Sink Holes - Understand And Analyze Your Network
Sinkhole Routers/Networks
•Sinkholes are a topological security feature—somewhat analogous to a honeypot
•Router or workstation built to suck in traffic and assist in analyzing attacks (original use)
•Used to redirect attacks away from the customer—working the attack on a router built to withstand the attack
•Used to monitor attack noise, scans, data from misconfiguration and other activity (via the advertisement of default or unused IP space)
•Traffic is typically diverted via BGP route advertisements and policies
•Leverage instrumentation in a controlled environment—Pull the traffic past analyzers/analysis tools
Why Sinkholes?
•They work! Providers, enterprise operators and researchers use them in their network for data collection and analysis
•More uses are being found through experience and individual innovation
•Deploying sinkholes correctly takes preparation
BGP Trigger
•Leverage the same BGP technique used for RTBH
•Dedicated trigger router redistributes a more specific route for the destination being rerouted—next-hop set via route-map
•All BGP-speaking routers receive update
•Complex design can use multiple route-maps and next-hops to provide very flexible designs
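As an added example (not taken from the slides), a Cisco IOS-style configuration of the trigger described above: a tagged static route on the trigger router is redistributed into BGP with its next-hop rewritten to the sinkhole. All addresses, the AS number, tag value and names are assumed placeholders.

```cisco
! ---- Trigger router (assumed AS 65000, sinkhole loopback 192.0.2.1) ----
! Static route for the destination to divert; the tag is what selects it for redistribution.
! 198.51.100.10/32 is a placeholder for the address under attack.
ip route 198.51.100.10 255.255.255.255 Null0 tag 66
!
! Only tagged statics are redistributed; next-hop is rewritten to the sinkhole.
! no-export keeps the /32 inside the AS so the diversion is never leaked to peers.
route-map SINKHOLE-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
! Anything not tagged is dropped by the implicit deny at the end of the route-map.
router bgp 65000
 redistribute static route-map SINKHOLE-TRIGGER
 ! iBGP peers must receive the community or no-export has no effect.
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
!
! ---- Sinkhole router ----
! The sinkhole address must be reachable through the IGP from every BGP speaker,
! so the loopback is carried in the IGP (OSPF shown as the assumed IGP).
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
router ospf 1
 network 192.0.2.1 0.0.0.0 area 0
!
! Diverted traffic is delivered to the analysis segment; unreachables are
! suppressed so the sinkhole does not generate backscatter toward spoofed sources.
interface GigabitEthernet0/1
 description Analysis/capture segment
 ip address 203.0.113.1 255.255.255.0
 no ip unreachables
ip route 198.51.100.10 255.255.255.255 GigabitEthernet0/1
```

Removing the tagged static route on the trigger withdraws the /32 and returns the destination to its normal path.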
Anycast and Sinkholes
•Sinkholes are designed to pull in traffic, potentially large volumes
•Optimal placement in the network requires mindful integration and can have substantial impact on network performance and availability
•A single sinkhole might require major re-engineering of the network
•Anycast sinkholes provide a means to distribute the load throughout the network