Bots don’t sleep, ransomware finds new ways to infiltrate systems and yesterday’s defenses may be ineffective tomorrow. Cybersecurity requires vigilance. But vigilance alone won’t suffice. That’s why threat researchers and enterprise security analysts need effective tools to detect malware indicators and protect systems. Luckily, DNS sinkholes do both.
What’s a DNS Sinkhole?
In the Internet’s vast highway of connections, DNS sinkholes redirect network traffic. They intercept packets attempting to reach a certain address and reroute them. Consequently, both good and bad actors use sinkholes.
In cybersecurity, researchers use their power for good.
For example, remember the Wannacry ransomware attack? It affected more than 200,000 computers in 150 countries. Do you know what stopped its spread? A sinkhole. A security company deployed it. That sinkhole slowed the attack’s progress, giving businesses time to install a patch that inoculated their machines.
To be honest, they had a little help. Wannacry had a built-in fault that left it vulnerable. Its creators hardcoded a single static domain name into the malware. It was supposed to be a kill switch if they wanted to stop its spread. One problem: the static domain was left available for registration. So for less than $11 to register the domain and with the infrastructure and bandwidth to support a massive sinkhole, a cybersecurity researcher on vacation flipped the switch and funneled all that traffic into a waiting abyss.
It bought just enough time to get in front of the spread and contain the threat. Most DNS sinkholes operate a bit differently of course. Administrators design them to find a broad array of threats, not just one.
Using DNS sinkholing, threat researchers capture, monitor and analyze malicious Internet traffic in real time. Certainly one of the most obvious indicators of maliciousness is an attempt to connect to a known botnet command and control (C2) server. When users attempt to connect to an identified C2, a false, controlled IP address is returned and the traffic actually goes to a sinkhole, a server that an administrator controls.
Why Use a Sinkhole?
Once traffic goes to a sinkhole, threat researchers can tell which computers may be infected and notify users. Not only that – seeing how machines communicate with a malicious domain allows threat researchers to craft defenses that counter those tactics, techniques and procedures (TTP).
Then they can share the collected intelligence. This effectively neutralizes certain attack TTPs because over time the defense becomes an industry standard. After that, though every company may not adopt the defense straight away, they now have the ability to do so.
Companies differ, but often the strategies used to attack them don’t. It’s one advantage we’d do well to exploit.
For this reason, white hat sinkhole IP addresses are a useful tool for both reactive and proactive cybersecurity. With the valuable data contained in them, threat researchers can detect potential malware, protect their networks and contribute to the safety of the entire Internet.
How Can You Start Using DNS Sinkholes?
If you want to find DNS sinkholes, there are a few tested methods for identifying them. First, try reviewing the WHOIS nameservers information and SSL certificates. These are probably the two most straight-forward sources. Because of this, you’ll probably find more security companies sinkholing for research purposes.
On other side of the spectrum, you can find instructions for setting up a sinkhole with some basic research. Just make sure that you use a trusted source or software solution. For a deeper dive and more comprehensive view, Malware Patrol offers a data feed that contains IPv4 addresses of white hat sinkholes. It’s updated every 12 hours so the feed stays fresh.
Whichever method you choose, DNS sinkholes are an infosec tool worth acquiring to detect, protect, and anticipate the next threat.
By Tenea D. Johnson
Founder, Progress By Design