Threat actors never stand still and neither do we. Our Security, Intelligence, and Research team just boosted the number of sinkhole indicators in ThreatSTOP’s threat intelligence by over sixty-six percent. Both IP and domain targets for Sinkholes now enjoy deeper, broader coverage across every ThreatSTOP platform — DNS Defense Cloud, DNS Defense, and IP Defense. The result is clearer visibility into compromise, faster containment, and stronger protection for every device that relies on your network.
A sinkhole is an IP address or domain name that security researchers or law-enforcement agencies have created or sometimes requisitioned from criminals. Instead of resolving to a live command-and-control server, the traffic lands in a controlled environment where bad behavior is safely observed or null-routed.
When an endpoint on your network reaches out to a sinkhole, it is waving a red flag: “I was or still am infected.” Catching that traffic lets you:
Identify compromised hosts before data theft or ransomware detonation.
Map out lateral movement or botnet scale.
Confirm remediation actually worked when the queries disappear.
Early warning – Malware often phones home minutes after execution. An immediate block and alert keeps the threat from escalating.
Silent infections – Many commodity trojans, loaders, or adware kits talk to sinkholes long after an original takedown. They lurk quietly until they fetch a fresh payload.
Compliance and incident response – Demonstrating that you detect and act on beaconing traffic satisfies auditors and accelerates post-incident forensics.
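The detection workflow described above, as an added example that is not ThreatSTOP's own code: match resolver log lines against a sinkhole indicator list, group the hits by client so compromised hosts stand out, and confirm remediation when a host's sinkhole queries stop. The indicator domains, IPs and log lines are constructed samples, not real ThreatSTOP data, and the log format is an assumed one.

```python
from collections import defaultdict

# Constructed sinkhole indicators (domains and IPs). A real deployment
# would load these from the threat-intelligence feed, not hard-code them.
SINKHOLE_DOMAINS = {"sinkhole-a.example", "takedown-b.example"}
SINKHOLE_IPS = {"203.0.113.10", "198.51.100.7"}

# Constructed resolver log lines, assumed format:
# "<timestamp> <client_ip> <query_name> <answer>"
SAMPLE_LOG = """\
2024-06-01T08:00:01 10.0.0.5 www.example.com 93.184.216.34
2024-06-01T08:00:03 10.0.0.5 beacon.sinkhole-a.example 203.0.113.10
2024-06-01T08:00:09 10.0.0.7 takedown-b.example NXDOMAIN
2024-06-01T08:00:15 10.0.0.9 mail.example.com 93.184.216.35
2024-06-01T08:00:20 10.0.0.5 beacon.sinkhole-a.example 203.0.113.10
"""

def is_sinkhole(qname, answer):
    """True if the query name, any parent domain of it, or the answered IP
    is a known sinkhole indicator (so sub-labels of a sinkholed zone match)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SINKHOLE_DOMAINS:
            return True
    return answer in SINKHOLE_IPS

def find_beaconing_hosts(log_text):
    """Return {client_ip: [(timestamp, query_name), ...]} for every sinkhole
    hit, so repeated beacons from one host are visible at a glance."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the sweep
        ts, client, qname, answer = parts
        if is_sinkhole(qname, answer):
            hits[client].append((ts, qname))
    return dict(hits)

def remediation_confirmed(before, after, host):
    """Remediation worked when a host seen beaconing in the earlier window
    no longer appears in the later one."""
    return host in before and host not in after

if __name__ == "__main__":
    for host, events in find_beaconing_hosts(SAMPLE_LOG).items():
        print(host, "->", len(events), "sinkhole hit(s)")
```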
Product | What it does | Sinkhole advantage
---|---|---
DNS Defense Cloud | Routes your resolvers to ThreatSTOP’s cloud DNS platform. | Blocks outbound DNS lookups to sinkhole domains in real time, returning safe NXDOMAIN responses and logging the event for instant alerting.
DNS Defense | Runs ThreatSTOP intelligence on your own recursive servers. | Keeps sensitive internal DNS traffic on-prem while applying the same sinkhole dataset, protecting even disconnected sites.
IP Defense | Delivers authoritative block lists to routers, firewalls, web application firewalls, and more. | Stops direct IP connections to sinkholes over any protocol, turning every enforcement point into a proactive shield.
Behind the scenes, our Security, Intelligence, and Research team analyzes global telemetry, takedown notices, and law-enforcement feeds to curate sinkhole indicators alongside protections for command and control, invalid traffic, peer-to-peer abuse, data exfiltration, phishing, SPAM, DDoS activity, and more. Updates flow automatically to every customer, so today’s two-thirds expansion is already working on your behalf.
The two targets you'll want to verify in your policy are:
Both are included in the Command and Control Bundle, so customers using that bundle don't have to do anything to receive this new detection. Our platform has already taken care of that for you.
For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers. Get started with a Demo today!
Connect with Customers, Disconnect from Risks
ATT&CK ID | Tactic | Technique | Why it matters | ThreatSTOP Protection
---|---|---|---|---
T1071.004 | Command and Control | Exfiltration over DNS | Malware uses DNS queries for beaconing or data transfer. | DNS Defense Cloud and DNS Defense block sinkhole domains, log attempts, and alert operators.
T1090.002 | Command and Control | External Proxy | Bots proxy traffic through sinkhole IPs that once served C2. | IP Defense distributes IP block lists to firewalls and routers, cutting the path.
T1041 | Exfiltration | Exfiltration over C2 Channel | Infected hosts attempt to send stolen data to former C2 addresses that are now sinkholes. | All three products block the traffic, preventing data loss and generating high-fidelity alerts.
T0858 | Discovery | Remote System Discovery | Compromised systems look for peers via DNS queries that reveal lateral movement attempts. | Protective DNS policies deny the lookups, exposing the reconnaissance for response teams.
T1568.003 | Command and Control | Domain Generation Algorithms | DGAs sometimes resolve to sinkholed domains after takedown. | Continuous updates identify new sinkhole domains generated by DGAs, ensuring blocks stay current.