What is a sinkhole IP?
To explain a sinkhole, we first need a brief explanation of how botnets work:
- Most botnets are controlled through the use of Command and Control (C2) servers.
- C2 servers are set up to accept connections from members of the botnet (the infected computers) and give instructions on what the botnet is to do.
Many of the simpler botnets use a limited number of static (unmoving) C2 servers that are reached by IP address or domain name, and rely for their long-term survival on staying hidden, or on being hosted in places willing to ignore criminal behavior.
More sophisticated botnets use what is known as a “domain generation algorithm” (or DGA) to periodically generate a new set of domain names. The DGA is a “pseudo random” algorithm: its output looks random, but it is seeded from something the bot and the controller both know (typically the current date), so the botnet controller can predict exactly which domains the bots will try at any given time in the future.
- The botnet controller merely has to register one (or a few) of these domain names and point them at C2 server[s] to issue commands to the botnet.
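The following is an added example, not code from the original page or from any real botnet: a toy date-seeded DGA that shows why both the controller and a researcher can compute the same domain set for any future date. The seed, the label length, the eight domains per day and the use of the reserved `.example` TLD are all assumptions made for this illustration; a real DGA would emit domains under real TLDs.

```python
import datetime
import hashlib
import re

# Constructed toy DGA for illustration only. It is not the algorithm of any
# real botnet family; the seed, label length and the reserved ".example" TLD
# are assumptions made for this example.
SEED = b"toy-botnet-seed"      # assumption: secret baked into the bot binary
DOMAINS_PER_DAY = 8            # assumption: candidates a bot tries per day
LABEL_LEN = 12


def dga_domains(day, count=DOMAINS_PER_DAY):
    """Domains the toy bot will try on `day` (ISO date, e.g. "2024-03-01").

    The generator is deterministic: it hashes (seed, date, index). Anyone who
    knows the seed and the algorithm, controller or researcher, gets the same
    list for any date, past or future. The bot itself uses the current date.
    """
    date = datetime.date.fromisoformat(day)  # also validates the input
    domains = []
    for i in range(count):
        material = SEED + date.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # Map the first LABEL_LEN digest bytes onto a-z to form a hostname label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(label + ".example")
    return domains


def predict_window(start, days):
    """Researcher's view: every domain for `days` days starting at `start`."""
    first = datetime.date.fromisoformat(start)
    window = {}
    for d in range(days):
        day = (first + datetime.timedelta(days=d)).isoformat()
        window[day] = dga_domains(day)
    return window


def is_dga_domain(domain, start, days):
    """True if `domain` is one the toy bot would generate inside the window.

    This is the check applied to DNS or sinkhole logs: a lookup of a domain in
    the precomputed set marks the querying host as a likely bot.
    """
    # Cheap pre-filter: the toy DGA only ever emits LABEL_LEN lowercase letters.
    if not re.fullmatch(r"[a-z]{%d}\.example" % LABEL_LEN, domain):
        return False
    return any(domain in doms for doms in predict_window(start, days).values())


def register_targets(start, days, already_taken):
    """Domains a defender would try to register to sinkhole the window,
    skipping any that the controller (or anyone else) already holds."""
    wanted = []
    for doms in predict_window(start, days).values():
        wanted.extend(d for d in doms if d not in already_taken)
    return wanted


if __name__ == "__main__":
    for day, doms in predict_window("2024-03-01", 2).items():
        print(day, doms)
```

Because the generator is deterministic, `predict_window` is exactly the list the controller works from; the defender's only disadvantage is that the controller needs to register just one of the day's domains, while a complete sinkhole must hold all of them.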
Sinkholes
Anti-botnet researchers and law enforcement can often identify existing C2 domains or predict DGA domains in the same way that botnet controllers do.
They can often acquire the domain and point it at a server of their own. These are called “sinkhole servers”, or simply “sinkholes”.
- Generally speaking, sinkholes provide no instructions back to the infected computers, and merely record who connected to them.
Sinkhole servers are used for the following reasons:
- To prevent the infected computers from talking to the real C2 servers, and thus from doing damage (for as long as the sinkhole holds the domains the bots are trying).
- To perform basic research on the botnet, e.g. how many infected computers there are.
- To provide lists of infected machines for notification/remediation/repair.
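As an added example, not code or data from the original page, here is the kind of processing a sinkhole operator does with the connection records for the second and third purposes above: count likely infections, see which sinkholed domains are being hit, and build a per-network notification list. The log format, the sample lines (reserved `.example` domains and documentation IP ranges) and the use of a /24 as a stand-in for "network owner" are all constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sinkhole connection records, not real data. Each line is:
# <timestamp> <source IP> <source port> <Host header the bot sent>
# Domains use the reserved ".example" TLD; IPs are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T00:00:03Z 198.51.100.7 51234 kzqpwmrtvbxl.example
2024-03-01T00:00:09Z 198.51.100.7 51240 kzqpwmrtvbxl.example
2024-03-01T00:01:11Z 203.0.113.45 40002 hjdnfoeutyra.example
2024-03-01T00:02:30Z 198.51.100.200 33001 kzqpwmrtvbxl.example
2024-03-01T00:03:02Z 192.0.2.10 44444 hjdnfoeutyra.example
garbage line that a real log would also contain
2024-03-01T00:04:50Z 203.0.113.45 40010 kzqpwmrtvbxl.example
2024-03-01T00:05:00Z not-an-ip 1 kzqpwmrtvbxl.example
"""


def parse_records(text):
    """Parse log lines into dicts, dropping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, port, host = parts
        try:
            addr = ipaddress.ip_address(ip)
            port = int(port)
        except ValueError:
            continue
        records.append({"ts": ts, "ip": str(addr), "port": port, "host": host})
    return records


def count_infected(records):
    """Estimate of infected machines: distinct source IPs.
    Caveat: NAT hides many hosts behind one IP and DHCP moves one host
    across several, so this is a rough count, not a host census."""
    return len({r["ip"] for r in records})


def hits_per_domain(records):
    """How often each sinkholed domain was contacted (which DGA day or
    variant is most active)."""
    return dict(Counter(r["host"] for r in records))


def first_seen(records):
    """Earliest timestamp per IP: the detail a network owner needs to find
    the machine in their own DHCP or NAT logs."""
    seen = {}
    for r in records:
        if r["ip"] not in seen or r["ts"] < seen[r["ip"]]:
            seen[r["ip"]] = r["ts"]
    return seen


def notification_list(records, prefix_len=24):
    """Group infected IPs by network for notification.
    Assumption: a /24 stands in for 'network owner'; a real feed maps each IP
    to an ASN or abuse contact instead (sample data is IPv4 only)."""
    groups = defaultdict(set)
    for r in records:
        net = ipaddress.ip_network(f"{r['ip']}/{prefix_len}", strict=False)
        groups[str(net)].add(r["ip"])
    return {net: sorted(ips, key=ipaddress.ip_address)
            for net, ips in sorted(groups.items())}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("infected IPs:", count_infected(recs))
    print("hits per domain:", hits_per_domain(recs))
    for net, ips in notification_list(recs).items():
        print(net, ips)
```

Note that `198.51.100.7` appears twice but is counted once: repeated hits from one address are a bot polling on its schedule, not several infections. The reverse problem also applies, which is why the notification carries the timestamp and source port rather than just the IP: behind a NAT gateway the network owner needs both to identify which internal machine made the connection.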
If your IP is hitting a sinkhole, blocking the IP from connecting to the sinkhole is not going to fix the botnet infection; it only hides the symptom, and the infected machine will keep trying the next C2 domains. Please find the infected machine and fix it. If needed, call professional assistance.