SinkMiner: Mining Botnet Sinkholes for Fun and Profit

Authors: 

Babak Rahbarinia, University of Georgia; Roberto Perdisci, University of Georgia and Georgia Institute of Technology; Manos Antonakakis, Damballa, Inc.; David Dagon, Georgia Institute of Technology

Abstract: 

Botnets continue to pose a significant threat to Internet security, and their detection remains a focus of academic and industry research. Some of the most successful botnet measurement and remediation efforts rely heavily on sinkholing the botnet's command and control (C&C) domains. Essentially, sinkholing consists of re-writing the DNS resource records of C&C domains to point to one or more sinkhole IP addresses, thus directing victim C&C communications to the sinkhole operator (e.g., law enforcement).

Sinkholes are typically managed in collaboration with domain registrars and/or registries, and with the owner of the network range where the botnet C&C is sinkholed. Registrars often play a critical role in remediating abusive domains (e.g., by invoking rapid take-down terms commonly found in domain registration contracts, such as the "Uniform Rapid Suspension System"). Collaboration with the sinkhole network range owners is needed because they must absorb the possible IP reputation damage to their IP space: to outside observers, a sinkhole is indistinguishable from a live C&C.

While some sinkhole IPs are publicly known or can be easily discovered (see Section 2.1), most are jealously kept as trade secrets by their operators, to protect proprietary black lists of remediated domains. Therefore, third-party researchers are often unable to distinguish between malicious C&C sites and remediated domains pointed to sinkholes.

In some cases, this stove-piping of sinkhole information can cause "friendly fire", whereby security operators or law enforcement take down an already sinkholed C&C. This disrupts the remediation effort and may in some cases bring more harm to the botnet victims, whose infected clients may fall back to secondary or backup C&C domains that are not being remediated. It is therefore useful to build technologies capable of identifying whether or not a C&C domain and/or IP is part of a sinkholing effort.
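The following is an added illustration of the problem the abstract describes; it is not code from the SinkMiner paper and does not reproduce the authors' method. It assumes a passive-DNS style feed of (timestamp, domain, rtype, rdata) tuples, a constructed list of blacklisted C&C domains, and a constructed list of publicly known sinkhole IPs. On top of the known list it applies one simple heuristic (our own, not the paper's): an IP that several blacklisted domains migrate to from their original hosting is likely a sinkhole, since that is exactly what record re-writing looks like in historical DNS data. Each blacklisted domain is then labelled as still live or already sinkholed, which is the distinction a responder needs before issuing a take-down.

```python
"""Triage C&C domains: still live, or already pointed at a sinkhole?

Added example (not from the SinkMiner paper). Input is a passive-DNS style
list of (timestamp, domain, rtype, rdata). All names and IPs are constructed
(RFC 5737 documentation ranges); KNOWN_SINKHOLES stands in for whatever
public sinkhole list an operator has. The migration heuristic is ours.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample feed: alpha moves to a publicly known sinkhole IP,
# beta and gamma both move to the same previously unseen IP, delta never
# moves (still live), and a benign domain is present as noise.
PDNS_RECORDS = [
    ("2013-01-05T10:00:00", "cnc-alpha.example", "A", "198.51.100.10"),
    ("2013-02-01T09:30:00", "cnc-alpha.example", "A", "192.0.2.50"),
    ("2013-01-06T11:00:00", "cnc-beta.example", "A", "198.51.100.20"),
    ("2013-02-03T12:00:00", "cnc-beta.example", "A", "203.0.113.7"),
    ("2013-01-07T08:00:00", "cnc-gamma.example", "A", "198.51.100.30"),
    ("2013-02-04T13:00:00", "cnc-gamma.example", "A", "203.0.113.7"),
    ("2013-01-08T08:00:00", "cnc-delta.example", "A", "198.51.100.40"),
    ("2013-01-01T00:00:00", "www.benign.example", "A", "203.0.113.99"),
]

KNOWN_SINKHOLES = {"192.0.2.50"}  # constructed stand-in for a public list
BLACKLISTED = {
    "cnc-alpha.example", "cnc-beta.example",
    "cnc-gamma.example", "cnc-delta.example",
}


def a_record_history(records):
    """Map domain -> [(timestamp, ip), ...] sorted by time, A records only."""
    hist = defaultdict(list)
    for ts, name, rtype, rdata in records:
        if rtype == "A":
            hist[name].append((datetime.fromisoformat(ts), rdata))
    for name in hist:
        hist[name].sort()
    return hist


def infer_sinkholes(hist, blacklisted, known, min_domains=2):
    """Known sinkhole IPs plus any IP that at least `min_domains` blacklisted
    domains migrated to from a different original IP (the re-written-record
    footprint a sinkholing effort leaves in passive DNS)."""
    migrated_to = defaultdict(set)
    for name in blacklisted:
        ips = [ip for _, ip in hist.get(name, [])]
        if len(ips) >= 2 and ips[-1] != ips[0]:
            migrated_to[ips[-1]].add(name)
    inferred = {ip for ip, names in migrated_to.items() if len(names) >= min_domains}
    return set(known) | inferred


def classify(hist, blacklisted, sinkholes):
    """'sinkholed' if the domain's most recent A record is a (known or
    inferred) sinkhole IP, 'live' otherwise, 'unknown' with no history."""
    labels = {}
    for name in blacklisted:
        ips = hist.get(name)
        if not ips:
            labels[name] = "unknown"
        elif ips[-1][1] in sinkholes:
            labels[name] = "sinkholed"
        else:
            labels[name] = "live"
    return labels


def triage(records=PDNS_RECORDS, blacklisted=BLACKLISTED, known=KNOWN_SINKHOLES):
    """Return (sinkhole IP set, per-domain label dict) for the given feed."""
    hist = a_record_history(records)
    sinkholes = infer_sinkholes(hist, blacklisted, known)
    return sinkholes, classify(hist, blacklisted, sinkholes)


if __name__ == "__main__":
    sinks, labels = triage()
    print("sinkhole IPs:", sorted(sinks))
    for name, label in sorted(labels.items()):
        print(f"{name:22s} {label}")
```

Running it on the constructed feed reports both 192.0.2.50 (known) and 203.0.113.7 (inferred from the beta/gamma migration) as sinkholes, labels alpha, beta and gamma as sinkholed, and leaves delta as live; only delta would be a legitimate take-down target, and acting on the other three is the "friendly fire" case. The inferred label is a triage signal, not proof: parking services and shared hosting also accumulate many formerly malicious domains on one IP, so an inferred sinkhole should be confirmed with the range owner or registrar before it changes an operational decision.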


BibTeX
@inproceedings {179236,
author = {Babak Rahbarinia and Roberto Perdisci and Manos Antonakakis and David Dagon},
title = {{SinkMiner}: Mining Botnet Sinkholes for Fun and Profit},
booktitle = {6th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 13)},
year = {2013},
address = {Washington, D.C.},
url = {https://www.usenix.org/conference/leet13/workshop-program/presentation/rahbarinia},
publisher = {USENIX Association},
month = aug,
}