Network Deception: Methods and an Example of Attack and Defence

Source: Internet
Author: User

"Shen" is a very practical tactic. Military strategists, politicians and entrepreneurs, ancient and modern, all discuss it, and network attack and defence is no exception: system administrators use it too. Every network system has security vulnerabilities, and if the system is valuable, intruders will try to exploit them. Usually people simply patch these vulnerabilities or flaws; but a skilled administrator can instead make the intruder believe the system has a security flaw and lead him toward false resources. That is "Shen". Of course, it must rest on first making oneself "invincible" before "engaging the enemy". The administrator can also track the intruder's behaviour and fix latent security vulnerabilities in the system before the intruder reaches them. This can be likened to "leading the intruder by the nose".

I. Exploring the methods of network deception

In their work, network administrators and intruders are always two opposing camps; what roles they play outside work is harder to say. In practice we can use reverse thinking to guess the intruder's attack techniques and intentions, lead him "by the nose" along the path we have designed for him, and gradually consume his resources. In this way the intruder comes to feel that reaching his goal is still quite a challenge. In general, network deception can be approached from the following aspects.

1. Decoys: honeypots and distributed honeypots

The earliest network deception is honeypot technology. A honeypot is a decoy: it places a small number of attractive targets (the honeypots) where intruders can easily find them, so that they fall into the trap. Many technical means are used, usually grouped into planting false information and concealment. The former includes redirected routing, forged information and traps; the latter includes hidden services, multiple paths and keeping security-state information confidential. The aim is to have the intruder spend his skill and energy on the honeypot rather than on the genuinely valuable normal systems and resources, so the bait must be "appetising".

Although a honeypot can be switched in quickly, against a slightly more advanced intrusion a single honeypot has little effect. Distributed honeypot technology therefore arose: it spreads the deception (honeypots) among the network's normal systems and resources, using unused service ports as decoys, and so raises the chance that an intruder runs into a decoy. Distributed honeypots have two direct effects: first, the deception is spread over a wider range of IP addresses and port space; second, the proportion of decoys in the whole network rises, so an intruder's scanner is more likely to find a decoy than a real security vulnerability.

Distributed honeypots are not perfect. Their limitations show in three respects: first, they are ineffective against an exhaustive scan of the entire search space; second, they provide only relatively low-quality deception; third, they only lower the proportion of security weaknesses in the whole search space. A more serious drawback is that the technique works only against remote scans. If the intruder is already inside the network system and is observing (for example, sniffing) rather than actively scanning, the real network services are transparent to him and the deception is lost.

2. Real and fake "Li Kui": deception space technology

A computer system can have multi-homed capability: a host with many IP addresses can be realised on a computer with only one Ethernet card. Research institutions have in fact bound more than 4,000 IP addresses to a PC running Linux, each IP address with its own MAC address. This technique can be used to build a deception that fills a large segment of address space at very low cost. Deception space technology enlarges the search space so as to greatly increase the intruder's workload, and thereby achieves the purpose of security protection: many different kinds of deception can be implemented on a single computer. When the intruder's scanner reaches the network's external router and probes a spoofed service, all network traffic from that scanner can be redirected into the deception, so that each subsequent remote access is a continuation of it.

From the defender's perspective, placing network services on all these IP addresses undoubtedly increases the intruder's workload, since he must decide which services are real and which are forged, especially when more than 40,000 such IP addresses on one system are offering forged network services. Moreover, in this situation the decoy services are comparatively easier for the scanner to find; luring the intruder into them lengthens the intrusion, greatly consumes his resources, and sharply reduces the likelihood that the real network services are found.

Of course, the redirection of network traffic and services in this deception must be kept strictly confidential. Once it is exposed it invites attack, and the intruder can then easily tell any known valid service apart from the deception used to probe his scans and their responses.
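The two claims above, that a higher proportion of decoys makes a scanner more likely to hit a decoy than a real weakness (section 1) and that a larger address space raises the scanner's workload (section 2), can be checked with a small model. The following Python is an added example, not code from the original article: the scanner model (a uniformly random probe order over every address/port cell, stopping at the first service found), the 32-address by 256-port space, the four constructed weaknesses and the 36 decoys are all assumptions made for the demonstration.

```python
"""Scanner-versus-decoy model.  This is an added illustration, not code from the
original article; the scanner model (uniformly random probe order over every
address/port cell, stopping at the first service found) and the numbers in
demo() are assumptions chosen for the demonstration."""
import random
from fractions import Fraction


def analytic_decoy_first(n_real_weak, n_decoys):
    """Probability that a uniformly random probe order reaches a decoy before any
    real weakness.  Only the decoy-to-weakness ratio matters, not the space size."""
    if n_real_weak + n_decoys == 0:
        return Fraction(0)
    return Fraction(n_decoys, n_real_weak + n_decoys)


def expected_probes_to_first_hit(n_cells, n_targets):
    """Expected probes before the scanner touches any of n_targets marked cells
    (decoy or real) in a random walk over n_cells.  Enlarging the space, as the
    multi-homed decoy addresses do, raises this linearly."""
    return Fraction(n_cells + 1, n_targets + 1)


def place_decoys(n_addresses, n_ports, real_weak, n_decoys, rng):
    """Choose decoy cells only on address/port pairs that carry no real service."""
    free = [(a, p) for a in range(n_addresses) for p in range(n_ports)
            if (a, p) not in real_weak]
    return set(rng.sample(free, n_decoys))


def first_hit(order, real_weak, decoys):
    """Return (kind, probes_used) for the first decoy or real weakness in probe order."""
    for i, cell in enumerate(order, start=1):
        if cell in decoys:
            return "decoy", i
        if cell in real_weak:
            return "real", i
    return None, len(order)


def simulate_random_scans(n_addresses, n_ports, real_weak, decoys, trials, seed=1):
    """Monte Carlo estimate: fraction of random scans that hit a decoy first and the
    mean number of probes spent before the first hit."""
    rng = random.Random(seed)
    cells = [(a, p) for a in range(n_addresses) for p in range(n_ports)]
    decoy_first = 0
    total_probes = 0
    for _ in range(trials):
        rng.shuffle(cells)
        kind, probes = first_hit(cells, real_weak, decoys)
        decoy_first += kind == "decoy"
        total_probes += probes
    return {"decoy_first": decoy_first / trials, "mean_probes": total_probes / trials}


def exhaustive_scan(n_addresses, n_ports, real_weak):
    """The first limitation named in the text: a scan that walks the whole space
    still enumerates every real weakness, however many decoys are present."""
    return {(a, p) for a in range(n_addresses) for p in range(n_ports)
            if (a, p) in real_weak}


def demo(seed=7):
    """Constructed scenario: 32 addresses x 256 ports, 4 real weaknesses, 36 decoys."""
    n_addresses, n_ports = 32, 256
    real_weak = {(3, 22), (9, 80), (20, 139), (31, 200)}
    decoys = place_decoys(n_addresses, n_ports, real_weak, 36, random.Random(seed))
    return {
        "real_weak": real_weak,
        "decoys": decoys,
        "analytic": analytic_decoy_first(len(real_weak), len(decoys)),
        "expected_probes": expected_probes_to_first_hit(n_addresses * n_ports,
                                                        len(real_weak) + len(decoys)),
        "sim": simulate_random_scans(n_addresses, n_ports, real_weak, decoys, 300, seed),
        "exhaustive": exhaustive_scan(n_addresses, n_ports, real_weak),
    }


if __name__ == "__main__":
    d = demo()
    print("analytic P(decoy first) =", float(d["analytic"]))
    print("simulated P(decoy first) =", d["sim"]["decoy_first"])
    print("expected / simulated probes to first hit =",
          float(d["expected_probes"]), d["sim"]["mean_probes"])
    print("exhaustive scan still finds", len(d["exhaustive"]), "real weaknesses")
```

With 36 decoys against 4 real weaknesses, nine in ten random scans land on a decoy first, and the simulation agrees with the closed form. Multiplying the address space (the multi-homed trick) does not change that ratio; it changes the expected number of probes to the first hit, which is the workload the text wants to impose. The exhaustive scan shows the first limitation directly: a scanner willing to walk every cell still finds all four weaknesses.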

3. Confusing user information: organisational information spoofing and multiple address translation

As network attack techniques keep improving, no single deception technique can succeed forever; the quality of the deception must be raised continually so that intruders cannot tell legitimate services from decoys. Multiple address translation and organisational information spoofing are effective ways to confuse the opponent.

If your organisation's DNS server holds detailed information about each personal system's owner and location, the spoofed DNS entries must also carry a spoofed owner and location, otherwise the deception is easily discovered. Furthermore, the forged people and locations need forged supporting information, such as salary, budget and personal records. In short, if an organisation provides access to personal and system information, the deception must reflect that information in some way.

Within information obfuscation, multiple address translation separates the spoofed network from the real one, so that real computers can take the place of low-credibility decoys, adding indirection and concealment. The basic idea is to redirect the proxy service (by rewriting the proxy server program) and perform address translation through it, so that the spoofed system preserves the same source and destination addresses as the real system.

4. Confusing network information: dynamic network configuration and network traffic simulation

Real networks change over time; a static deception will be found out by an intruder who monitors for long enough. The spoofed network must therefore be configured dynamically to imitate normal network behaviour, so that it changes over time just as a real network does. To be effective, the deceptive features should reflect the characteristics of the real system as closely as possible. For example, if the office computers are shut down after work, the decoy computers should be shut down at the same time. Holidays, weekends and special occasions must also be taken into account, or intruders are likely to spot the deception.

The purpose of generating simulated traffic is to make it impossible for traffic analysis to detect the deception. There are two ways to generate simulated traffic in a spoofed system. One is to replicate real network traffic, in real time or in a reproducible way; because every access connection is replicated, the spoofed system looks very much like the real one. The other is to generate the spoofed traffic from a remote location, so that intruders can discover and exploit it.
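The schedule mirroring and traffic replication just described interact: replayed traffic that reaches a decoy while its mirrored workstation is supposed to be switched off is exactly the inconsistency a long-term observer would notice. The Python below is an added example, not code from the original article. The office-hours table, holiday list, the mapping from real workstations to decoy twins and the three flow records are constructed sample data; the replay model (shift every flow by one delay, keep inter-arrival gaps) is an assumption.

```python
"""Keeping decoy hosts consistent with the real hosts they mirror.  Added
illustration, not code from the original article; the office-hours table,
holiday list, address map and flow records are constructed sample data."""
from datetime import date, datetime, time, timedelta

# Real workstations run Mon-Fri 08:30-18:00; weekdays absent from the table are off.
OFFICE_HOURS = {weekday: (time(8, 30), time(18, 0)) for weekday in range(5)}
HOLIDAYS = {date(2024, 12, 25), date(2025, 1, 1)}

# Constructed: real workstation -> its decoy twin on the deception subnet.
DECOY_FOR = {"10.0.1.20": "10.0.9.20", "10.0.1.21": "10.0.9.21"}

# Constructed flows observed against the real workstations on a normal Tuesday.
REAL_FLOWS = [
    {"ts": datetime(2024, 12, 24, 9, 5), "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 445},
    {"ts": datetime(2024, 12, 24, 12, 30), "src": "10.0.0.8", "dst": "10.0.1.21", "dport": 80},
    {"ts": datetime(2024, 12, 24, 17, 50), "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 139},
]


def real_host_is_up(when, hours=OFFICE_HOURS, holidays=HOLIDAYS):
    """A mirrored workstation is off on holidays, on days without a window, and
    outside its window (end time exclusive)."""
    if when.date() in holidays:
        return False
    window = hours.get(when.weekday())
    if window is None:
        return False
    return window[0] <= when.time() < window[1]


def decoy_transitions(day, hours=OFFICE_HOURS, holidays=HOLIDAYS):
    """Power-state changes the decoy should perform on a given date, in order."""
    if day in holidays or day.weekday() not in hours:
        return []
    start, end = hours[day.weekday()]
    return [(datetime.combine(day, start), "up"), (datetime.combine(day, end), "down")]


def mirror_flows(real_flows, address_map=DECOY_FOR, delay=timedelta(0)):
    """Replay flows seen on real hosts against their decoy twins, preserving the
    inter-arrival gaps; `delay` shifts the whole replay (reproducible replay)."""
    return [{**flow, "dst": address_map[flow["dst"]], "ts": flow["ts"] + delay}
            for flow in real_flows if flow["dst"] in address_map]


def flows_while_down(flows, hours=OFFICE_HOURS, holidays=HOLIDAYS):
    """Replayed flows that would reach a decoy while its mirrored host is off:
    the inconsistency a long-term observer uses to recognise the deception."""
    return [f for f in flows if not real_host_is_up(f["ts"], hours, holidays)]


def demo():
    """Compare a live replay with two time-shifted replays of the same flows."""
    live = mirror_flows(REAL_FLOWS)
    shifted_1h = mirror_flows(REAL_FLOWS, delay=timedelta(hours=1))
    next_day = mirror_flows(REAL_FLOWS, delay=timedelta(days=1))  # lands on Dec 25
    return {
        "replayed": len(live),
        "decoy_targets": sorted({f["dst"] for f in live}),
        "inconsistent_live": len(flows_while_down(live)),
        "inconsistent_shift_1h": len(flows_while_down(shifted_1h)),
        "inconsistent_next_day": len(flows_while_down(next_day)),
        "christmas_transitions": decoy_transitions(date(2024, 12, 25)),
        "tuesday_transitions": [state for _, state in decoy_transitions(date(2024, 12, 24))],
        "saturday_up": real_host_is_up(datetime(2024, 12, 28, 10, 0)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Replaying in real time produces no contradictions, but the same flows shifted by one hour push the 17:50 connection past the 18:00 shutdown, and shifted by a day they all land on a holiday when the decoy should be dark. A reproducible replay therefore has to be gated by the same calendar that drives the decoy's power state, which is the point the text makes about holidays, weekends and special occasions.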

In this contest of deception and counter-deception, the demands on both sides' wits are very high. A misjudgement in any one link can land you in the other side's trap. We must therefore understand the deceptions involved so as to judge accurately in practice. Below we look at a "Shen" attack-and-defence exercise.
