Honeypot technology introduction and practical reference

A honeypot is a deception technology aimed at attackers and used to monitor, detect, analyze and trace attack behaviour. It serves no business purpose, so any traffic flowing into or out of a honeypot indicates scanning or attack activity; that is what lets a honeypot concentrate on attack traffic with far less noise than a sensor on a production system.
Honeypots actively lure attackers, record their actions in detail, and collect valuable material such as malware and worm samples and the commands the intruder typed, which provides rich data for tracing an attack back to its source.
Honeypots also carry a security risk of their own: if they are not properly isolated, a compromised honeypot can become a new launch point for attacks against other systems.

Classified by purpose, honeypots fall into research honeypots and product honeypots. Research honeypots are used to study network threats of all kinds and work out how to counter them; they do not directly raise the security of a specific organization. Product honeypots are mostly commercial products deployed for protection.
Classified by interaction level, honeypots fall into low-interaction and high-interaction honeypots. A low-interaction honeypot simulates the responses of a network service and its exchange with the attacker; it is easy to deploy and keeps the attack under tight control, but its simulation is shallow and it captures relatively little of what the attacker does. A high-interaction honeypot is built on a real system running real services, so it captures far more of the attacker's behaviour, at the cost of harder deployment and the isolation risk noted above.

Honeypots rely mainly on camouflage, chiefly process hiding, service camouflage and related techniques.
Concealment between honeypots: honeypots deployed together must hide from one another, so that identifying one does not expose the rest. Process hiding: the honeypot must hide its monitoring, data-collection and similar processes from the attacker. Service and command camouflage: some services must be disguised so that the attacker cannot obtain sensitive information or break in and take control of the kernel. Data file camouflage: the files on the honeypot must contain plausible but false data.

Attackers, for their part, try to identify honeypots. Low-interaction honeypots are relatively easy to spot: performing more complex or rarely used operations that the emulation does not handle quickly gives it away. High-interaction honeypots are harder to identify because they are usually built on real systems and therefore behave very much like them; in that case identification relies on clues such as the virtual file system and registry, memory allocation characteristics, hardware characteristics, special instructions, and similar artifacts of the virtualization or monitoring layer. The trade-off for the defender follows directly: the more of those artifacts a honeypot hides, the closer it is to a real, exploitable host, and the more its isolation matters.
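To make the two points above concrete, the canned responses of a low-interaction honeypot and the "rare operation" probe an attacker uses to expose one, here is an added example in Python; it is not code from the original article. The FTP-style banner and reply strings, the list of rare commands, the event-log format and the "one identical reply means emulation" verdict are illustrative assumptions chosen for this example.

```python
"""Low-interaction honeypot (canned FTP-style responder) plus a probe that
fingerprints it by exercising rare commands.  Added example: the banner,
reply strings, rare-command list and verdict rule are illustrative
assumptions, not taken from the original article."""
import json
import socket
import socketserver
import threading
import time

# The handful of commands the emulation bothers to handle.  Everything else
# gets one fallback reply, which is exactly what a fingerprinting probe hunts for.
BANNER = b"220 FTP server ready.\r\n"
CANNED = {
    "USER": b"331 Password required.\r\n",
    "PASS": b"530 Login incorrect.\r\n",
    "QUIT": b"221 Goodbye.\r\n",
}
FALLBACK = b"500 Unknown command.\r\n"

EVENTS = []                    # nothing legitimate talks to a honeypot, so log every line
_EVENTS_LOCK = threading.Lock()


def emulate(line: bytes) -> bytes:
    """The entire 'service': map one client line to its canned reply."""
    verb = line.strip().split(b" ", 1)[0].upper().decode("ascii", "replace")
    return CANNED.get(verb, FALLBACK)


def record(src: str, line: bytes, reply: bytes) -> dict:
    """Append one interaction to the event log and return it."""
    event = {
        "ts": time.time(),
        "src": src,
        "request": line.decode("ascii", "replace").rstrip(),
        "response": reply.decode("ascii").rstrip(),
    }
    with _EVENTS_LOCK:
        EVENTS.append(event)
    return event


class HoneypotHandler(socketserver.StreamRequestHandler):
    def handle(self):
        src = "%s:%d" % self.client_address[:2]
        self.wfile.write(BANNER)
        for line in self.rfile:            # one request line at a time until the client hangs up
            reply = emulate(line)
            record(src, line, reply)       # logged before the reply is sent
            self.wfile.write(reply)
            if reply.startswith(b"221"):
                break


class ThreadedServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_honeypot(host="127.0.0.1", port=0):
    """Run the honeypot in a background thread; returns (server, bound port)."""
    server = ThreadedServer((host, port), HoneypotHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


# Commands a real FTP daemon answers distinctly but a shallow emulation usually does not.
RARE_COMMANDS = [b"SYST", b"FEAT", b"OPTS UTF8 ON", b"STAT", b"NOOP"]


def fingerprint(host: str, port: int, timeout: float = 3.0) -> dict:
    """Attempt a normal login, then issue rare commands.  A service that gives
    one identical reply to all of them is almost certainly a canned emulation."""
    replies = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb")
        f.readline()                                   # swallow the banner
        for cmd in [b"USER anonymous", b"PASS probe@example.com"] + RARE_COMMANDS:
            f.write(cmd + b"\r\n")
            f.flush()
            replies[cmd.decode()] = f.readline().decode("ascii", "replace").rstrip()
        f.write(b"QUIT\r\n")
        f.flush()
    distinct = len({replies[c.decode()] for c in RARE_COMMANDS})
    return {
        "replies": replies,
        "distinct_rare_replies": distinct,
        "likely_honeypot": distinct == 1,   # a real server would vary its answers
    }


if __name__ == "__main__":
    server, port = start_honeypot()
    print(json.dumps(fingerprint("127.0.0.1", port), indent=2))
    print(json.dumps(EVENTS[:3], indent=2))
    server.shutdown()
    server.server_close()
```

Running the script starts the emulation on a random loopback port, probes it, and prints the verdict together with the first logged events. The honeypot side shows why low-interaction sensors are cheap and safe (there is nothing real to exploit, and every line is recorded); the probe side shows why they are easy to unmask, since five rare commands that all draw the same fallback reply is behaviour no real server exhibits. Making the emulation answer SYST, FEAT and friends convincingly is precisely the work that pushes a honeypot toward the high-interaction end, with the isolation concerns that brings.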

Source: blog.csdn.net/luozhonghua2014/article/details/131720625