Sinkholing is a network-layer defensive control that reroutes attack traffic to a controlled destination (the sinkhole) for capture and analysis instead of letting it reach the origin. It is the analytic counterpart to a black hole: where RTBH null-routes and silently discards everything to a targeted IP, a sinkhole accepts the traffic so operators can inspect sources, payloads, and botnet behavior while the origin stays protected.
Why it matters in DDoS testing
Sinkholing shapes both incident response and forensics: it preserves the attack for study rather than dropping it blind. During a test, the relevant questions are whether the sinkhole route propagates fast enough via BGP, whether it scales to absorb the volume, and whether legitimate traffic is misrouted into it. Provider scrubbing and routing-based mitigation differ in how they implement this, a distinction explored in the AWS Shield and Cloudflare comparison.