Sinkholes: How to Use Deception Technology to Serve as an Intelligent Sinkhole

Doron Kolton
Deception CTO

A sinkhole is a system used by security teams to fight, block, and collect information about adversaries infiltrated the organization. It is also used by security researchers to collect information about botnets activities and the adversaries’ PPTs.


Most common to security professionals is a DNS sinkhole[1]. This provides the prevention of malicious and unwanted activity occurring between organization computers system and the Internet. This blog focuses on how deception technology can serve as an intelligent sinkhole. Deception technology can assist in collecting information about the adversaries’ goals of already infected assets inside the organization and how they tried to reach those goals.

Deception collects vital intel on attackers

Organizations use Threat Intelligence to block the communication of attackers that infiltrated the organization with Command and Control (C&C) servers on the Internet. Such blocking can be done using a FW, IPS, and other security gateways based on TI. Blocking prevents the operations of the adversaries when they try to connect with C&C or when they try to access assets that they should not be accessing. However, by “just” blocking the attackers, the defenders cannot learn about the adversaries’ goals, PPTs, etc. For example, what protocols the attackers are using, what they are looking for, which tools they use, etc. Using deception, the defenders can gather all this information and more. 

The method of using deception as an intelligent sinkhole

Using deception as an intelligent sinkhole relies on rerouting the suspicious traffic and the unidentified traffic to a Decoy Server. This can be done through the organization’s DNS server, the FW or the IPS. The traffic that will be directed to the Decoy Server might include any ports or protocols the adversary is using to carry the attacks or to connect with the C&C server. The Decoy Server itself is configured to have relevant ports open and, with applications running on these ports, capable of interacting with the adversary. It should include HTTP(S) application, FTP application, database servers, DNS server and more. A Concurrently local services like shared folders and RDP should be configured.

The decoys services can be on the same IP address or running on different IP addresses (by using the DNS server on the Decoy Server itself). This configuration should follow the configuration used by the organization.

sinkhole diagram

DNS Decoy

When a DNS is used to redirect the adversaries’ traffic to the decoy server, the DNS decoy should be configured on the Decoy Server. The organization’s DNS server should then forward the DNS request to the decoy DNS server which returns the IP addresses of the decoys. You can have multiple decoys running on multiple IP addresses. Each can run multiple services and the decoy DNS can round robin among these decoy servers. Security teams also have the option to use the decoys as part of their incident response strategy. You can feed attackers with false information leading them in the wrong direction.

When an attacker interacts with one of the decoys, the interactions can progress for quite a while. For example, when the attacker connects to an FTP server, he goes through the login process, then traverses the file system of the decoy, and writes or reads a file.

Forensic information collected in the Decoy Server

Deception technology can collect all the activities of the attacker with the decoy system. It can then present it in a graphical manner, allowing the security team to inspect all activities. At the same time, a PCAP file for these activities can be captured. If the deception solution is integrated with other systems that are inspecting traffic (e.g., Network Detection & Response), then the entire traffic of the infected asset can be captured in a PCAP file. Note that when Fidelis Deception is integrated with EDR, the decoy can inform the EDR about the activities taking place with the decoy. Then, the EDR can start tracing the process and the activities of the adversary communicating with the decoy.


To summarize, using deception as an intelligent sinkhole in the organization is easy to configure and yield a lot of information about the adversaries’ activities. You can gather intelligence and information about the goals of the attacker and learn how to detect and prevent the current and future attacks.

[1] SANS Institute: DNS Sinkhole Whitepaper

SC Media recognized our award-winning technology as a powerful tool to have in your security arsenal in their product review. Learn more about Fidelis Deception here!


Browse our blog