Lessons learned while sinkholing botnets - not as easy as it looks!

Rainer Link, Trend Micro
David Sancho, Trend Micro

Botnets are a well-known security threat for businesses and end-users alike. They are made up of many infected computers under the control of a criminal or criminal gang. The main power of a botnet is in its numbers: the bigger it is, the more it can do because of the combined bandwidth and computing power of its members. However, small botnets are also often used in order to stay beneath the radar. Sinkholing is a technique that aims to redirect the traffic meant for the malicious server to an analysis server owned by the researchers. In this way, the malicious traffic coming from each of the botnet clients goes straight to the research box, ready to be analysed.

This paper discusses the lessons we have learned from our previous experience of sinkholing botnets, as well as suggestions for researchers on how to carry out this endeavour. We will discuss sinkholing as a vehicle for information gathering, and show how it is only of limited use in shutting down botnets. It is not the technical aspects of sinkholing that are interesting, as these are well known among researchers. Instead, the real-world difficulties involved in carrying out these operations will be covered. Some examples include the difficulty of working with certain ISPs or registrars, what to do when you are suddenly receiving large volumes of Personally Identifiable Information (PII), and problems such as sinkholing a C&C server that is hosted on a compromised domain. We'll also cover best practices, things to avoid, areas where researchers should tread carefully and why a few drinks at the bar with an ISP technician are worth much more than years of experience with iptables!
