【Information Security】-Honeypot

In many cases, the most powerful tool available to security personnel is to know themselves and know their adversary. To protect networks and information systems well, security personnel need to know who the opponent is, what type of attack is being carried out, what attack tools and techniques the opponent uses, how effective a given technique is, and what impact it will have on the network. This kind of information is usually disseminated through white papers, conferences, newsgroups and even word of mouth. In some cases, the developers of attack tools themselves provide a lot of information to help people improve system security. This type of information can also be obtained through inspection and forensic analysis, often after a major incident has already damaged an information system. One of the most effective ways to collect it is first-hand: watch attackers as they probe the network, find targets and attempt to break in. To do this without exposing critical information systems, security researchers often use "honeypot" technology.

A honeypot (or honeynet) is sometimes called a digital sandbox. Essentially, a honeypot is an artificial environment that attackers are allowed to enter so that they can be observed without harm to the real systems. A good honeypot looks like a real network, with application servers, user systems, network traffic and so on, but usually only one or a few systems run specific software that simulates most of the target network's users and network traffic.

A honeypot actually consists only of a software system that responds to probing, scanning and attacks, but it gives the attacker the impression of a complete network. When attackers connect to a honeypot, they are presented with a "virtual" network including servers, PCs and various applications. In most cases, the honeypot appears to be running a system or application with known vulnerabilities, which gives the attacker a tempting, hard-to-resist target.

Each time an attacker is lured into probing and attacking the virtual network, the honeypot records all activity for later analysis: what the attacker does, which systems and applications they pay attention to, what tools they run, how long they stay, and so on. All of this information is collected and analyzed so that security personnel can better understand the threats facing their systems and take protective measures. There are many honeypot systems in use, ranging from wireless networks to denial-of-service attacks. Most are operated and maintained by research institutions, governments and law enforcement agencies. However, no commercial organization currently runs a honeypot system, because managing and maintaining one takes a lot of time and effort, and the cost of classifying and analyzing the traffic a honeypot collects is higher still. Apart from companies that develop security tools, most companies focus only on defending against attackers. As long as attackers can be blocked without affecting business operations, some companies do not even recognize the importance of monitoring them.
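The behaviour described above (a piece of software that answers like a real service and records every session for later analysis) can be shown with a small low-interaction decoy. This is an added example, not code from the original post; the FTP-style banner and reply, the loopback address and all function names are assumptions chosen for illustration.

```python
import socket
import socketserver
import threading
import time

BANNER = b"220 files01 FTP server ready.\r\n"  # constructed decoy banner
SESSIONS = []              # one record per connection, kept for later analysis
_LOCK = threading.Lock()

class DecoyHandler(socketserver.BaseRequestHandler):
    # Greets like a real service, executes nothing, records everything it is sent.
    def handle(self):
        started = time.monotonic()
        lines = []
        self.request.settimeout(5.0)        # idle limit per session
        self.request.sendall(BANNER)
        try:
            while len(lines) < 50:           # cap how much one session can send
                data = self.request.recv(1024)
                if not data:                 # peer closed the connection
                    break
                lines.append(data.decode("latin-1").strip())
                self.request.sendall(b"530 Login incorrect.\r\n")
        except OSError:                      # timeout or reset ends the session
            pass
        # What was attempted, against which service, and how long the visit lasted
        record = {"peer": self.client_address[0], "input": lines,
                  "service_port": self.server.server_address[1],
                  "seconds": round(time.monotonic() - started, 3)}
        with _LOCK:
            SESSIONS.append(record)

def start_decoy(host="127.0.0.1", port=0):
    # Run the decoy in a background thread; port 0 lets the OS pick a free port.
    server = socketserver.ThreadingTCPServer((host, port), DecoyHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(server, payload):
    # Constructed local client for the demo: read banner, send one line, read reply.
    with socket.create_connection(server.server_address, timeout=5) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        reply = s.recv(1024)
    return banner, reply
```

Each entry in `SESSIONS` is written only after the connection ends, so the recorded duration covers the whole visit; a real deployment would write these records to storage the decoy host itself cannot alter.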

Origin blog.csdn.net/qq_39328436/article/details/115085028