What is "honeypot technology"?
Implementation of honeypot technology
A honeypot works like an intelligence collection system. It appears to be a deliberately exposed target, luring attackers into attacking it. After an attacker breaks in, you can learn how he succeeded and stay informed about the latest attacks and vulnerabilities being launched against your company's servers. You can also eavesdrop on the connections between hackers, collect the tools they use, and map their social networks.
Setting up a honeypot is not difficult: all you need is a computer running unpatched Microsoft Windows or Red Hat Linux exposed to the Internet. Because hackers may set traps that target your computer's logging and auditing capabilities, you will want to place a network monitoring system between the computer and your Internet connection that quietly logs all traffic to and from it. Then sit back and wait for the attacker to walk into the trap.
Setting up a honeypot is not without risk, however, because most compromised systems are used by hackers to attack other systems. This is downstream liability, which leads to the topic of honeynets.
A honeynet is a honeypot that uses additional technology to properly record the hacker's actions while minimizing or eliminating the risk to other systems on the Internet. A honeypot built behind a reverse firewall is one example: the purpose of this firewall is not to block inbound connections but to stop the honeypot from establishing outbound ones. Although this prevents the honeypot from damaging other systems, it is also easily noticed by hackers.
Data collection is another technical challenge in setting up a honeypot. As long as the honeypot's monitor records every packet entering and leaving the system, its operator can see clearly what the hacker is doing. Log files on the honeypot itself are also a good source of data, but attackers can easily delete them, so the usual approach is to have the honeypot send copies of its logs to a remote syslog server on the same network that has better defenses. (Be sure to monitor the log server too: if an attacker breaks into that server using new methods, the honeypot will undoubtedly have proved its worth.)
In recent years the growing use of encryption by black hat groups has made data collection much harder. They now take the advice of many computer security professionals and use cryptographic protocols such as SSH, so that network surveillance is powerless against their communications. The honeynet's countermeasure is to modify the target computer's operating system so that all typed characters, transferred files and other information are recorded in the log of a separate monitoring system. Because attackers may discover such logs, the Honeynet Project uses stealth techniques, for example hiding the typed characters in NetBIOS broadcast packets.
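The remote-logging idea above (record each connection, then export the record to a better-defended log server before an attacker can delete it locally) as an added example that is not part of the original article. It assumes a placeholder collector address and hostname and an RFC 5424 syslog line format; it is not a real honeypot product.

```python
"""Minimal honeypot listener that records every connection and ships each
record off-box to a syslog collector immediately. Constructed example: host
names, ports and the collector address are placeholders."""
import json
import socket
import socketserver
import threading
from datetime import datetime, timezone

COLLECTOR = ("127.0.0.1", 5140)  # placeholder: the better-defended log server
FACILITY_LOCAL0, SEVERITY_NOTICE = 16, 5
MAX_CAPTURE = 512                # bytes of the client's first message kept

def build_record(peer, local_port, data):
    """One structured record for a connection to the honeypot."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": local_port,
        "bytes": len(data),
        "first_bytes_hex": data[:MAX_CAPTURE].hex(),
    }


def to_syslog(record, hostname="honeypot01", app="honeypot"):
    """Encode a record as one RFC 5424 line; PRI = facility * 8 + severity."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY_NOTICE
    body = json.dumps(record, sort_keys=True)
    return f"<{pri}>1 {record['ts']} {hostname} {app} - - - {body}"


class RemoteLogger:
    """Exports each record at once, so an attacker who later wipes the
    honeypot's local logs cannot remove what has already left the box."""
    def __init__(self, collector):
        self.collector = collector
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def emit(self, record):
        line = to_syslog(record)
        self.sock.sendto(line.encode(), self.collector)
        return line


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Accept, capture what the client sends first, log it remotely, close.
    Nothing the client sends is interpreted or executed."""
    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""
        port = self.server.server_address[1]
        self.server.logger.emit(build_record(self.client_address, port, data))


def start_honeypot(bind, collector):
    """Start the listener in a background thread and return the server."""
    server = socketserver.ThreadingTCPServer(bind, HoneypotHandler)
    server.daemon_threads = True
    server.logger = RemoteLogger(collector)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

Calling start_honeypot(("0.0.0.0", 2222), COLLECTOR) opens one listening port; the record carries only the first bytes received, so the full packet capture the article recommends still has to run on the monitoring box in front of it.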
Advantages of Honeypot Technology
One advantage of honeypot systems is that they greatly reduce the amount of data to analyze. On a typical web or mail server, attack traffic is drowned out by legitimate traffic, whereas most of the data entering and leaving a honeypot is attack traffic. That makes it much easier to browse the data and find out what the attacker actually did.
Since its founding in 1999, the Honeynet Project has collected a wealth of information, available at www.honeynet.org. Some of its findings: attack rates doubled in the past year; attackers increasingly use automated point-and-click tools that exploit vulnerabilities (and are easily updated when new vulnerabilities are discovered); and, despite the hype, few hackers are using new attack methods.
Honeypots are primarily a research tool, but they also have real commercial applications. By placing a honeypot on an IP address adjacent to your company's web or mail server, you can see what attacks that server is being exposed to.
Of course, honeypots and honeynets are not "fire and forget" security devices. According to the Honeynet Project, it typically takes 30 to 40 hours of analysis to truly understand the damage an attacker did in just 30 minutes. The system also requires careful maintenance and testing. With a honeypot you are in a constant battle with hackers: you choose the battlefield, but your opponent chooses the time of engagement, so you must always stay alert.
One of the most exciting developments in the honeypot field is the virtual honeynet: a virtual computer network running on a single machine using a virtualization system such as VMware or User-Mode Linux. Virtual systems let you run several virtual computers (usually 4 to 10) on one host. Virtual honeynets significantly reduce the cost, hardware footprint and management burden of honeypots. In addition, virtual systems usually support "suspend" and "resume", so you can freeze a compromised virtual computer, analyze the attack methods, and then bring its TCP/IP connections and other services back up.
For the chief security officer (CSO) of a large organization, one of the most compelling reasons to run a honeynet is to detect people with malicious intent inside the organization.
Legal Issues of Honeypot Technology
Perhaps unexpectedly, monitoring a honeypot also has legal consequences; for example, it may violate anti-wiretapping laws. There is no case law yet, but most people familiar with the law believe a consent banner is the way to go. In other words, give each honeypot a banner such as: "Anyone using this system agrees that their actions will be monitored and disclosed to others, including law enforcement officials."
Honeypot Technology Analysis
I. From film stunts to honeypot technology
The huge Greek fleet in "Troy", the "liquid metal" that changes its shape at will in "Terminator 2", the dinosaurs running around in "Jurassic Park", the "bullet time" in "The Matrix"... As computer technology develops, more and more computer effects are used in film, and virtual actors that need no wages work tirelessly day and night. These computer technologies let directors conceive settings that cannot exist in reality while also reducing production costs. In computer security, however, network administrators have to face real intrusion and destruction by hackers. Is it possible that, with computer technology applied so widely, the security field gets no such assistance? The answer is that it does: the "virtual actor" that stands in for the network administrator in the security field is honeypot technology.
A honeypot (Honeypot) is no more mysterious than the special effects used in movies. The so-called honeypot is a networked computer that takes no security precautions, but unlike an ordinary computer it runs various data recording programs and special-purpose "self-exposing programs". To lure a greedy black bear, honey is naturally indispensable. From the intruder's point of view, breaking into a honeypot takes his mood through huge ups and downs: from secretly cursing the administrator as a fool at the beginning to finally realizing that he has been made a monkey of by that fool.
II. Why use honeypots
In "Terminator 2", Arnold asks John to lower him into the furnace; in "Troy", Achilles is shot by the prince; machine guns fire in war movies; and the nuclear bombs launched by the aliens in "Men in Black" even destroy the North Pole! If all of this were real, our stars would be pictures on the wall. How many people would die to make a movie? Besides, we have only one Earth; is it worth blowing up a region for a film? So people use computer effects to complete these scenes that cannot really happen. Similarly, administrators will not let intruders into a server to cause damage just to record the intrusion, and so honeypots appeared.
As mentioned before, a honeypot is a computer with multiple vulnerabilities, and the administrator knows exactly how many it has. It is like the helmet a sniper raises on his rifle to test the skill of the enemy sniper: once the honeypot is invaded it records the intruder's every move, so the administrator can analyze which holes intruders like to crawl through and strengthen the defenses accordingly.
On the other hand, it is because of the limitations and fragility of firewalls. A firewall must defend according to a rule set based on known dangers; if an intruder launches a new form of attack for which the firewall has no corresponding rule, the attack is not handled, the firewall becomes useless, and the system it protects is destroyed as well. Therefore technicians need honeypots to record the intruder's actions and intrusion data, and to add new rules or manual defenses to the firewall when necessary.
III. In-depth honeypots
Since honeypots bring so many benefits, if everyone built a honeypot at home, wouldn't that protect against hackers to the greatest extent? Readers with this idea, please stop here! Although honeypots can help administrators with analysis to a certain extent, they are not firewalls. On the contrary, they are a dangerous intrusion recording system, and it is not uncommon for a honeypot to be used by a cunning intruder to attack others. As soon as the administrator gets one setting wrong, the honeypot becomes a weakling. The computer skills of ordinary home users are unlikely to reach professional levels, and asking them to build honeypots will only get them burned: honeypots look simple but are actually very complex. Although a honeypot must be prepared to be sacrificed at any time, if in the end it fails to record the intrusion data, it is nothing but a "broiler" (a compromised machine) waiting to be slaughtered. This is the complexity of the honeypot: it must offer loopholes that make intruders happy to stay while ensuring that background recording runs normally and covertly, and all of this requires professional skills. If honeypots could be made casually, we could also film "The Matrix" at home. A deliberately exposed server that has vulnerabilities but lacks a complete recording and handling environment cannot be called a honeypot; it is only a broiler.
So we must understand the honeypot: what exactly does it look like?
1. The definition of a honeypot
First we must understand the difference between a honeypot and a computer without any precautions. Both may be invaded and destroyed, but their essence is completely different. A honeypot is a "black box" carefully arranged by the network administrator; it looks like a loophole and is full of danger, but it is under control, and the intrusion data it collects is very valuable. The latter is simply a gift to the intruder: even if it is invaded, no traces may be found... Therefore, the definition of a honeypot is: "A honeypot is a security resource whose value lies in being probed, attacked and compromised."
The original intention in designing a honeypot is to let hackers break in and to collect evidence while hiding the real server's address, so a qualified honeypot is required to have these functions: detect attacks, generate alerts, provide powerful logging, deceive, and assist investigations. One more function is performed by the administrator: prosecuting intruders, when necessary, on the basis of the evidence the honeypot has collected.
2. Legal issues involved
Honeypots exist to be invaded by hackers, so they must provide certain vulnerabilities, but we also know that many vulnerabilities are of "high risk" level, and a little carelessness will lead to the system being penetrated. Once the honeypot is compromised, the intruder will do things the administrator cannot predict. For example, if an intruder successfully enters a honeypot and uses it as a "springboard" (meaning the intruder remotely controls one or more compromised computers to invade other computers) to attack others, who is responsible for that loss? Setting up a honeypot must face three problems: trapping technology, privacy, and responsibility.
Trapping technology depends on the skills of the administrator who sets up the honeypot. A honeypot that is not set up or concealed well enough will easily be seen through or destroyed by intruders, and the consequences will be very serious.
Since honeypots are recording devices, they may involve privacy issues. If an enterprise administrator maliciously designs a honeypot to collect activity data on company employees, or secretly intercepts and records the company's network communications, such a honeypot already raises legal issues.
For an administrator, the most unfortunate thing that can happen is that the honeypot is successfully destroyed by an intruder. Some people may think that since the honeypot was deliberately designed to be "sacrificed", it is reasonable for it to be destroyed and there is no need to make a fuss. Yes, a honeypot is indeed there to be "abused", but it is also a computer connected to the network. If a honeypot you built is breached by an intruder and "borrowed" to attack a university's server, I am afraid the resulting losses can only be borne by you. There are also responsibilities that nobody can account for: if a honeypot you built unfortunately attracted notorious worms such as Slammer, Sasser and Blaster and became one of their sources of transmission, who is responsible for that?
3. Types of honeypots
Nothing in the world is all-encompassing, and the same is true of honeypots.
The system and vulnerability settings of a honeypot differ according to the administrator's needs. Honeypots are targeted; they are not set up blindly for amusement. As a result, a variety of honeypot types have emerged...
3.1. Real system honeypot
A real system honeypot is the most realistic honeypot. It runs a real system with real exploitable vulnerabilities, which are among the most dangerous, but the intrusion information it records is often the most authentic. The system installed in this kind of honeypot is usually the original release without any service pack, or with an older service pack. Depending on the administrator's needs, some holes may be patched, as long as the ones worth studying remain. The honeypot is then connected to the network; given how frequently networks are scanned today, such a honeypot quickly attracts attention and receives attacks. The recording program running in the system records the intruder's every move. At the same time it is also the most dangerous type, because every action by an intruder causes a real reaction in the system, such as being overflowed, penetrated, or having its privileges seized.
3.2. Pseudo system honeypot
What is a pseudo system? Do not mistake it for a "fake system". It is also based on a real system, but its biggest feature is "platform and vulnerability asymmetry".
Everyone should know that Windows is not the only operating system in the world: there are also Linux, Unix, OS/2, BeOS and others. Their kernels differ, so the vulnerabilities and defects they produce are not the same either. Simply put, there is little exploit code that can attack several systems at once. You may be able to gain access to Windows with the LSASS overflow vulnerability, but using the same method to overflow Linux is futile. The "pseudo-system honeypot" is built on this characteristic: it uses the powerful imitation capabilities of certain tool programs to forge "vulnerabilities" that do not belong to its own platform. Intrusion through such a "vulnerability" can only happen within the program's framework; even if it is "penetrated" successfully, it is still a dream created by the program, because the system lacks the conditions for that vulnerability to exist, so how could it really be "penetrated"? Implementing a "pseudo system" is not difficult: under Windows some virtual machine programs can do it, and under Linux the built-in scripting facilities and third-party tools can easily implement it. Even under Linux/Unix, administrators can create non-existent "vulnerabilities" in real time, letting intruders believe they have succeeded and keep them busy inside. Tracking and recording is also very easy to implement, as long as the corresponding recording program is running in the background.
The advantage of this kind of honeypot is that it prevents damage by intruders to the greatest extent and can also simulate non-existent vulnerabilities, even letting some Windows worms attack Linux, as long as you simulate the Windows characteristics well enough! But it also has disadvantages: a smart intruder will see through the disguise after only a few rounds, and writing the scripts is not that simple, unless the administrator is very patient or has a lot of free time.
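The "platform and vulnerability asymmetry" described in this section as an added example that is not part of the original article: a scripted service on a Linux host that answers as if it were a Windows FTP server, records every line it receives, flags oversized arguments as overflow probes, and never hands client input to the operating system. The banner, reply strings and the 200-byte threshold are constructed placeholders, not taken from any real server.

```python
"""Low-interaction "pseudo-system" service: a Linux host answering as if it
were a Windows FTP server. Replies are scripted, every line is recorded, and
nothing the client sends is executed. Constructed example; the banner and
reply strings are placeholders, not copied from any real server."""
import socket
from datetime import datetime, timezone

BANNER = "220 Microsoft FTP Service"  # claims a platform this host is not
OVERSIZE = 200                         # argument length that marks an overflow probe


class PseudoFtpService:
    """Scripted FTP dialogue; the "vulnerability" exists only in this table."""
    def __init__(self):
        self.log = []      # (timestamp, line received, reply sent)
        self.alerts = []   # (kind, command, detail) for suspicious input
        self.user = None
        self.authed = False

    def greet(self):
        return BANNER

    def respond(self, line):
        """Return the scripted reply to one client line. Input is only compared
        against fixed keywords; it is never passed to a shell or the OS."""
        text = line.rstrip("\r\n")
        cmd, _, arg = text.partition(" ")
        cmd = cmd.upper()
        if len(arg) > OVERSIZE:        # long argument: typical buffer-overflow probe
            self.alerts.append(("oversized_argument", cmd, len(arg)))
        if cmd == "USER":
            self.user = arg
            reply = f"331 Password required for {arg[:64]}."
        elif cmd == "PASS":
            self.authed = self.user is not None   # every password "works"
            reply = f"230 User {self.user} logged in." if self.authed else "503 Login with USER first."
        elif cmd == "SYST":
            reply = "215 Windows_NT"   # asymmetry: a Linux box reports Windows
        elif cmd == "QUIT":
            reply = "221 Goodbye."
        elif not self.authed:
            reply = "530 Please login with USER and PASS."
        elif cmd in ("PWD", "XPWD"):
            reply = '257 "/" is current directory.'
        else:
            reply = "502 Command not implemented."
        self.log.append((datetime.now(timezone.utc).isoformat(timespec="seconds"), text, reply))
        return reply


def serve_connection(conn):
    """Drive one client connection with the scripted service; returns its log."""
    svc = PseudoFtpService()
    conn.sendall((svc.greet() + "\r\n").encode())
    with conn.makefile("rb") as reader:
        for raw in reader:
            reply = svc.respond(raw.decode("latin-1"))
            conn.sendall((reply + "\r\n").encode())
            if reply.startswith("221"):
                break
    conn.close()
    return svc.log
```

Wrap serve_connection in a listener (for example socketserver, as in the first example) and forward svc.log and svc.alerts off-box; the fake login succeeding for any password is what keeps the intruder busy while the recording runs in the background.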
4. Use your honeypot
Since honeypots are not made just for fun, an administrator will naturally not build one and leave it idle at home. So how is a honeypot used?
4.1. Confuse intruders and protect the server
In the general client/server model, the browser connects directly to the web server; in other words, the entire web server is exposed to intruders, and if its security measures are insufficient, the whole site's data can easily be destroyed. But if you embed a honeypot in the client/server model, letting the honeypot act as the server while the real web server sits on an internal network, and perform port mapping on the honeypot, the security of the site can be improved. Even if an intruder penetrates the external "server", he cannot obtain any valuable information, because he has only broken into a honeypot. Although an intruder can use the honeypot as a stepping stone into the internal network, that is far more complicated than attacking an exposed server directly, and many intruders with insufficient skill can only give up. The honeypot may be destroyed, but do not forget that the honeypot's role is to be the one that gets damaged.
For this purpose, the honeypot can no longer be designed to be full of loopholes. Since it has become the protective layer in front of the internal server, it must be strong enough; otherwise the entire site is given away.
4.2. Resist intruders and harden servers
Intrusion and defense have always been hot topics, and inserting a honeypot into the chain makes defense interesting. This honeypot is set up to behave like an internal network server; by the time an intruder has gone to the trouble of breaking into it, the administrator has collected enough attack data to harden the real server.
Deploying honeypots with this strategy requires the administrator to keep monitoring; otherwise, once the intruder breaks the first one, the second one will be attacked...
4.3. Trapping cybercriminals
This is quite an interesting application. When an administrator discovers that an ordinary client/server website server has been turned into a broiler, he will quickly repair the server if his technical ability permits. But what about next time? Since the intruder believes he has turned the server into a chicken, he will definitely come back to check on his results. Should we just let him run wild? Some enterprise administrators will not give up: they set up a honeypot that pretends to have been invaded and, like Jiang Taigong, wait for the fish to bite. Similarly, in order to find malicious intruders, some companies deliberately set up honeypots with inconspicuous vulnerabilities so that all evidence of the intruder's actions can be recorded without arousing suspicion; some people call this a "prison machine". By cooperating with the telecommunications bureau, the culprit behind the source IP can easily be found.
IV. Conclusion
As network intrusion types diversify, honeypots must also play more diverse roles, or one day they will be unable to withstand the intruders' ravages. This also places higher demands on the technical capability of network administrators, because the honeypot, the virtual actor active in the security field, has its every move designed by you. We cannot make the honeypot as unpredictable as the T-X, but at least it will keep the Arnold we designed from having his neck trampled by the T-X again and being injected with rebellious instructions.