A botnet sinkhole is a tactic used by security professionals to redirect malicious botnet traffic into a reserve where it is analyzed and weaponized against the malicious bot or botnet activity.
As bots or a botnet communicate with their command and control (C&C) server, the location is discovered by law enforcement authorities. The security analysts redirect DNS traffic meant for the original C&C server to a fake C&C server owned by the authorities.
Sinkholing is a the neutral tactic that is employed by engineers to redirect traffic to a dedicated location such as a server configured for that purpose. In the benign case, security professions that have detected malicious botnet traffic to their resources can sinkhole the traffic to initiate defensive practices such as neutralizing or destroying the botnet. Malicious sinkholing often takes the form of hackers redirecting desirable web traffic from its intended destination, for example a legitimate website, to deny its recipient profit or the traffic itself.
Botnet sinkholes are a marriage of sinkholing and cybersecurity, used by those who are tasked with the responsibility to disrupt growing instances malicious botnet activity. The malicious code isolated into the sinkhole becomes the security engineers’ resource for analysis and tailored actions that law enforcement takes against the botnet.
“There’s a ton of suspicious requests coming to our site in a DDoS attack. Our team is sink-holing the traffic for analysis but for now, we’re putting out fires and blacklisting whatever inbounds we can.”