2. Fighting Botnets with Sinkholes
• Also known as DNS Sinkholes or DNS Blackholes
• Spoofed DNS answers stop bots from resolving the host names of specified domains to the attacker's servers
• Most botnets rely on Command and Control servers (C&C)
• One way to deal with them is to seize control.
3. • [Figure: data flow for DNS resolution in a sinkholed botnet. Source: SANS Institute.]
4. Issues with Sinkholes
• Sinkholes can collect information about victim computers
• Monetizing the data
• Should only track GET requests, not POST requests
• ISPs and registrars might be unwilling to cooperate.
• If the site is a .com, the registrars are more likely to help.
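Putting slides 2 and 4 together, an added example (not from the slides or from SANS; the domain names, addresses and function names are constructed placeholders): the decision logic of a sinkhole resolver, plus a request logger that keeps GET metadata but drops POST bodies so the sinkhole does not collect stolen data.

```python
"""Minimal DNS-sinkhole decision logic with a privacy-preserving
request logger. Added example; all names and addresses constructed."""
import ipaddress
from typing import Callable, Optional

# Constructed blocklist of C&C host names and the sinkhole address that
# the spoofed DNS answers point bots to (RFC 5737 documentation ranges).
SINKHOLE_IP = "192.0.2.10"
CNC_DOMAINS = {"cnc.example", "update.bot.example"}


def is_sinkholed(qname: str) -> bool:
    """True if qname, or any parent domain of it, is a listed C&C name."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in CNC_DOMAINS for i in range(len(labels)))


def resolve(qname: str, upstream: Callable[[str], str]) -> str:
    """Answer listed names with the sinkhole address; forward the rest."""
    return SINKHOLE_IP if is_sinkholed(qname) else upstream(qname)


def log_request(method: str, path: str, src_ip: str, body: bytes) -> Optional[dict]:
    """Record only what is needed to count victims: the GET path without
    its query string and the victim's /24. POST bodies (and anything a
    bot exfiltrates) are discarded entirely, per slide 4."""
    if method != "GET":
        return None
    net = ipaddress.ip_network(f"{src_ip}/24", strict=False)
    return {"method": method, "path": path.split("?")[0], "src_net": str(net)}
```

Hook `resolve` behind a real DNS listener and `log_request` behind the HTTP sinkhole; the body argument is accepted only so the caller never has to branch on method before discarding it.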
5. Botnet Spoofing
• Botnet spoofing tricks the bot into spreading the BotSpoofer rather than itself.
• Similar to a cockroach killer, which spreads the infection to the whole swarm.
• Targets self-propagating, persistent botnets.