Lessons learned while sinkholing botnets - not as easy as it looks!
Rainer Link Trend Micro
David Sancho Trend Micro
Botnets are a well-known security threat for businesses and end-users alike. They are made up of many infected computers
under the control of a criminal or criminal gang. The main power of a botnet is in its numbers: the bigger it is, the more
it can do because of the compounded bandwidth and computing power of its members. However, small botnets are also often
used in order to stay beneath the radar. Sinkholing is a technique that aims to redirect the traffic meant for the
malicious server to an analysis server owned by the researchers. In this way, the malicious traffic coming from each of
the botnet clients goes straight to the research box, ready to be analysed.
This paper talks about the lessons we have learned from our previous experience of sinkholing botnets, as well as
suggestions for researchers on how to realize this endeavour. We will discuss sinkholing as a vehicle for information
gathering, and show how it is only of limited use in shutting down botnets. It is not the technical aspects of sinkholing
that are interesting, as these are well known among researchers. Instead, the real-world difficulties involved in carrying
out these operations will be covered. Some examples include the difficulty of working with certain ISPs or Registrars, what
to do when you are suddenly receiving large volumes of Personally Identifiable Information (PII), and problems such as
sinkholing a C&C server that is hosted on a compromised domain. We'll also cover best practices, things to avoid,
areas where researchers should tread carefully and why a few drinks at the bar with an ISP technician are worth much more
than years of experience with iptables!
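The abstract makes two points that a sinkhole operator has to reconcile: the redirected bot traffic is the research value, and it arrives carrying PII the researcher did not ask for. The following is an added example, not code from the paper or its authors, showing one way to structure the intake side of a sinkhole so that both hold. It assumes the sinkholed C&C speaks plain HTTP, that analysts need only per-domain bot counts (not addresses or payloads), and it uses constructed sample beacons; the domain `cnc.example`, the addresses and the key are all made up for the example.

```python
"""Sinkhole intake: keep what the analysis needs, keep PII out of the logs.

Added example (not from the paper). Processes HTTP-style bot beacons that a
sinkhole receives once a C&C domain points at the research box. Assumptions:
beacons are plain HTTP; request bodies may contain PII and are discarded;
analysts need per-domain unique-bot counts, not client addresses.
"""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed per-deployment secret. Rotating it breaks linkability across
# data sets, which is the point when a sinkhole log is shared with others.
PSEUDONYM_KEY = b"constructed-sinkhole-key-rotate-me"


def pseudonymize_ip(ip: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: one bot stays countable without its address being stored."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def parse_beacon(raw: bytes) -> dict:
    """Parse the request line and Host header of an HTTP beacon.

    The body is split off and never returned. Anything that is not an HTTP
    request (e.g. a TLS ClientHello hitting port 80) yields method 'INVALID'
    so the caller can count it rather than crash on it.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[0].isalpha() or not parts[2].startswith("HTTP/"):
        return {"method": "INVALID", "path": None, "host": None}
    method, path, _version = parts
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            break
    return {"method": method, "path": path, "host": host}


@dataclass
class SinkholeStats:
    bots_per_host: dict = field(default_factory=lambda: defaultdict(set))
    invalid: int = 0

    def record(self, client_ip: str, raw: bytes) -> dict:
        """Record one beacon; returns the sanitized entry that may be logged."""
        beacon = parse_beacon(raw)
        if beacon["method"] == "INVALID":
            self.invalid += 1
            return beacon
        bot = pseudonymize_ip(client_ip)
        host = beacon["host"] or "(no host header)"
        self.bots_per_host[host].add(bot)
        return {**beacon, "bot": bot}

    def unique_bots(self, host: str) -> int:
        return len(self.bots_per_host.get(host, ()))


# Constructed sample traffic: two bots beacon to one sinkholed domain (one of
# them twice), one beacon carries a body that must never reach the log, and
# one connection is not HTTP at all.
SAMPLE = [
    ("198.51.100.7", b"GET /gate.php?id=1 HTTP/1.1\r\nHost: cnc.example\r\n\r\n"),
    ("198.51.100.7", b"GET /gate.php?id=1 HTTP/1.1\r\nHost: cnc.example\r\n\r\n"),
    ("203.0.113.9", b"POST /gate.php HTTP/1.1\r\nHost: CNC.example\r\n\r\n"
                    b"user=alice&pass=hunter2&cc=4111111111111111"),
    ("203.0.113.10", b"\x16\x03\x01 not http at all"),
]


def summarize(samples=SAMPLE) -> dict:
    """Run the constructed sample through the intake and return the summary."""
    stats = SinkholeStats()
    for ip, raw in samples:
        stats.record(ip, raw)
    return {
        "unique_bots": stats.unique_bots("cnc.example"),
        "invalid": stats.invalid,
        "hosts": sorted(stats.bots_per_host),
    }


if __name__ == "__main__":
    print(summarize())  # {'unique_bots': 2, 'invalid': 1, 'hosts': ['cnc.example']}
```

The design choice worth noting is that the log entry is built from the parsed fields rather than from the raw request, so a body full of harvested credentials never has a path into storage; the keyed pseudonym keeps the "how many bots" question answerable without keeping an address list that would itself be PII.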