Infrastructure Forensics: Auditing the 17M-Node 'Stark' Sinkhole

Just saw the update from the Dutch Politie regarding the takedown of that massive botnet. The numbers are wild—17 million infected devices and 200+ servers seized in the Netherlands. It looks like the 'Stark' infrastructure referenced in other threads was the backbone here.

While the headlines focus on the takedown, the real work for us is the cleanup. Since a huge chunk of those nodes were IoT devices (cameras, smart plugs), traditional AV often misses them. I've started auditing our edge traffic to see if we had any devices beaconing to the seized infrastructure before the sinkhole went active.

If you are hunting for residuals, look for high-frequency DNS queries to the specific NL-based subdomains that were sinkholed. Here’s a quick KQL query I’m running to flag potential connection attempts to the known C2 IP ranges:

DeviceNetworkEvents
| where RemoteIP has_any ("192.0.2.0", "203.0.113.0") // Placeholder for seized IP ranges
| summarize count() by DeviceName, RemoteIP, RemotePort
| where count_ > 100


On the IoT side, we are pushing a quick scan for active Telnet/SSH sessions on non-standard ports that might be lingering from the infection.

nmap -p 23,2222,8080 --open -T4 10.0.0.0/24

How is everyone else handling the remediation of consumer-grade IoT gear that can't be patched? Are you bricking them or just VLAN-isolating them?