Sinkholing as a Way to Improve Network Security

Category: Blog, Security  |  Wednesday, January 3rd, 2018

Curious about what a sinkhole is? In the tech realm, a sinkhole is not the ground collapsing from an excess of water while streets and homes disappear.

Think of sinkholing as targeted redirecting. Let’s say that you made too much chili last night for dinner, so you pull out the storage containers and freeze a batch for later. Or you get too many emails from one sender, so you label them and redirect them to a specific folder so they don’t fill up your inbox. It could also be when you are inundated by junk from a botnet attacking your network and you redirect all that malicious traffic into a sinkhole.

Sinkholing is a method for manipulating data flow in a network: you redirect traffic from its intended destination to a server of your choice. Sinkholing can be used to do harm, or to divert legitimate traffic away from its intended recipient, but security professionals more commonly use sinkholing as a tool for research and for reacting to attacks.

When bots in a botnet phone home to their command and control server, for example, you could sinkhole the domain they reach out to, diverting the requests so that you can monitor activity on the botnet, track the IP addresses contacting the domain, or neuter it so the bots can’t receive commands. Law enforcement also uses the technique in investigations and large-scale criminal infrastructure takedowns. More broadly, internet infrastructure companies like ISPs and content delivery networks use sinkholes every day to defend their networks and customers and to manage traffic flow.

“Let’s say you want to visit the online tech magazine WIRED’s website on your computer,” says Darien Huss, a senior security research engineer at the security intelligence firm Proofpoint. “You first open a web browser and type the domain name, wired.com, into the address bar and press Enter. Typically, the Domain Name System server would respond with the IP address where Wired is hosted; however, if the domain was sinkholed, your browser would be redirected to an IP address other than WIRED’s.”

Many sinkholes rely on changes to the DNS system (essentially the phonebook lookup of the internet) to route traffic where they want it to go. This requires taking over the domain name you want to monitor, which can be tricky, but law enforcement can get court orders to transfer ownership, and researchers sometimes set up automated systems to quickly take control of malicious domains when their registration expires. You can also create other types of sinkholes that reroute traffic from the original target IP address to the sinkhole address, using a mechanism like a firewall or a router.
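The DNS side of this is easiest to see in code. The following is an added example, not code from the post or from any of the people or companies it mentions: a minimal sinkhole resolver that parses an incoming DNS query, checks the queried name against a sinkhole list (exact match or any subdomain, so that "notbad-c2.example" is not caught by "bad-c2.example"), and answers with the sinkhole's address instead of the real one. The domain names, the 192.0.2.10 sinkhole address and the listening port are constructed for the example; queries for names not on the list return None, which is where a production resolver would forward them upstream.

```python
import socket
import struct

# Constructed sinkhole policy (not from the post): domains, and their subdomains,
# whose lookups we answer ourselves instead of returning the real address.
SINKHOLED_DOMAINS = {"bad-c2.example", "kill-switch.example"}
SINKHOLE_IP = "192.0.2.10"   # documentation address standing in for the sinkhole host
SINKHOLE_TTL = 60            # short TTL so the redirect can be undone quickly


def build_query(name, qtype=1):
    """Build a minimal DNS query (ID 0x1234, RD set, one question). Used only to
    construct sample input; a real resolver receives these from clients."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_qname(data, offset=12):
    """Read the label sequence starting at offset; return (name, offset past it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:   # compression pointer: not valid in a query's question
            raise ValueError("unexpected compression pointer in QNAME")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def is_sinkholed(name):
    """True for an exact match or any subdomain; 'notbad-c2.example' does not match."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in SINKHOLED_DOMAINS for i in range(len(parts)))


def sinkhole_response(query):
    """Return an A answer pointing at SINKHOLE_IP when the question is sinkholed.
    Returns None otherwise: that query is not ours and would be forwarded upstream."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    name, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    if qtype != 1 or qclass != 1 or not is_sinkholed(name):
        return None
    rd = flags & 0x0100                       # echo the client's RD bit
    header = struct.pack("!HHHHHH", txid, 0x8080 | rd, 1, 1, 0, 0)  # QR=1, RA=1
    question = query[12:end + 4]
    # Answer RR: name pointer to offset 12, type A, class IN, TTL, RDLENGTH 4, address.
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, SINKHOLE_TTL, 4)
              + socket.inet_aton(SINKHOLE_IP))
    return header + question + answer


def answered_ip(response):
    """Address carried in the single A record of a sinkhole_response() packet."""
    return socket.inet_ntoa(response[-4:])


if __name__ == "__main__":
    # Listen on a local port; queries for non-sinkholed names are dropped here,
    # where a production resolver would forward them to an upstream server.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 5353))
    while True:
        data, client = sock.recvfrom(512)
        try:
            reply = sinkhole_response(data)
        except (ValueError, IndexError, struct.error):
            continue
        if reply is not None:
            print(f"sinkholed {parse_qname(data)[0]} from {client[0]}")
            sock.sendto(reply, client)
```

Run it and point a test client at 127.0.0.1:5353 (for instance `dig @127.0.0.1 -p 5353 c2.bad-c2.example`): names under the sinkholed domains come back as 192.0.2.10 with a 60-second TTL, everything else gets no answer from this toy. The short TTL matters operationally, because it bounds how long clients keep the redirect cached once you take the sinkhole down.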

Sinkholes are workhorse tools used in day-to-day network management, research, and threat analysis, but they occasionally play a critical role in containing dramatic threats. Security researcher Marcus Hutchins, who goes by MalwareTech, famously set up a sinkhole that halted the massive May WannaCry ransomware outbreak. As WannaCry spread, Hutchins and security researchers around the world worked to reverse-engineer samples of it, looking for flaws or weaknesses. Hutchins noticed that the ransomware was programmed to check whether a certain nonsense URL led to a live web page, but the domain wasn’t owned by anyone. So he did what any good, but confused security researcher would do: He spent $10.69 to register the domain himself.

It turned out that the ransomware was checking to ensure that the domain was inactive, and had been programmed to shut down if it found the domain was live. The mechanism was basically acting as a kill switch, but the North Korean developers behind WannaCry made the mistake of pointing the check to a static domain instead of one that randomly changed.

Because of this flaw, Hutchins was able to set up the domain and point it to his own sinkhole servers to contain and study WannaCry queries. “A sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them,” Hutchins wrote in a review of the WannaCry episode. He notes that after he registered the domain, “the sinkhole servers were coming dangerously close to their maximum load … due to a very large botnet we had sinkholed the previous week eating up all the bandwidth.”

Hutchins’s sinkhole didn’t decrypt computers that were already infected with WannaCry, and it couldn’t block the malware from being rewritten without the crippling domain check. But it did buy time for the security and internet infrastructure community to get control of the situation, and for administrators to patch their systems against the ransomware.
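Once lookups land on the sinkhole, the server on the other end has two jobs the post describes: capture who is calling in, and hand back nothing a bot could act on. The block below is an added example, not Hutchins’s or anyone else’s sinkhole code: an HTTP listener that logs each hit as one JSON line and answers with an inert page, plus a summary routine that turns such a log into per-domain counts of distinct source addresses, first and last seen, and the busiest minute (the kind of load figure the quote above is concerned with). The log lines, hostnames and addresses are constructed sample data.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of sinkhole hits (one JSON object per line); the addresses
# are documentation ranges, not real infected hosts.
SAMPLE_LOG = """\
{"ts": "2018-01-03T10:00:01Z", "src": "198.51.100.7", "host": "kill-switch.example", "path": "/", "ua": "Mozilla/4.0"}
{"ts": "2018-01-03T10:00:45Z", "src": "203.0.113.5", "host": "kill-switch.example", "path": "/", "ua": "Mozilla/4.0"}
{"ts": "2018-01-03T10:01:10Z", "src": "198.51.100.7", "host": "kill-switch.example", "path": "/", "ua": "Mozilla/4.0"}
{"ts": "2018-01-03T10:02:00Z", "src": "198.51.100.9", "host": "bad-c2.example", "path": "/gate.php", "ua": "bot/1.0"}
{"ts": "2018-01-03T10:02:30Z", "src": "198.51.100.7", "host": "bad-c2.example", "path": "/gate.php", "ua": "bot/1.0"}
"""


class SinkholeHandler(BaseHTTPRequestHandler):
    """Record each request and answer with an inert page. The reply carries no
    instructions, so a bot that reaches us learns nothing and receives no commands."""

    def do_GET(self):
        record = {
            "ts": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "src": self.client_address[0],
            "host": self.headers.get("Host", ""),
            "path": self.path,
            "ua": self.headers.get("User-Agent", ""),
        }
        self.server.log_file.write(json.dumps(record) + "\n")
        self.server.log_file.flush()
        body = b"sinkhole\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):   # keep the default stderr chatter quiet
        pass


def summarize(log_text):
    """Per sinkholed hostname: distinct source addresses, first/last seen, and the
    busiest minute (a rough load indicator). Timestamps are ISO 8601 in UTC, so
    string comparison orders them correctly."""
    per_host = defaultdict(lambda: {"sources": set(), "ts": [], "minutes": Counter()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        entry = per_host[rec["host"]]
        entry["sources"].add(rec["src"])
        entry["ts"].append(rec["ts"])
        entry["minutes"][rec["ts"][:16]] += 1   # bucket key "YYYY-MM-DDTHH:MM"
    return {
        host: {
            "unique_sources": len(e["sources"]),
            "first_seen": min(e["ts"]),
            "last_seen": max(e["ts"]),
            "peak_hits_per_minute": max(e["minutes"].values()),
        }
        for host, e in per_host.items()
    }


if __name__ == "__main__":
    # Append hits to a local file; run summarize() over that file later.
    with open("sinkhole-hits.jsonl", "a") as log_file:
        server = HTTPServer(("127.0.0.1", 8080), SinkholeHandler)
        server.log_file = log_file
        print("sinkhole listening on 127.0.0.1:8080")
        server.serve_forever()
```

Counting distinct source addresses rather than raw hits is what gives a defensible estimate of infected hosts, since a single machine behind the kill-switch check may call in repeatedly; the per-minute peak is the number to watch when, as in the quote above, the sinkhole is sharing bandwidth with other captured botnets.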

Though sinkholes don’t usually have such an outwardly exciting role in network security, they are an important tool. And in security, it’s a satisfying feeling knowing you have malicious traffic trapped in your sinkhole, and not out scamming and scheming the world at large.

If you need assistance with network security give EnhancedTECH a call at 714-970-9330 or contact us at [email protected] for a free consultation.


source image: https://www.pexels.com/photo/low-light-photography-of-white-arrow-833317/
