Over the years, cybersecurity has evolved tremendously, for both white hat hackers and threat actors. Botnets have also gained considerable traction. Botnets are nothing but compromised computer systems that are managed by third parties. These computers are used to carry out different types of attacks such as deploying malware, stealing data, DDoS attacks etc.

The major challenge for white hats is to figure out the main culprit behind an attack, as the identity of the botnet manager is difficult to find. This is where sinkholing comes into the picture.

What Is Sinkholing?

Sinkholing is a way of manipulating the flow of data from one point to another in a network. Simply put, it is a method of preventing some specific traffic from reaching the server it was destined for. This is done by rerouting or redirecting the traffic from its original server to an alternate server (called a sinkhole), which is owned by the same owner as the main server.

Sinkholing is a cybersecurity technique that is nothing less than a double-edged sword: it can have adversarial uses, such as steering legitimate traffic away from its intended recipient. However, over the years, this method has gained significant traction in fighting malware, as it is mostly used by anti-malware researchers to collect information about a botnet. The alternate server poses as one of the C2 (command-and-control) servers in the botnet. Once the malicious traffic lands at the sinkhole server, researchers analyse it to understand the source of the attacks and possible prevention methods.

At the enterprise level, sinkholing is also used to restrict access to websites. For example, if someone tries to violate corporate policy by accessing web pages that are not allowed at work, they end up landing on a customised page (which can be created with information about the corporate policy restriction), and their data is stored there so that the firm can take further action.

When it comes to tracking down criminals, government bodies responsible for maintaining safe cyberspace use this technique to carry out investigations and criminal infrastructure takedowns.

Furthermore, sinkholing has become so popular that today even ISPs use it to defend their networks and customers, and to manage traffic flow.

Types Of Sinkholing And Challenges

Internal Sinkholing: This form of sinkholing is focused on an organisation's own network. It is used to figure out which systems are infected and could have an adversarial effect on the network. Once the machines are identified, the organisation takes back control of them.

External Sinkholing: Despite its effectiveness, it is considered one of the more controversial methods. The main reason is that any machine on the internet can be manipulated by registering known malicious domains (usually the ones that have expired).

Despite the fact that sinkholing is one of the effective methods of fighting malware, there are some significant challenges. One of the major challenges with external sinkholing is legal. For example, if a victim who is not from your organisation tries to access a URL your company has sinkholed, and you take control of that victim's machine (even if it is just for research purposes), it goes against the rules in many regions.

Much malware that is handled using sinkholing has a self-destruct option, but that doesn't mean you can take control of any machine that lands on the sinkhole. However, there is a solution to this that is also becoming really popular: by using reverse DNS, many sinkholes nowadays first identify whether the machine is infected or malicious.

Outlook

Over the past few years, sinkholing has been used in several malware campaigns, on both the defender's and the attacker's side. However, the defence side is much more effective. There were also times when sinkhole techniques did not fully succeed but still managed to thwart malware from spreading.

While many believe sinkholes are not as significant as other cybersecurity strategies, one cannot deny that they play a major role in network security. After all, who would want to invite infectious traffic to their website?
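As an added example (not code from the article or from any sinkhole product), here is a small Python model of an internal DNS sinkhole: blocklisted names are answered with the organisation's own sinkhole address, every redirected query is logged, and the log is then triaged to list which hosts asked for C2 names. Hosts outside the organisation's own address ranges are reported separately rather than marked for remediation, reflecting the legal caveat above about acting on machines you do not own. The blocklist, addresses, networks and queries are all constructed for the example and are not real indicators.

```python
"""Added example: toy DNS sinkhole resolver plus internal-sinkhole triage.
All domains, addresses, networks and queries below are constructed."""

from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed blocklist of botnet C2 domains (constructed, not real indicators).
BLOCKLIST = {"c2.example-bad.test", "update.example-bad.test"}
# Address of the organisation's own sinkhole server (constructed).
SINKHOLE_IP = "10.99.0.1"
# Stand-in for upstream resolution so the example runs offline (constructed).
UPSTREAM = {
    "c2.example-bad.test": "203.0.113.10",
    "update.example-bad.test": "203.0.113.11",
    "www.example.test": "198.51.100.5",
}
# Address space the organisation is allowed to remediate (assumption).
OWN_NETWORKS = [ip_network("10.0.0.0/8")]


def is_sinkholed(qname: str) -> bool:
    """True if qname or any parent domain is on the blocklist, so that
    bot.c2.example-bad.test is caught by the entry for c2.example-bad.test."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


class Sinkhole:
    """Resolver front-end: answers queries and logs the sinkholed ones."""

    def __init__(self):
        # Each entry is (client_ip, qname) for a query that was redirected.
        self.log = []

    def resolve(self, client_ip: str, qname: str) -> str:
        """Return the sinkhole address for blocklisted names (recording the
        hit); otherwise return the normal answer."""
        if is_sinkholed(qname):
            self.log.append((client_ip, qname.rstrip(".").lower()))
            return SINKHOLE_IP
        return UPSTREAM.get(qname, "0.0.0.0")


def triage(log):
    """Split sinkhole hits into hosts we may remediate (inside OWN_NETWORKS)
    and hosts we may only observe. Each result maps client -> sorted list of
    the C2 names it asked for."""
    ours, others = defaultdict(set), defaultdict(set)
    for client, qname in log:
        addr = ip_address(client)
        bucket = ours if any(addr in net for net in OWN_NETWORKS) else others
        bucket[client].add(qname)
    return ({c: sorted(n) for c, n in ours.items()},
            {c: sorted(n) for c, n in others.items()})


def demo():
    """Run a constructed sequence of queries through the sinkhole."""
    sh = Sinkhole()
    queries = [
        ("10.1.2.3", "www.example.test"),             # benign, answered normally
        ("10.1.2.3", "c2.example-bad.test"),          # infected internal host
        ("10.1.7.9", "bot.update.example-bad.test"),  # subdomain still caught
        ("192.0.2.44", "c2.example-bad.test"),        # external client: observe only
    ]
    answers = [sh.resolve(client, qname) for client, qname in queries]
    return answers, triage(sh.log)


if __name__ == "__main__":
    answers, (remediate, observe) = demo()
    print("answers:", answers)
    print("remediate:", remediate)
    print("observe only:", observe)
```

The parent-domain match in `is_sinkholed` is what keeps a bot from slipping past the blocklist by using a fresh subdomain of a known C2 name, and the address-range split in `triage` is the point at which a real deployment would hand external hits to the relevant ISP or authority instead of touching the machine itself.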