One of the most effective methods for tracking actor-based attack campaigns is to take control of as much of their infrastructure as possible and remove their access to infected hosts before they can react. The processing of takeovers can vary, but often times registrars or hosting providers will provide the defenders (good guys) with the ability to re-route incoming traffic to a server they control in order to perform analysis of the compromised check-ins. This particular practice is commonly known as sinkholing.
Sinkholes are an invaluable resource in threat infrastructure research. Not only do they help block existing attacks and allow for responsible victim notification, but they also provide a wealth of intelligence about the attacker’s tools, tactics and procedures (TTPs). Unfortunately, they also serve as the perfect mechanisms for grouping potentially unrelated traffic. In order to retain sources, stay ahead of attackers and protect research, sinkhole operators will not always be forthcoming with their hosted infrastructure and thus it requires a body of knowledge by the analyst in order to recognize a sinkhole when conducting research.
Within the PassiveTotal platform, we’ve compiled a sinkhole registry derived from public, private and community feedback. Using our global tags, we associate a “sinkhole” tag to any IP address that’s found within our dataset. Our repository is not exhaustive though, so we’ve put together a number of ways to potentially identify a sinkhole.
Check the IP
Depending on the operator, identifying a sinkhole could be as easy as viewing the content being served up on port 80. For example, 18.104.22.168 literally tells you it’s a sinkhole when you browse to it. Note, when connecting to potentially malicious infrastructure, use a virtual machine to avoid infection and be aware of any monitoring on your network.
In order to handle incoming potential victim traffic, sinkhole operators will need to monitor for known command and control traffic on all ports used by the actor’s malware. In certain instances actors are using port 443 for encrypted communications. If you are lucky, the SSL certificate will point out that the server is a sinkhole.
Multiple Actors in One Place
While actor infrastructure can overlap at times, it is rare for a security analyst to find an actor owned IP address resolving domains used for command and control for multiple actors groups. If an analyst comes across multiple intrusion sets on the same IP address, it may be an indication that the IP in question is a sinkhole.
Similarly, while it’s not impossible for a large swath of actors to change their infrastructure all on the same day at the same time, it’s not plausible. If you notice a bunch of usually unrelated infrastructure all of a sudden showing overlap at roughly the same time, with very similar first seen and last seen resolution dates, it is possible the IP address you are researching is a sinkhole.
High Daily Association Counts
For many websites, changing infrastructure on a daily basis is a rare event. It’s possible that a website could be load-balanced across multiple IP addresses, but to have it change to something new everyday would be strange. Conversely, having a whole bunch of domains move over to a new IP address could also be strange.
Using the PassiveTotal heatmaps, it’s possible to identify infrastructure with a high rate of daily change simply by looking at the counts in each square. If the count is high and it also happens to host a bunch of new domains all the time, then it could be a sinkhole.
WHOIS and Nameservers
Sinkholes may also be easily and quickly be identified by analysts through viewing the WHOIS tab and reviewing the nameserver information associated with a domain. In the example below you can see that the domain is currently associated with ns1.sinkholio.com and ns2.sinkholio.com, both name servers are actively used by a security research organization for sinkholing domains and are aptly named. Seeing this nameserver allows an analyst to be fairly confident that they IP address this domain resolves to is a sinkhole.
Companies like Kaspersky are very public about their sinkholing operations and will sometimes list the domain or IP address as sinkholed next to their indicators of compromise.