sinkhole_detection

Explanation

The sinkhole_detection NDM is designed to detect any Internal IP addresses reaching out to known sinkhole servers. When malicious botnet or other malware command and control infrastructure is shut down by legitimate information security teams, the malicious domains are often pointed to sinkholes, so that security researchers can monitor the extent of the infections.

What to Look For

If this NDM fires, it means an internal IP address is attempting to communicate with a sinkhole. This activity should be immediately investigated as it could indicate a malware infection or unauthorized traffic on the network. Organizations should look for signs of system compromise such as unusual network traffic, CPU spikes, or suspicious processes running on endpoints. It is also recommended that SOC teams investigate the source IP and destination IP of the traffic to determine the scope of the attack.