SinkMiner: Mining Botnet Sinkholes for Fun and Profit

Authors

  • Babak Rahbarinia
  • Roberto Perdisci
  • Manos Antonakakis
  • David Dagon
Abstract

Botnets continue to pose a significant threat to Internet security, and their detection remains a focus of academic and industry research. Some of the most successful botnet measurement and remediation efforts rely heavily on sinkholing the botnet’s command and control (C&C) domains [1]. Essentially, sinkholing consists of re-writing the DNS resource records of C&C domains to point to one or more sinkhole IP addresses, thus directing victim C&C communications to the sinkhole operator (e.g., law enforcement). Sinkholes are typically managed in collaboration with domain registrars and/or registries, and the owner of the network range where the botnet C&C is sinkholed. Registrars often play a critical role in remediating abusive domains (e.g., by invoking rapid take-down terms commonly found in domain registration contracts, such as the “Uniform Rapid Suspension System” [3]). Collaboration with the sinkhole network range owners is needed to endure the possible IP reputation damage to their IP space, since sinkholes may appear as real C&Cs to others. While some sinkhole IPs are publicly known or can be easily discovered (see Section 2.1), most are jealously kept as trade secrets by their operators, to protect proprietary black lists of remediated domains. Therefore, third-party researchers are often unable to distinguish between malicious C&C sites and remediated domains pointed to sinkholes. In some cases, this stove-piping of sinkhole information can cause “friendly fire”, whereby security operators or law enforcement may take down an already sinkholed C&C. This results in disrupting remediation efforts, and may in some cases bring more harm to the botnet victims (whose infected clients may turn to secondary or backup C&C domains not being remediated). It is therefore useful to build technologies capable of identifying whether or not a C&C domain and/or IP are part of a sinkholing effort. 
In this paper, we present SinkMiner, a novel forensics system that enables the discovery of previously unknown sinkhole IPs and the related sinkholed domains by efficiently mining large passive DNS databases. Being able to discover “secretive” sinkhole operations has both benign and not-so-benign implications. On a purely benign side, labeling previously unknown sinkhole IPs may prevent “friendly fire,” as mentioned above. Also, the discovery of sinkhole IPs may enable a much more precise measurement of the effective lifetime of C&C domains. On the other hand, the ability to identify sinkhole IPs may allow less-than-honest researchers to collect all related sinkholed domains, which could then be re-sold to third parties as part of a domain blacklist, thus unfairly taking advantage of the often very meticulous and costly work done by the sinkhole operator. Our system’s ability to detect previously unknown sinkhole IPs is based on a somewhat surprising empirical observation: sinkhole operators often relocate C&C domains from one sinkhole IP to another (see Section 2.2). Therefore, given a small seed of known sinkhole IPs, we can leverage passive DNS databases to monitor the “behavior” of their sinkholed domains to track where they relocate — effectively discovering “by association” previously unknown sinkholes. This is in stark contrast with what common knowledge may suggest, namely that once a C&C domain falls into a sinkhole it will never escape until it expires or is “retired” by the sinkhole operator, making
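The “discovery by association” step the abstract describes, as an added illustration that is not SinkMiner’s own code: starting from a seed of known sinkhole IPs, find the domains that resolved to them, then look at which IPs those domains moved to afterwards and treat an IP that attracts several such domains as a candidate sinkhole. The passive DNS table, the IPs and domains (documentation ranges, `.example` names), the day indices and the `min_domains` threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed passive DNS records (not real data): (domain, ip, first_seen, last_seen) in day indices.
PDNS = [
    ("evil-c2-a.example", "203.0.113.5",   1, 9),    # original C&C hosting
    ("evil-c2-a.example", "198.51.100.10", 10, 20),  # enters the known sinkhole
    ("evil-c2-a.example", "198.51.100.99", 21, 40),  # relocated to an unknown sinkhole
    ("evil-c2-b.example", "198.51.100.10", 5, 20),
    ("evil-c2-b.example", "198.51.100.99", 21, 40),
    ("evil-c2-c.example", "198.51.100.10", 8, 25),
    ("evil-c2-c.example", "198.51.100.99", 26, 40),
    ("evil-c2-d.example", "198.51.100.10", 2, 15),
    ("evil-c2-d.example", "203.0.113.77", 16, 30),   # single domain moving elsewhere: not enough evidence
    ("shop.example",      "192.0.2.8",     1, 40),   # benign domain, never sinkholed
]

def sinkholed_domains(records, sinkhole_ips):
    """Map each domain that ever resolved to a known sinkhole IP to the day it first did so."""
    entered = {}
    for domain, ip, first, _last in records:
        if ip in sinkhole_ips:
            entered[domain] = min(first, entered.get(domain, first))
    return entered

def relocation_targets(records, sinkhole_ips):
    """Per destination IP, the set of sinkholed domains that resolved to it *after* entering a sinkhole.
    Resolutions before the sinkhole date (the attacker's original hosting) are deliberately ignored."""
    entered = sinkholed_domains(records, sinkhole_ips)
    movers = defaultdict(set)
    for domain, ip, first, _last in records:
        if domain in entered and ip not in sinkhole_ips and first > entered[domain]:
            movers[ip].add(domain)
    return movers

def discover_sinkholes(records, seed_ips, min_domains=3):
    """Grow the seed until no further IP attracts at least min_domains relocated sinkholed domains.
    The threshold (an assumed value) guards against a lone domain that simply expired and was re-registered."""
    known = set(seed_ips)
    while True:
        new = {ip for ip, doms in relocation_targets(records, known).items()
               if len(doms) >= min_domains} - known
        if not new:
            return known - set(seed_ips)   # only the IPs discovered by association
        known |= new

if __name__ == "__main__":
    print(discover_sinkholes(PDNS, {"198.51.100.10"}))  # → {'198.51.100.99'}
```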


Journal title:

Volume   Issue 

Pages  -

Publication date: 2013