Sinkhole

A technique that redirects traffic destined for a malicious domain or IP to a defender-controlled server, cutting off botnet command-and-control and collecting victim telemetry.

What is a sinkhole?

Sinkholing is the practice of redirecting traffic that was heading to an attacker-controlled destination so that it lands on a defender-controlled server instead. Two common implementations are used:

  • DNS sinkhole — the name the malware looks up is made to resolve to a defender-controlled IP. This happens either at the authoritative level, when a registrar or registry repoints a seized domain's name servers so that every resolver on the internet sees the sinkhole address, or at a single recursive resolver (an ISP's or an enterprise's, typically through a response policy zone), which only affects that resolver's clients. Either way, once cached records expire, every infected host that resolves the C2 hostname ends up talking to the sinkhole instead of the attacker.
  • BGP sinkhole — a network announces a more-specific route for the attacker's IP space so that traffic to it is delivered to the sinkhole instead; common for absorbing DDoS traffic and for takedowns of malware that uses hard-coded C2 addresses rather than domain names

Either way, the infected clients are still running their malware, but it is now talking to defenders instead of to its command-and-control server.

What sinkholes are used for

  • Botnet takedowns — seizing a C2 domain and sinkholing it cuts the attacker's control over the bots and gives defenders a census of infected hosts. The 2011 Coreflood takedown, the 2014 GameOver Zeus seizure, and the 2021 Emotet disruption all used sinkholing to enumerate and notify victims.
  • Resolver-level protection — Quad9 and similar public resolvers block known malicious domains for all their users, so infected clients never learn the C2 address in the first place
  • WannaCry kill-switch — researcher Marcus Hutchins registered the domain WannaCry queried in order to track infections; because the worm exited whenever that domain resolved, the registration acted as a kill-switch and halted the May 2017 outbreak

Telemetry value

A sinkhole receives every beacon from every infected host that can still resolve the seized domain, which makes it one of the richest sources of victim IP data. Those feeds power the notifications defenders send to compromised organizations and the reputation signals for infected IPs. Two caveats apply when reading them. First, a source IP is not a host: NAT and carrier-grade NAT collapse many victims behind one address, so counts are lower bounds. Second, at the authoritative level the DNS queries themselves arrive from recursive resolvers, not victims, so the victim address has to be taken from the TCP or HTTP connection that follows the lookup; only an in-network sinkhole resolver sees client addresses in the queries directly. Hosts that cannot reach the sinkhole at all, because egress is filtered or their resolver is still caching the old record, are simply absent from the count.
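The following is an added example, not code from the original page or from any of the takedowns it mentions. It ties the two mechanisms described above together in one place: a minimal DNS sinkhole that parses raw queries, answers seized names with a defender-controlled A record, refuses everything else so it can never be abused as an open resolver, and keeps the per-domain victim census that the telemetry feeds are built from. It models the in-network (enterprise resolver) case, where infected clients query the server directly and the querying address is the victim; at the authoritative level you would key the census on the connections that follow instead. The seized names, the sinkhole address and the client addresses are constructed placeholders drawn from the RFC 5737 test ranges.

```python
"""Minimal DNS sinkhole with a victim census.

Added example, not code from the original page. It models the in-network
(enterprise resolver) case: infected clients query this server directly,
so the querying address is the victim. The seized names, sinkhole IP and
client addresses are constructed placeholders from RFC 5737 test ranges."""
import socket
import struct
from collections import defaultdict

SINKHOLE_IP = "192.0.2.10"                  # defender-controlled address (placeholder)
SEIZED = {"c2.example", "update.example"}   # constructed seized-domain list
TTL = 60                                    # short TTL so un-sinkholing propagates quickly

# census[qname][client_ip] -> beacon count. An IP is not a host: NAT and
# CGNAT collapse many victims behind one address, so treat these as lower bounds.
census = defaultdict(lambda: defaultdict(int))


def build_query(qname, qid=0x1234):
    """Encode a standard A/IN query with RD=1 for qname (used to exercise the server)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_question(pkt):
    """Return (id, flags, qname, qtype, qclass, offset just past the question section)."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    qid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[pos]
        if n & 0xC0:                # compression pointers never appear in a question name
            raise ValueError("unexpected compression in question")
        pos += 1
        if n == 0:
            break
        labels.append(pkt[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return qid, flags, ".".join(labels).lower(), qtype, qclass, pos + 4


def handle_query(pkt, client_ip):
    """Answer one query: A -> SINKHOLE_IP for seized names, REFUSED for everything else."""
    qid, flags, qname, qtype, qclass, end = parse_question(pkt)
    question = pkt[12:end]
    rd = flags & 0x0100                          # echo the client's RD bit
    if qname in SEIZED and qclass == 1 and qtype in (1, 255):   # A or ANY
        census[qname][client_ip] += 1            # telemetry: this host is still beaconing
        header = struct.pack("!HHHHHH", qid, 0x8400 | rd, 1, 1, 0, 0)   # QR=1 AA=1 NOERROR
        rdata = socket.inet_aton(SINKHOLE_IP)
        # answer: pointer to the question name at offset 12, TYPE A, CLASS IN, TTL, RDLENGTH
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, TTL, len(rdata)) + rdata
        return header + question + answer
    # Not a seized name: refuse rather than resolve, so this never becomes an open resolver.
    header = struct.pack("!HHHHHH", qid, 0x8005 | rd, 1, 0, 0, 0)       # QR=1 RCODE=REFUSED
    return header + question


def answered_ip(resp):
    """Extract the A record from a handle_query response; None when there is no answer."""
    _, _, _, _, _, end = parse_question(resp)
    if struct.unpack("!H", resp[6:8])[0] == 0:   # ANCOUNT
        return None
    rdlen = struct.unpack("!H", resp[end + 10:end + 12])[0]
    return socket.inet_ntoa(resp[end + 12:end + 12 + rdlen])


def victim_census():
    """Per seized domain: distinct source IPs and total beacons observed so far."""
    return {d: {"unique_ips": len(c), "beacons": sum(c.values())}
            for d, c in census.items()}


def serve(bind="0.0.0.0", port=5353):
    """UDP listener (5353 so it runs unprivileged); point test clients' DNS here."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        pkt, (ip, sport) = sock.recvfrom(512)
        try:
            sock.sendto(handle_query(pkt, ip), (ip, sport))
        except ValueError:
            pass                                 # malformed packet: drop it


if __name__ == "__main__":
    serve()
```

Two design choices matter in practice. The short TTL keeps clients re-querying, which both refreshes the census and lets you withdraw the sinkhole quickly if a domain was seized in error. Refusing non-seized names instead of forwarding them is deliberate: a sinkhole that also resolves arbitrary queries is an open resolver and becomes a DDoS reflector the moment its address is known.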

Check whether an IP has been observed checking into sinkholed C2 infrastructure with our IP abuse report checker.

Frequently Asked Questions

Who is allowed to run a sinkhole?

Researchers, ISPs, and law-enforcement teams, in coordination with domain registrars, registries, or hosting providers. Seizing a malicious domain to sinkhole it requires legal authority, typically a court order or a registrar's invocation of its anti-abuse policy. Defensive sinkholing inside one's own network (DNS RPZ, enterprise firewall) needs no external authority. Offensive sinkholing of someone else's infrastructure without authorization is itself a computer crime in most jurisdictions, even when the target is malicious.

How does a sinkhole differ from a honeypot?

A sinkhole impersonates an attacker-controlled destination, typically a C2 server, so infected hosts beacon to the defender instead of the attacker. A honeypot impersonates a victim: a deliberately vulnerable server set up to attract attackers so their behavior can be observed. Sinkholes observe victims (the infected hosts that connect to the former C2). Honeypots observe attackers (the actors who connect to the decoy). Both are passive observation tools with no offensive component.

Does sinkholing remove the malware from infected machines?

Generally no. Sinkholing only cuts the malware off from its C2 server. The malware itself remains on the infected host, typically dormant but still installed. Some sinkhole operators have attempted active "uninstall" commands by replaying the malware's protocol with a self-removal payload, but this is legally risky in most jurisdictions even when well-intentioned. The sinkhole's main value is intelligence and disruption, not cleanup; victim notification through ISPs and CERTs handles the remediation step.

What happened with the WannaCry kill-switch?

In May 2017 the WannaCry ransomware worm spread rapidly across the internet by exploiting an SMB vulnerability (MS17-010, via the EternalBlue exploit). Researcher Marcus Hutchins (MalwareTech) reverse-engineered a sample, noticed it queried a long random-looking domain, and registered the domain to track infections. The malware used that query as a kill-switch: if the domain resolved, the malware exited before spreading or encrypting. Hutchins' registration therefore sinkholed the kill-switch and halted the worldwide outbreak within hours. Hosts that could not reach the domain, for example those behind a proxy the malware did not use, were still hit, and later variants shipped with different kill-switch domains that were registered in turn. It remains one of the most consequential accidental sinkholes in security history.

Do public DNS resolvers sinkhole domains?

Yes, in the blocking sense. Quad9 (9.9.9.9) refuses to resolve known malicious domains by design; it is the explicit value proposition. Cloudflare's 1.1.1.1 for Families offers 1.1.1.2, which blocks malware domains, and 1.1.1.3, which blocks malware and adult content. Many enterprise DNS resolvers and ISPs run RPZ-based sinkholes against threat-intel feeds. The user-visible behavior is just "this domain doesn't resolve"; the protective filtering happens silently below the application. Strictly speaking, a public resolver that answers with NXDOMAIN or 0.0.0.0 blocks the lookup rather than sinkholing it, because no defender-controlled server collects the redirected connection. An enterprise RPZ can do either: return NXDOMAIN, or rewrite the answer to an internal sinkhole host that logs which clients connected.