Already published on CHIP
Computer Special Effects and Virtual Actors
-- Computer Honeypot Technology
Author: Xiaojin
I. From Film Special Effects to Honeypot Technology
The huge Greek fleet in Troy, the shape-shifting "liquid metal" in Terminator 2, the dinosaurs of Jurassic Park, the "bullet time" of The Matrix... As computer technology develops, more and more computer-generated effects are used in film. Virtual actors who need no pay work day and night, and these techniques let a director stage scenes that could never be built in reality while cutting the cost of the film. In the field of computer security, meanwhile, network administrators face intrusion and destruction by hackers. Does computer technology, so widely applied everywhere else, offer the security field nothing comparable? It does: the security field has its own "virtual actor" standing in for the administrator, and that is honeypot technology.
The honeypot is no more mysterious than a film effect. A honeypot is a computer connected to the network that, on the surface, takes no security measures at all; unlike an ordinary machine, however, it runs a range of data-recording programs and deliberate "self-exposure" programs for a special purpose. The honey, naturally, is what lures the greedy bear. From the intruder's point of view, breaking into a honeypot is a ride of highs and lows: at the start they get to gloat over the administrator, and at the end they realise they were the ones being played for a fool. (Figure 1. A honeypot website)
II. Why Use a Honeypot?
In Terminator 2, Arnold has John lower him into the molten steel; Achilles in Troy is shot by the prince; machine guns mow people down in war films; in Men in Black the aliens' nuclear blast even wipes out the Arctic! If all of this were real, our stars would be pictures on the wall. How many people would die making a film? And we have only one Earth; is it worth blowing up a region for a film? So these impossible scenes must be done with computer effects. In the same way, an administrator will not let intruders loose on the real server just to record an intrusion for study. Hence the honeypot.
As mentioned above, a honeypot is a computer carrying multiple vulnerabilities, and the administrator knows exactly which ones. It is like the helmet a sniper raises on a stick to test the enemy sniper's aim: when the honeypot is attacked, every move of the attacker is recorded, so the administrator can analyse which holes most intruders prefer to crawl through and strengthen the defences accordingly.
The other reason is the limitation of firewalls. A firewall can only defend against what its rule set already describes as dangerous. If intruders use a new form of attack, the firewall has no matching rule; for that attack the firewall might as well not be there, and the system behind it will be compromised. So technicians need a honeypot to record the intruders' actions and intrusion data, and then add new firewall rules or manual defences as needed.
III. A Closer Look at the Honeypot
Since a honeypot has so many benefits, can everyone build one at home to catch as many hackers as possible? If you have this idea, stop. Although a honeypot helps administrators with analysis to some extent, it is not a firewall; on the contrary, it is a dangerous intrusion-recording system. It is not unusual for a honeypot to be taken over by a hacker and used to attack others. One mistake in a single setting, and the honeypot becomes a meat bun thrown to a dog. The average home user's skill does not reach professional level, so their honeypot is more likely to lead intruders in than to trap them. The honeypot looks simple but is in fact complicated. Although it must be ready to be sacrificed at any moment, if in the end it fails to record the intrusion data it is merely a zombie waiting for slaughter. This is where the complexity lies: the honeypot must offer vulnerabilities that keep the intruder interested, while ensuring the background recording runs reliably and invisibly. This takes professional skill; you cannot shoot The Matrix in your living room either. A server with deliberately enabled vulnerabilities but without a complete recording and handling environment cannot be called a honeypot. It is only a bot.
So what exactly does a honeypot look like?
1. Honeypot Definition
First, we need to distinguish a honeypot from a computer with no protective measures at all. Both may be compromised, but they are completely different in nature. A honeypot is a "black box" carefully arranged by the network administrator: it looks full of holes, yet it is very valuable for collecting intrusion data. The latter is simply a gift to intruders; even after it has been broken into, the owner may never find a trace. Hence the definition: "A honeypot is a security resource whose value lies in being probed, attacked, or compromised." (Figure 2. The honeypot model of John Daly)
The honeypot is designed to let hackers break in and to gather evidence while hiding the real server's address. A qualified honeypot must therefore be able to detect attacks, generate alerts, record comprehensively, deceive, and assist investigation. One further function falls to the administrator: prosecuting intruders, when necessary, on the evidence the honeypot has collected.
2. Legal Issues Involved
A honeypot exists to be attacked by hackers, so it must offer certain vulnerabilities; but many vulnerabilities are rated "high risk", and a moment's carelessness lets the system be penetrated, after which the intruders may do things the administrator never expected. For example, an intruder who gets into a honeypot may use it as a stepping stone (a compromised machine from which the intruder remotely attacks other computers) to attack others. Who is responsible for that loss? Setting up a honeypot means facing three problems: trapping technique, privacy, and liability.
Trapping technique concerns the skill of the administrator who sets up the honeypot. A honeypot that is incomplete or poorly concealed is easily identified, or broken, by intruders, with serious consequences.
Because a honeypot is a recording device, it may raise privacy issues. If an enterprise administrator builds a honeypot to collect the activity data of the company's employees, or secretly intercepts and records the company's network traffic, that honeypot already raises legal issues.
For an administrator, the worst case is that the honeypot is taken over by intruders. Some may think that since the honeypot is designed to be "sacrificed", being broken is only reasonable and nothing to worry about. True, the honeypot is meant to be "abused", but it is still a computer on the network: if your honeypot is compromised and "borrowed" to attack a university server, you may have to bear the loss. Some responsibilities are harder to assign. For example, if a honeypot you built attracts a famous worm such as Slammer, Sasser, or Blaster and becomes one of its sources of propagation, who is responsible?
3. Honeypot Types
Nothing in the world suits every purpose, and honeypots are no exception. The system and vulnerability settings of a honeypot differ according to the administrator's needs; a honeypot is targeted, not set up blindly. Hence there are several kinds of honeypot.
3.1. Real-System Honeypot
The real-system honeypot is the most authentic kind. It runs a real system and carries real, exploitable vulnerabilities, which makes it the most dangerous, but the intrusion data it records is also the most authentic. The system installed on such a honeypot is usually the original release, without service packs or with only an early one; further vulnerabilities may be added as the administrator requires, as long as a vulnerability worth studying is present. The honeypot is then connected to the network. Given today's scanning frequency it quickly attracts attention and attacks, and the recording program running on the system writes down every action of the intruders. It is also the most dangerous kind, because every intrusion produces a real reaction from the system: buffer overflows, penetration, and the gain of real privileges.
3.2. Pseudo-System Honeypot
What is a pseudo-system? Do not misread it as a "fake system". It is also based on a real system, but its defining characteristic is "asymmetry between platform and vulnerability".
Windows is not the only operating system in the world; there are also Linux, Unix, OS/2, BeOS, and so on. Their kernels differ, so their vulnerabilities and defects differ too. Put simply, very little exploit code can attack several systems at once: you may use the LSASS overflow to obtain privileges on Windows, but the same method against Linux is futile. The "pseudo-system honeypot" builds on this: it uses the imitation capability of certain tool programs to forge "vulnerabilities" that do not belong to its own platform. Intrusion into such a "vulnerability" proceeds only within the program's framework; even a "successful penetration" remains an illusion staged by the program, because the system has no conditions under which such a vulnerability could exist. What is there to "penetrate"? A "pseudo-system" is not hard to build: some virtual machine programs under Windows and the scripting facilities of Linux, with third-party tools added, implement it easily, and under Linux/Unix an administrator can even generate non-existent "vulnerabilities" in real time to confuse the intruder. Tracking and recording are equally easy, as long as the corresponding recording program is running in the background. (Figure 3. Real and pseudo systems)
The advantage of this honeypot is that it limits the damage an intrusion can do, can simulate vulnerabilities that do not exist, and can even make some Windows worms attack a Linux host, provided the Windows characteristics are simulated convincingly. It has drawbacks too: a clever intruder sees through the disguise after a few rounds, and writing the scripts is not easy unless the administrator is patient or has time to spare. (Figure 4. Honeypot script)
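The following is an added example, not code from the article, illustrating both the qualities listed for a qualified honeypot in section 1 (detect, alert, record, deceive) and the "platform and vulnerability asymmetry" of section 3.2. It is a small low-interaction script that imitates the banner and login dialogue of a Windows FTP service on a host that runs no FTP daemon at all: a "successful" login exists only inside the program and exposes no real filesystem. The banner text, the listening port and the log path are assumptions chosen for the example.

```python
"""Low-interaction "pseudo-system" honeypot: a fake FTP service.

Added example, not code from the article. The host (imagine a Linux box)
runs no FTP daemon; this script only imitates the banner and login dialogue
of a Windows FTP service, so a "successful" login exists only inside the
program and exposes no real filesystem. Every line the peer sends is
recorded, and each login attempt produces an alert record. Banner text,
port and log path are assumptions chosen for the example.
"""
import json
import socket
import threading
from datetime import datetime, timezone

BANNER = "220 Microsoft FTP Service\r\n"  # constructed: claims a platform this host is not
LOG_PATH = "honeypot.jsonl"               # assumed location of the record file
LISTEN_PORT = 2121                        # assumed; use 21 on a dedicated honeypot host


class FakeFtpSession:
    """Dialogue state for one peer. No I/O here, so it can be tested offline."""

    def __init__(self, peer):
        self.peer = peer
        self.user = None
        self.records = []  # one dict per event, written to the log at session end

    def _record(self, event, **fields):
        rec = {"time": datetime.now(timezone.utc).isoformat(),
               "peer": self.peer, "event": event}
        rec.update(fields)
        self.records.append(rec)

    def respond(self, line):
        """Record one client line and return the reply to send back."""
        line = line.strip()
        self._record("command", line=line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "331 Password required for %s.\r\n" % arg
        if verb == "PASS":
            # The credential pair is the most useful thing an attacker leaks here.
            self._record("alert", reason="login attempt", user=self.user, password=arg)
            return "230 User %s logged in.\r\n" % (self.user or "anonymous")
        if verb == "QUIT":
            return "221 Goodbye.\r\n"
        # Everything else is refused: there is no filesystem behind this "service".
        return "502 Command not implemented.\r\n"

    def alerts(self):
        return [r for r in self.records if r["event"] == "alert"]


def handle_client(conn, addr, log_path=LOG_PATH):
    """Drive one TCP connection through the fake dialogue and persist its records."""
    session = FakeFtpSession("%s:%d" % addr[:2])
    reader = None
    try:
        conn.sendall(BANNER.encode())
        reader = conn.makefile("r", encoding="latin-1")
        for line in reader:
            conn.sendall(session.respond(line).encode())
            if line.strip().upper() == "QUIT":
                break
    except OSError:
        pass  # peer dropped the connection; keep whatever was recorded
    finally:
        if reader is not None:
            reader.close()
        conn.close()
        with open(log_path, "a", encoding="utf-8") as fh:
            for rec in session.records:
                fh.write(json.dumps(rec) + "\n")
    return session


def serve(host="0.0.0.0", port=LISTEN_PORT):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle_client, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The dialogue logic is kept in a class with no network code so that it can be exercised offline; whatever the peer sends, the only outcome is a record on disk, which is the whole point of a pseudo-system: the "vulnerability" lives in the script, not in the host.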
4. Using Your Honeypot
Since a honeypot is not simple to run, an administrator naturally will not build one and leave it sitting idle. So how is a honeypot used?
4.1. Confuse Intruders and Protect the Server
In the usual client/server model, the visitor connects directly to the website server; in other words, the whole server is exposed to intruders, and if its security measures are inadequate, the data of the entire site can easily be destroyed. If a honeypot is embedded in the client/server model, with the honeypot playing the server role and the real website server placed on an internal network reached through port mapping on the honeypot, the site's safety factor improves. Even if intruders penetrate the external "server", they obtain nothing of value, because what they have broken into is the honeypot. Intruders can still use the honeypot as a jumping-off point into the internal network, but that is far more complicated than attacking an exposed server directly, and many low-skilled intruders give up. The honeypot may be damaged, but do not forget that being damaged is its role.
In this use, the honeypot can no longer be designed carelessly. Since it has become the protection layer for the internal servers, it must be solid enough; otherwise the whole site is given away.
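As an added example (not code from the article) of the arrangement in 4.1, the script below is a decoy front end: the honeypot host owns the public address, relays only requests that belong to the real site to the internal web server, and answers everything else itself from a decoy page while logging it. The internal address 10.0.0.5:80, the list of public paths, the listening port and the log format are assumptions for the example. The routing decision is a pure function so it can be tested without a network; the relay loop at the bottom is deliberately minimal.

```python
"""Decoy front end for the client/server model of section 4.1.

Added example, not code from the article. Requests inside the real site's
public tree are relayed to the internal server; anything else (non-public
paths, traversal attempts, unexpected methods) is trapped on the honeypot.
Internal address, public paths, port and decoy are assumptions.
"""
import json
import posixpath
import socket
import urllib.parse

INTERNAL_SERVER = ("10.0.0.5", 80)   # assumed: the real server, reachable only from the honeypot
PUBLIC_PREFIXES = ("/", "/index.html", "/news/", "/images/")  # assumed public tree of the site
ALLOWED_METHODS = ("GET", "HEAD")
DECOY_BODY = b"<html><body><h1>Admin console</h1><p>Welcome back.</p></body></html>"  # constructed bait


def normalise(path):
    """Decode and collapse a request path so that encoded traversal such as
    /news/..%252f..%252fetc/passwd is checked against the allowlist in its real form."""
    path = path.split("?", 1)[0]
    for _ in range(3):                  # peel repeated URL-encoding layers
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    trailing = path.endswith("/")
    norm = posixpath.normpath(path)     # resolves "." and ".." segments, never above "/"
    if not norm.startswith("/"):
        norm = "/" + norm
    if trailing and norm != "/":
        norm += "/"
    return norm


def is_public(norm_path):
    for prefix in PUBLIC_PREFIXES:
        if prefix.endswith("/") and prefix != "/":
            if norm_path.startswith(prefix):
                return True
        elif norm_path == prefix:
            return True
    return False


def route(request_line, peer):
    """Decide for one HTTP request line. Returns (decision, record), where decision is
    ("forward", host, port) or ("trap", reason) and record is what the honeypot logs."""
    parts = request_line.strip().split()
    norm = None
    if len(parts) < 2:
        decision, reason = "trap", "malformed request line"
    else:
        method, raw = parts[0].upper(), parts[1]
        norm = normalise(raw)
        if method not in ALLOWED_METHODS:
            decision, reason = "trap", "method %s not public" % method
        elif not is_public(norm):
            decision, reason = "trap", "path outside public tree"
            if norm != raw.split("?", 1)[0]:
                reason = "path rewritten to %s, outside public tree" % norm
        else:
            decision, reason = "forward", None
    record = {"peer": peer, "request": request_line.strip(), "path": norm,
              "decision": decision, "reason": reason}
    if decision == "forward":
        return ("forward",) + INTERNAL_SERVER, record
    return ("trap", reason), record


def serve_front(port=8080):
    """Minimal relay: read one request, route it, then proxy the raw bytes to the
    internal server or answer with the decoy. Single-threaded, one recv, for brevity."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(5)
    while True:
        conn, addr = srv.accept()
        with conn:
            request = conn.recv(65536)
            first_line = request.split(b"\r\n", 1)[0].decode("latin-1", "replace")
            decision, record = route(first_line, "%s:%d" % addr[:2])
            print(json.dumps(record))   # stand-in for the honeypot's log writer
            if decision[0] == "forward":
                with socket.create_connection(decision[1:]) as upstream:
                    upstream.sendall(request)
                    while True:
                        chunk = upstream.recv(65536)
                        if not chunk:
                            break
                        conn.sendall(chunk)
            else:
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n" + DECOY_BODY)


if __name__ == "__main__":
    serve_front()
```

The allowlist is applied to the decoded and collapsed path, not the raw one, because an attacker who can reach the internal server through /news/../ has defeated the whole purpose of the front layer; this is the sense in which the honeypot "must be solid enough" once it protects something.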
4.2. Defend Against Intruders and Reinforce the Server
Intrusion and defence have always been a hot topic, and inserting a honeypot between them makes defence interesting. This honeypot is configured identically to the internal network server; by the time an intruder has broken into the honeypot, the administrator has collected enough attack data to reinforce the real server.
When deploying a honeypot under this policy, the administrator must work together with monitoring. Otherwise, by the time the intruder has broken the first machine, the second is already under attack...
4.3. Trapping Cyber Criminals
This is an interesting application. If the administrator finds that an ordinary client/server website server has been compromised and turned into a zombie