Hacker tools and terminology expand alongside technology. This series will cover emerging hacking strategies and how to avoid them. The first term we will cover is known as “sinkholing”.
No one enjoys being hacked even if it is something as simple as a friend “hacking” your Facebook. So, it pays to know a little bit about terms and tools in the hacker lexicon.
“Sinkholing” is one of the latest terms to emerge. Unlike some terms, its name implies its meaning.
Imagine a city facing torrential rain. Perhaps it has a seawall to hold back storm surges, or sewers and reservoirs that catch the overflow before the streets flood. These catch basins absorb the excess to prevent disaster. That’s exactly how a digital sinkhole works.
We are moving toward automation and Industry 4.0. That means needing to know more about digital spaces, hardware, and data protection. Even if you aren’t a Twitch streamer getting DDoS’d, knowing about terms like these will be necessary in the near future.
So how can you leverage sinkholing to protect yourself against hackers?
What is Sinkholing?
Just like a physical sinkhole, a digital sinkhole acts as a catch basin. In most cases involving internet traffic, it is used to absorb overflow.
As an anti-hacking utility, sinkholes are used to redirect malicious traffic away from a main network server. In addition, sinkholes redirect normal traffic trying to reach a specific point when the traffic load is simply too high. Most often, sinkholing is used to combat DDoS attacks.
It is a useful tactic favored by many cybersecurity professionals, including those at SecureLink UK. In the video below, a specialist elaborates on Palo Alto DNS sinkholing, but it gets very dense very fast.
It may be a short video, but if you are unfamiliar with many of the terms, you’ll be in the weeds quickly. What you first need to understand is how botnets communicate with DNS servers.
This video from Udacity does a pretty good job of explaining the process.
As covered in a recent article about the Mirai botnet, bots can overload servers with extreme efficacy. The Mirai botnet effectively knocked the entire country of Liberia offline. Botnets do this by flooding a network with bogus traffic from the compromised devices they control. This is a type of DDoS attack.
Now you can see how a gigantic digital sinkhole can come in handy in a botnet attack.
In What Settings Does Sinkholing Work?
As with other hacker tools, each tool suits particular situations. Sinkholing is no different, and it can be used with malicious or beneficial intent.
Darien Huss, a Proofpoint senior security research engineer, told WIRED just how sinkholing operates.
“Let’s say you want to visit WIRED’s website on your computer . . . You first open a web browser and type the domain name, wired.com, into the address bar and press Enter. Typically, the Domain Name System server would respond with the IP address where wired.com is hosted; however, if the domain was sinkholed, your browser would be redirected to an IP address other than WIRED’s.”
As shown in both videos above, sinkholing requires changes to the DNS system: you simply answer the domain lookup with a different IP address, and the traffic is rerouted. So, to be frank, sinkholing gets used every single day.
It is a workhorse among hacker tools, applicable to threat analysis, network management, and research. The most significant scenario requiring sinkholing is a large-scale attack.
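To make the DNS-level mechanism concrete, here is an added example (not code from the article or from any vendor it mentions) of the decision logic inside a sinkholing resolver: a query for a blocklisted domain, or any subdomain of it, is answered with the sinkhole address instead of the real one, and the client that asked is logged so defenders can find infected hosts. The domains, addresses and upstream resolver are constructed placeholders.

```python
from collections import defaultdict

SINKHOLE_IP = "10.0.0.53"  # assumed internal sinkhole server, constructed
# Constructed blocklist of hypothetical C2 domains; placeholders, not real IoCs
BLOCKLIST = {"bad-c2.example", "update-check.example"}
# Constructed stand-in for the real upstream resolver's answers
UPSTREAM_ANSWERS = {"www.legit.example": "198.51.100.5"}


def upstream_lookup(qname):
    """Fake upstream resolution; a real resolver would forward the query."""
    return UPSTREAM_ANSWERS.get(qname.lower().rstrip("."), "0.0.0.0")


class SinkholeResolver:
    def __init__(self, blocklist, sinkhole_ip, upstream):
        self.blocklist = {d.lower().rstrip(".") for d in blocklist}
        self.sinkhole_ip = sinkhole_ip
        self.upstream = upstream
        # client IP -> names it asked for that were sinkholed (detection log)
        self.hits = defaultdict(list)

    def is_blocked(self, qname):
        name = qname.lower().rstrip(".")
        # Match the listed domain and every subdomain beneath it
        return any(name == d or name.endswith("." + d) for d in self.blocklist)

    def resolve(self, client_ip, qname):
        """Answer with the sinkhole address for blocked names, else upstream."""
        if self.is_blocked(qname):
            self.hits[client_ip].append(qname.lower().rstrip("."))
            return self.sinkhole_ip
        return self.upstream(qname)

    def suspected_infected(self):
        """Clients that asked for a blocked domain, sorted for reporting."""
        return sorted(self.hits)


def demo():
    """Run constructed sample queries: two hosts reach for C2 names, one is clean."""
    r = SinkholeResolver(BLOCKLIST, SINKHOLE_IP, upstream_lookup)
    queries = [("192.0.2.10", "bad-c2.example"),
               ("192.0.2.11", "cdn.BAD-C2.example."),
               ("192.0.2.12", "www.legit.example")]
    answers = [r.resolve(client, name) for client, name in queries]
    return answers, r.suspected_infected()
```

The hits log is the point of a defensive sinkhole: the sinkhole address itself is inert, and the list of clients that tried to reach it is what tells you which machines to clean.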
Some of our readers may remember the huge WannaCry ransomware attack in May of 2017. It locked up the UK’s National Health Service along with other critical global systems. But, as if out of a Mr. Robot episode, a “kill switch” staved off a worse attack.
That “kill switch” actually functioned like a sinkhole, according to Marcus Hutchins. You might know this security researcher better as MalwareTech. This is the person responsible for stopping the North Korean WannaCry attack.
How Sinkholing Prevented WannaCry Dissemination
Security researchers like Hutchins worked to reverse engineer the WannaCry attack. After all, reverse engineering isn’t just the only way I could do a physics problem in high school.
Reverse engineering can reveal weaknesses in programs, ransomware included. This process led Hutchins to a “nonsense URL” on a live web page. The odd thing about this URL was that its domain had no owner, which prompted Hutchins to purchase the domain for himself.
For just $10.69 USD, Hutchins purchased the domain and WannaCry shut down.
The developers responsible for WannaCry had their ransomware pointing to a static domain. Once that domain wasn’t available, the program shut down per its instructions.
If WannaCry had routed to random domains, this gambit might not have worked.
Hutchins then rerouted WannaCry traffic to his domain, studying the queries. While he couldn’t decrypt infected devices or block the malware, he did add time. In that time, administrators could patch their systems and gain a bit more control. Still, this defense almost failed.
As Hutchins told WIRED:
“A sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them . . . the sinkhole servers were coming dangerously close to their maximum load . . . due to a very large botnet we had sinkholed the previous week eating up all the bandwidth.”
That shows one weak aspect of the sinkholing technique: the sinkhole server must have enough capacity to accommodate the volume of bots that get redirected to it.
Hacker Tools and Terms for Non-Hackers
Given the high-profile nature of the WannaCry attack, sinkholing has entered mainstream conversation. As such, some individuals and companies seek to put it to use for others.
Some sources went so far as to define sinkholes, botnets, the Darknet, and Honeypots.
Just as an FYI, a “Darknet” is usually a small file-sharing network that uses friend-to-friend or peer-to-peer connections, or a privacy network like Tor. Malicious activity on one is generally easier to detect because of the small number of users.
Honeypots function a bit differently. Using decoy servers, they simulate computer networks to test network security and record attacker actions, such as scanning for poorly defended devices. By detecting would-be attacks early, they help mitigate virus risk.
Things like this may not seem too important now; it might just be the IT guy’s problem. But, as we approach an IoT future, the level of interconnection will demand more knowledge from everyone.
Knowing about hacker tools might become as ubiquitous as knowing about Starbucks.
Take the initiative to learn about hacker tools, terminology, and protection. That starts with knowing what sinkholing is and what sinkhole domains are.
A Brief List of Sinkhole Domains for Reference
You can find an easy-to-navigate list of sinkhole domains here. You will see some familiar names, such as Kaspersky and Microsoft, with their own sinkhole domains.
I even found a barebones tutorial on how to set up a DNS sinkhole.
As we move forward with this hacker tools and terminology series, we will explore more tactics and strategies employed by hackers.