What is a "sinkhole"?

Most botnets are controlled through the use of Command and Control (C2) servers.

C2 servers are set up to accept connections from members of the botnet (the infected computers) and give instructions on what the botnet is to do.

Many of the simpler botnets use a limited number of static (unmoving) C2 servers that are reached by IP address or domain name, and rely for their long-term survival on staying hidden or on being hosted in places that are willing to ignore criminal behavior.

More sophisticated botnets such as Zeus, Conficker and others use what are known as "domain generation algorithms" (DGAs) to periodically generate a new set of domain names. The DGA uses a "pseudo-random" algorithm that allows the botnet controller to predict what the domains will be at any given time in the future. The botnet controller merely has to register one (or a few) of these domain names and point them at C2 servers to issue commands to the botnet.

Anti-botnet researchers and law enforcement can often identify existing C2 domains, or predict DGA domains in the same way that botnet controllers do. If they do, they can often acquire the domain and point it at a server of their own. These are called "sinkhole servers", or simply "sinkholes". Generally speaking, sinkholes provide no instructions back to the infected computers and merely record who connected to them.

Sinkhole servers are used for the following reasons:

  1. To prevent the infected computers from talking to the real C2 servers and thus prevent them from doing damage. For example: the law enforcement action on Gameover Zeus and Cryptolocker, or the earlier industry effort against Conficker.
  2. To perform basic research on the botnet, e.g. how many infected computers there are.
  3. To provide lists of infected machines for notification, remediation and repair.
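As an added illustration, not part of the original article: a constructed toy DGA (hypothetical, with a made-up seed, and not the algorithm of any real botnet) shows how a defender who knows the algorithm can compute the same domains as the botnet controller, and a minimal sinkhole-side collector then records which clients asked for them, yielding the infection count and notification list named above. All domains, addresses and log lines are constructed.

```python
import hashlib
from datetime import date

# Constructed toy DGA (hypothetical; NOT the algorithm of any real botnet). It has
# the one property the text relies on: anyone holding the algorithm and its seed
# can compute the same domain list for any date, past or future.
SEED = "constructed-toy-seed"
TLDS = ("com", "net", "org")
SAMPLE_DAY = date(2015, 1, 1)  # constructed date used by demo()

def dga_domains(day: date, count: int = 5) -> list[str]:
    """Return the `count` domains the toy DGA yields for `day`."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{SEED}|{day.isoformat()}|{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(ch, 16)) for ch in digest[:12])  # nibbles -> a..p
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains

def sinkhole_hits(log_lines: list[str], predicted: set[str]) -> dict[str, set[str]]:
    """Sinkhole side: from constructed 'timestamp client qname' lines, record which
    clients asked for a predicted domain. Nothing is ever answered back to them."""
    hits: dict[str, set[str]] = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip it rather than crash the collector
        _ts, client, qname = parts
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in predicted:
            hits.setdefault(qname, set()).add(client)
    return hits

def infected_hosts(hits: dict[str, set[str]]) -> list[str]:
    """Deduplicated client list for notification/remediation (reason 3 above)."""
    return sorted({c for clients in hits.values() for c in clients})

def demo() -> tuple[list[str], dict[str, set[str]], list[str]]:
    """End-to-end run on a constructed log: predict, observe, report."""
    d = dga_domains(SAMPLE_DAY)
    sample_log = [  # constructed; the last two lines are noise the sinkhole ignores
        f"2015-01-01T00:00:01 10.0.0.5 {d[0]}.",
        f"2015-01-01T00:00:02 10.0.0.7 {d[0].upper()}",
        f"2015-01-01T00:00:03 10.0.0.5 {d[1]}",
        "2015-01-01T00:00:04 10.0.0.9 www.example.com",
        "malformed line",
    ]
    hits = sinkhole_hits(sample_log, set(d))
    return d, hits, infected_hosts(hits)
```

Calling `demo()` returns the predicted domains, the per-domain client sets (reason 2: count them) and the sorted host list to notify (reason 3).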