LESSON 7 ATTACK ANALYSIS part V

7.3 Honeypots and Honeynets
People who like to watch monkeys go to the zoo, because there might be monkeys there.
People who like to watch birds put out bird feeders, and the birds come to them. People who
like to watch fish build aquariums, and bring the fish to themselves. But what do you do if you
want to watch hackers?
You put out a honeypot.
Think about it this way – you're a bear. You may not know much (being a bear) but you do
know that honey is tasty, and there is nothing better on a warm summer day than a big
handful of honey. So you see a big pot full of honey sitting out in the center of a clearing, and
you're thinking, 'Yum!' But once you stick your paw in the honey pot, you risk getting stuck. If
nothing else, you're going to leave big, sticky paw prints everywhere, and everyone is going
to know that someone has been in the honey, and there's a good chance that anyone who
follows the big, sticky paw prints is going to discover that it's you. More than one bear has
been trapped because of his affection for tasty honey.
A honeypot is a computer system, network, or virtual machine that serves no other purpose
than to lure in hackers. In a honeypot, there are no authorized users – no real data is stored in
the system, no real work is performed on it – so, every access, every attempt to use it, can be
identified as unauthorized. Instead of sifting through logs to identify intrusions, the system
administrator knows that every access is an intrusion, so a large part of the work is already
done.

7.3 Honeypots

People who like to watch monkeys go to the zoo, because the zoo may have monkeys; people who like to watch birds go to people who keep birds. People who want to watch fish buy a fish tank and keep fish themselves. But what do you do if you want to watch hackers?

You use a honeypot.

Think of it this way: you are a bear. You may not know much (for a bear), but you certainly know that honey is sweet, and on a warm summer day there is nothing better than a big handful of honey. You find a full pot of honey in a clearing and think, 'Great!', but the moment you reach your paw into the honey pot, you may get caught. If nothing else, you will leave footprints everywhere, and anyone can find you by following those footprints. More than one bear has been caught for coveting honey.

A honeypot is a network system that lures hackers. In a honeypot there are no legitimate users: no real data is stored on the system and no real programs run on it, so any attempt to break into it can be treated as illegitimate. There is no need to identify intrusions by going through logs; the system's administrator knows that every login is an intrusion, so most of the work is already done.


7.3.1 Types of Honeypots
There are two types of honeypots: production and research.
Production honeypots are used primarily as warning systems. A production honeypot identifies
an intrusion and generates an alarm. It can show you that an intruder has identified the
system or network as an object of interest, but not much else. For example, if you wanted to
know if bears lived near your clearing, you might set out ten tiny pots of honey. If you
checked them in the morning and found one or more of them empty, then you would know
that bears had been in the vicinity, but you wouldn't know anything else about the bears.
Research honeypots are used to collect information about hackers' activities. A research
honeypot lures in hackers, then keeps them occupied while it quietly records their actions. For
example, if – instead of simply documenting their presence – you wanted to study the bears,
then you might set out one big, tasty, sticky pot of honey in the middle of your clearing, but
then you would surround that pot with movie cameras, still cameras, tape recorders and
research assistants with clipboards and pith helmets.
The two types of honeypots differ primarily in their complexity. You can more easily set up and
maintain a production honeypot because of its simplicity and the limited amount of
information that you hope to collect. In a production honeypot, you just want to know that
you've been hit; you don't care so much whether the hackers stay around. However, in a
research honeypot, you want the hackers to stay, so that you can see what they are doing.
This makes setting up and maintaining a research honeypot more difficult, because you must
make the system look like a real, working system that offers files or services that the hackers
find interesting. A bear who knows what a honeypot looks like might spend a minute looking
at an empty pot, but only a pot full of tasty honey is going to keep the bear hanging
around long enough for you to study it.
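A production honeypot in its simplest form is just a listener with no legitimate users, so every connection it receives is an alarm. The following added example (not code from the lesson) implements that idea in Python: it listens on a loopback port, records who connected and the first bytes they sent, and run_demo() plays a constructed probe against it to show the resulting alert. Class and function names are hypothetical.

```python
import socket
import threading
import time
from dataclasses import dataclass, field


@dataclass
class Alert:
    when: float          # time the connection arrived
    peer: str            # source address of the connection
    port: int            # source port of the connection
    first_bytes: bytes   # what the visitor sent first (e.g. a banner or request)


@dataclass
class ProductionHoneypot:
    """A 'production' honeypot: nothing legitimate ever connects here,
    so every accepted connection is recorded as an Alert."""
    host: str = "127.0.0.1"
    port: int = 0        # 0 lets the OS pick a free port (handy for testing)
    alerts: list = field(default_factory=list)
    _sock: socket.socket = None

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (peer, pport) = self._sock.accept()
            except OSError:
                return       # listener closed by stop()
            with conn:
                conn.settimeout(1.0)
                try:
                    data = conn.recv(256)   # capture the opening bytes only
                except (socket.timeout, OSError):
                    data = b""
                self.alerts.append(Alert(time.time(), peer, pport, data))

    def wait_for_alerts(self, n, timeout=2.0):
        deadline = time.time() + timeout
        while len(self.alerts) < n and time.time() < deadline:
            time.sleep(0.01)
        return len(self.alerts) >= n

    def stop(self):
        self._sock.close()


def run_demo():
    """Start a honeypot, send it one constructed probe, return its alerts."""
    hp = ProductionHoneypot()
    hp.start()
    with socket.create_connection(("127.0.0.1", hp.port)) as c:
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")   # constructed unsolicited request
    hp.wait_for_alerts(1)
    hp.stop()
    return hp.alerts
```

Every entry in hp.alerts is an intrusion attempt by definition; a research honeypot would keep the connection open and emulate a service instead of closing it after the first bytes.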

7.3.1 Types of Honeypots

There are two kinds of honeypots: production and research.

Production honeypots serve mainly as warning systems. A production honeypot identifies an intrusion and raises an alarm. It warns you that an intruder has targeted this system or network, but provides no further information. For example, if you want to know whether a bear is nearby, you would set out ten small pots of honey. If you check them the next morning and find that several pots are empty, you know that a bear has been near you, but you know nothing else about the bears.

Research honeypots are used to collect information about hackers' activities. A research honeypot lures hackers in and then quietly records their behaviour. For example, if, beyond recording their presence, you want to study the bears, you would put a big pot of tasty honey in the middle of the clearing, and then next to the pot you would set up a camera, a sound recorder and so on, covering them with clipboards or sun hats.

The two kinds of honeypots differ mainly in their complexity. A production honeypot is easy to set up and maintain because it is simple and limits the information you can collect. A production honeypot can only tell you that you have been attacked; you will not know whether the hackers are still around. With a research honeypot, however, you want the hackers to keep going, so that you can see what they are doing. This makes setting up and maintaining a research honeypot harder, because you must make your system look like a real one, offering file downloads and services that interest hackers. If a bear knows what a honeypot looks like, it will spend only a moment looking at an empty pot, but if the pot is full of honey, the bear will stay beside it much longer, giving you enough time to study it.
