CISSP · Question #604
Why would a security architect specify that a default route pointing to a sinkhole be injected into internal networks?
The correct answer is B. To detect the traffic destined to non-existent network destinations. A sinkhole route (also called a null route or blackhole route) is a default route injected into a network that directs traffic destined for unknown or non-existent destinations to a sinkhole server for analysis and detection.
Question
Why would a security architect specify that a default route pointing to a sinkhole be injected into internal networks?
Options
- ATo have firewalls route all network traffic
- BTo detect the traffic destined to non-existent network destinations
- CTo exercise authority over the network department
- DTo re-inject the route into external networks
How the community answered
(16 responses)- A6% (1)
- B75% (12)
- C6% (1)
- D13% (2)
Why each option
A sinkhole route (also called a null route or blackhole route) is a default route injected into a network that directs traffic destined for unknown or non-existent destinations to a sinkhole server for analysis and detection.
A sinkhole route is not a firewall routing mechanism; it is specifically a security monitoring technique that redirects unroutable traffic to a controlled destination for analysis, not to firewalls for policy enforcement.
A sinkhole default route captures traffic that would otherwise be dropped or go undetected by redirecting it to a monitored destination. This technique is used by security architects to detect malware C2 communications, misconfigurations, or traffic attempting to reach non-existent IP space, as infected hosts often generate traffic to destinations not present in legitimate routing tables. The sinkhole logs and analyzes this traffic, providing visibility into potentially malicious activity within the internal network.
Injecting routes for organizational authority has no technical basis in network security architecture; route injection decisions are driven by security and operational requirements, not departmental control.
Sinkhole routes are an internal security monitoring construct and are not intended to be redistributed or re-injected into external routing tables, which would cause significant routing instability and security risks.
Concept tested: DNS/IP sinkholing for malicious traffic detection
Source: https://www.cisco.com/c/en/us/about/security-center/intelligent-cybersecurity.html
Topics
Community Discussion
No community discussion yet for this question.