# sinkhole\_detection

**Explanation**

The sinkhole\_detection NDM is designed to detect any Internal IP addresses reaching out to known sinkhole servers. When malicious botnet or other malware command and control infrastructure is shut down by legitimate information security teams, the malicious domains are often pointed to sinkholes, so that security researchers can monitor the extent of the infections.

**What to Look For**

If this NDM fires, it means an internal IP address is attempting to communicate with a sinkhole. This activity should be immediately investigated as it could indicate a malware infection or unauthorized traffic on the network. Organizations should look for signs of system compromise such as unusual network traffic, CPU spikes, or suspicious processes running on endpoints. It is also recommended that SOC teams investigate the source IP and destination IP of the traffic to determine the scope of the attack.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.fusion.vectra.ai/detection-models/library/post-compromise/sinkhole_detection.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.