sponsors
usenix conference policies
SinkMiner: Mining Botnet Sinkholes for Fun and Profit
Babak Rahbarinia, University of Georgia; Roberto Perdisci, University of Georgia and Georgia Institute of Technology; Manos Antonakakis, Damballa, Inc.; David Dagon, Georgia Institute of Technology
Botnets continue to pose a significant threat to Internet security, and their detection remains a focus of academic and industry research. Some of the most successful botnet measurement and remediation efforts rely heavily on sinkholing the botnet's command and control (C&C) domains. Essentially, sinkholing consists of re-writing the DNS resource records of C&C domains to point to one or more sinkhole IP addresses, thus directing victim C&C communications to the sinkhole operator (e.g., law enforcement).
Sinkholes are typically managed in collaboration with domain registrars and/or registries, and the owner of the network range where the botnet C&C is sinkholed. Registrars often play a critical role in remediating abusive domains (e.g., by invoking rapid take-down terms commonly found in domain registration contracts, such as the "Uniform Rapid Suspension System"). Collaboration with the sinkhole network range owners is needed to endure the possible IP reputation damage to their IP space, since sinkholes may appear as real C&Cs to others.
While some sinkhole IPs are publicly known or can be easily discovered (see Section 2.1), most are jealously kept as trade secrets by their operators, to protect proprietary black lists of remediated domains. Therefore, third-party researchers are often unable to distinguish between malicious C&C sites and remediated domains pointed to sinkholes.
In some cases, this stove-piping of sinkhole information can cause "friendly fire", whereby security operators or law enforcement may take down an already sinkholed C&C. This results in disrupting remediation effort, and may in some cases bring more harm to the botnet victims (whose infected clients may turn to secondary or backup C&C domains not being remediated). It is therefore useful to build technologies capable of identifying whether or not a C&C domain and/or IP are part of a sinkholing effort.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Babak Rahbarinia and Roberto Perdisci and Manos Antonakakis and David Dagon},
title = {{SinkMiner}: Mining Botnet Sinkholes for Fun and Profit},
booktitle = {6th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 13)},
year = {2013},
address = {Washington, D.C.},
url = {https://www.usenix.org/conference/leet13/workshop-program/presentation/rahbarinia},
publisher = {USENIX Association},
month = aug
}
connect with us