Sinkholes are why you see companies register a bunch of weird domain names.
Palo Alto Networks Inc was granted a patent today related to domain sinkholing, and it’s a continuation patent of one that was granted in 2016.
It reminded me of times I’ve seen companies (notably Microsoft) register a bunch of nonsensical domain names. Why would a company register a lot of domains with random digits and letters?
The answer is often that it’s a sinkhole.
A sinkhole redirects or blocks traffic meant for a destination. They are used by the security community to stop botnet traffic, phishing and other bad activity.
There are many ways to create a sinkhole. An ISP can simply divert traffic from the IP address nameserver you see in Whois to another. A company (or the government) can also go through the courts to get control of a domain name and then change its nameservers.
Some malware campaigns continually register new domain names as their other names get snuffed out and blocked by security companies. It’s sometimes possible to figure out what the future domain registrations will be, and that’s when you might see a company register a huge list of odd domain names. They know what domains the malware will register next, so the company registers the domains to prevent them from being registered by the bad guys.
A famous example of registering a domain to stop an attack was the domain name iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea(.)com. A person researching the WannaCry ransomware noticed this domain in the malware and registered it. It turns out that registering the domain acted as a killswitch. The malware was programmed to check in on this domain and stop if the domain was registered.
While the WannaCry example isn’t a typical sinkhole, it’s interesting to think about how domain names are used to propagate malware and botnets, and how registering domains can thwart the bad guys.
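To make the DGA paragraph above concrete, here is an added example (my own code, not part of the original post or of any vendor's product). It uses a hypothetical, date-seeded toy generator as a stand-in for a real domain generation algorithm, enumerates the domains it will produce over the next few days so a defender can register or sinkhole them first, and finishes with a simple entropy heuristic for spotting generated-looking labels in DNS logs. The seed, the `.example` suffix and the thresholds are assumptions; the kill-switch domain used as sample input is the one named in the post.

```python
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

# Hypothetical toy DGA (assumption): a deterministic, date-seeded generator that
# stands in for the scheme described in the post. It is not any real family's
# algorithm; its only purpose is to show why future domains are predictable.
TLD = ".example"          # assumed suffix for the generated names
DOMAINS_PER_DAY = 5       # assumed number of candidates per day


def toy_dga(day, seed="demo-seed"):
    """Return the candidate domains the toy generator emits for `day`.
    Anyone who knows the seed and the date computes the same list."""
    domains = []
    for i in range(DOMAINS_PER_DAY):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).hexdigest()
        # Fold the first 12 hex digits into a lowercase label.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        domains.append(label + TLD)
    return domains


def predict_registrations(start, days, seed="demo-seed"):
    """Enumerate every domain the generator will use from `start` for `days`
    days, which is the list a defender registers or sinkholes ahead of time."""
    predicted = []
    for offset in range(days):
        predicted.extend(toy_dga(start + timedelta(days=offset), seed))
    return predicted


def sinkhole_plan(predicted, already_registered):
    """Split the predicted list into names still to claim and names in hand."""
    todo = [d for d in predicted if d not in already_registered]
    have = [d for d in predicted if d in already_registered]
    return todo, have


def shannon_entropy(label):
    """Bits of entropy per character of `label`."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain, min_len=10, entropy_threshold=3.5):
    """Toy detection heuristic (assumption): long, high-entropy first labels
    are flagged for review. Real DGA detection uses richer features."""
    label = domain.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= entropy_threshold


if __name__ == "__main__":
    start = date(2024, 1, 1)                       # constructed sample date
    predicted = predict_registrations(start, 3)
    todo, have = sinkhole_plan(predicted, set(predicted[:2]))
    print(f"{len(todo)} domains still to register, {len(have)} already held")
    # Sample input: the kill-switch domain named in the post, plus a benign name.
    for d in ("iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", "domainnamewire.com"):
        print(d, "->", "DGA-like" if looks_generated(d) else "ordinary")
```

The prediction step is the whole point of pre-registration: once researchers recover the seed and date scheme, the candidate list for any future day is just a loop, and whoever registers those names first controls where the malware's traffic lands. The entropy check is only a triage aid; short labels or pronounceable generators will slip past it, so it belongs beside, not instead of, the predicted-domain list.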
Tim Chen says
People interested in this topic can read up on DGAs, domain generation algorithms.
Separately, it should be noted that an IP address for a domain is not technically part of “Whois” although many people probably make that association. IP addresses are in the A or AAAA records in DNS.
Andrew Allemann says
Thanks Tim. I meant to say “nameserver”, not IP address, although that might be technically off from what happens when the traffic is diverted.