Sinkholes and Trapping Malicious Traffic

The basic concept of a sinkhole is not new and has been around for many years as a security tool. It was not widely used until the last few years, when researchers and security companies began looking at it as a tool to help identify infections and mitigate threats. A sinkhole is basically a system that is able to receive different types of traffic, such as HTTP or SMTP (e-mail), and log that traffic. Most systems will attempt to gather as much information as possible about the connections and the connecting machines. This information can then be used for a variety of purposes, from simple remediation and reporting to commercial advantage.

Whatever the purpose one is set up for, it can be a very valuable tool for security organizations.

How does Shadowserver run their Sinkholes?

Carefully. Working with friendly registrars, we have been registering previously malicious domain names, as well as domain names expected to become malicious, and pointing those records to our sinkhole servers. This means that if there are any infections still attempting to reach previously malicious domain names, we can track and report them. In the case of future malicious domain names, we are taking a preventive measure by tracking upcoming infections such as Srizbi and Conficker/Downadup.
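To make the two ideas above concrete (a listener that accepts HTTP traffic and logs what it can learn about each connection, and the reporting that follows once sinkholed domain names resolve to that listener), here is a small added example. It is not Shadowserver's code; the domain names, IP addresses and request bytes are constructed samples, and the listener, parser and report format are assumptions chosen for illustration.

```python
"""Minimal HTTP sinkhole: log each request's source and Host, then report per domain."""
import socketserver
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample traffic: what infected hosts would send once a sinkholed
# domain's DNS record points at this listener. Names and IPs are hypothetical.
SAMPLE_REQUESTS = [
    ("203.0.113.10", b"GET /cgi-bin/check.php?id=1 HTTP/1.1\r\nHost: example-sinkholed.test\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    ("203.0.113.10", b"GET /update HTTP/1.1\r\nHost: example-sinkholed.test\r\n\r\n"),
    ("198.51.100.7", b"POST /gate HTTP/1.0\r\nHost: other-sinkholed.test\r\nUser-Agent: bot\r\nContent-Length: 0\r\n\r\n"),
    ("198.51.100.7", b"garbage not http\r\n\r\n"),  # non-HTTP noise hitting the same port
]


@dataclass(frozen=True)
class Hit:
    """One logged connection: who connected, and which sinkholed name they asked for."""
    src_ip: str
    method: str
    host: str
    path: str
    user_agent: str


def parse_request(src_ip, raw):
    """Parse the request line and headers; return None if the bytes are not HTTP."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").splitlines()
    try:
        method, path, version = lines[0].split(" ", 2)
    except (IndexError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip blank or malformed header lines instead of failing
            headers[name.strip().lower()] = value.strip()
    return Hit(src_ip, method, headers.get("host", "").lower(), path, headers.get("user-agent", ""))


def summarize(hits):
    """Build the two views a sinkhole report needs: victims per domain, domains per victim."""
    by_domain = defaultdict(set)
    by_source = defaultdict(set)
    for h in hits:
        by_domain[h.host].add(h.src_ip)
        by_source[h.src_ip].add(h.host)
    return {
        "victims_per_domain": {d: sorted(ips) for d, ips in by_domain.items()},
        "domains_per_source": {s: sorted(ds) for s, ds in by_source.items()},
    }


def process_samples():
    """Run the parser over the constructed sample traffic, dropping non-HTTP noise."""
    return [h for h in (parse_request(ip, raw) for ip, raw in SAMPLE_REQUESTS) if h is not None]


HITS = []  # in-memory log for the live listener; a real deployment would persist this


class SinkholeHandler(socketserver.StreamRequestHandler):
    """Read one request head from a client, log it, and answer with an empty 200."""

    def handle(self):
        head = b""
        while True:
            line = self.rfile.readline()
            head += line
            if line in (b"\r\n", b"\n", b""):  # end of headers or client closed
                break
        hit = parse_request(self.client_address[0], head)
        if hit is not None:
            HITS.append(hit)
        # A short, closed response keeps the client from hanging or retrying indefinitely.
        self.wfile.write(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")


def serve(port=8080):
    """Listen on all interfaces (assumed port) and log every request until interrupted."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), SinkholeHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    for domain, victims in summarize(process_samples())["victims_per_domain"].items():
        print(f"{domain}: {len(victims)} distinct source(s): {', '.join(victims)}")
```

Run as a script to see the report over the constructed samples; call `serve()` to turn it into a live listener. The per-domain view is what goes to a network owner ("these addresses are still calling home to domain X"), while the per-source view shows how many distinct families one address is infected with, which is why both are kept.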

How does the Technology really work?

Here is a diagram to show the flow and processes of how ours works: