8.12. Honeypot technology

8.12.1. Introduction

A honeypot is a deception technology used to monitor, detect, analyze and trace attacker behavior. It has no business purpose, so all traffic flowing into or out of a honeypot indicates scanning or attack behavior, which makes it easier to focus on attack traffic.

Honeypots can actively trap attackers, record the attacker's actions in detail, and collect a large amount of valuable data, such as the source code of viruses or worms and the attacker's operations, which provides rich data for attribution. In addition, a honeypot can consume the attacker's time and build a profile of the attacker using JSONP and similar methods.
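As an added example (not part of the original notes) of how the data collected by a honeypot is turned into attribution material: because the honeypot serves no legitimate traffic, every logged event is an attack indicator, and the useful work is grouping those events per source into a profile. The log format, the sample lines and the behaviour tags below are constructed for this illustration.

```python
"""Turn honeypot event logs into per-source attacker profiles.

Added example, not from the original notes. The log format is constructed
for this illustration: "<timestamp> <src_ip> <dst_port> <event> [detail]".
Because a honeypot serves no legitimate traffic, every line is an attack
indicator; the job here is to organize it for attribution and analysis.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample lines (documentation-range IPs, not real sources).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 22 connect
2024-05-01T10:00:02Z 203.0.113.7 22 login root:123456
2024-05-01T10:00:03Z 203.0.113.7 22 login admin:admin
2024-05-01T10:00:09Z 203.0.113.7 80 connect
2024-05-01T10:00:09Z 203.0.113.7 80 request GET /.env
2024-05-01T10:05:00Z 198.51.100.9 3306 connect
2024-05-01T10:05:01Z 198.51.100.9 3306 login root:
"""


@dataclass
class AttackerProfile:
    source: str
    first_seen: datetime
    last_seen: datetime
    ports: set = field(default_factory=set)
    usernames: list = field(default_factory=list)
    paths: list = field(default_factory=list)
    events: int = 0

    def tags(self) -> list:
        """Coarse behaviour labels derived from what was observed (constructed)."""
        t = []
        if len(self.usernames) >= 2:
            t.append("credential-guessing")
        if self.paths:
            t.append("web-probing")
        if len(self.ports) >= 2:
            t.append("multi-service")
        return t


def parse_line(line: str):
    """Split one constructed log line into its typed fields."""
    ts, src, port, event, *rest = line.split(" ", 4)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, int(port), event, (rest[0] if rest else "")


def build_profiles(log_text: str) -> dict:
    """Aggregate all events per source address into an AttackerProfile."""
    profiles = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, src, port, event, detail = parse_line(raw)
        p = profiles.get(src)
        if p is None:
            p = profiles[src] = AttackerProfile(src, when, when)
        p.first_seen = min(p.first_seen, when)
        p.last_seen = max(p.last_seen, when)
        p.ports.add(port)
        p.events += 1
        if event == "login":
            # Keep the username tried; the password is only evidence, not identity.
            p.usernames.append(detail.split(":", 1)[0])
        elif event == "request":
            p.paths.append(detail.split(" ", 1)[-1])
    return profiles


if __name__ == "__main__":
    for src, prof in build_profiles(SAMPLE_LOG).items():
        dwell = (prof.last_seen - prof.first_seen).total_seconds()
        print(f"{src}: {prof.events} events, ports {sorted(prof.ports)}, "
              f"dwell {dwell:.0f}s, tags {prof.tags()}")
```

The profile keeps first/last seen and the set of ports touched, which is what later attribution and time-consumption analysis needs; the tags are deliberately coarse, since the raw events remain available for deeper review.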

However, honeypots also carry security risks: if they are not properly isolated, they may become new attack sources.

8.12.2. Classification

According to their purpose, honeypots can be divided into research honeypots and production honeypots. Research honeypots are generally used to study various network threats and find ways to deal with them, and do not directly improve the security of a specific organization. Production honeypots are mainly commercial products used for protection.

According to the interaction method, honeypots can be divided into low-interaction and high-interaction honeypots. Low-interaction honeypots simulate network service responses and interactions with the attacker; they are easy to deploy and keep attacks under control, but their simulation capability is relatively weak, so their ability to capture attacks is limited. High-interaction honeypots do not merely simulate protocols or services but provide real systems, which greatly reduces the probability of being detected. However, if a high-interaction honeypot is not deployed properly, it may be exploited by attackers.

8.12.3. Hidden techniques

Honeypots rely mainly on camouflage technology, including process hiding, service camouflage and similar techniques.

Concealment between honeypots requires that honeypots be hidden from each other. Process hiding requires a honeypot to hide its monitoring and data-collection processes. Pseudo-service and command technology requires disguising some services to prevent attackers from obtaining sensitive information or taking control of the kernel. Data file masquerading requires generating plausible fake data files.

8.12.4. Identification techniques

Attackers will also try to identify honeypots. Low-interaction honeypots are easier to identify: attempting more complex or rarely used operations exposes the limits of the emulation. High-interaction honeypots are harder to identify because they are usually built on real systems and therefore behave much like them; in that case identification usually relies on information from the virtual file system and registry, memory allocation characteristics, hardware characteristics, special instructions and so on.

8.12.4.1. Protocol Implementation Identification

In some honeypot implementations, certain protocol parameters are fixed or have only a limited range of randomness, so the honeypot can be identified by the range of those specific parameters.

The protocol versions supported by some honeypots fall within a specific range, and whether a system is a honeypot can be inferred from that version range.

Some honeypots perform interactions during the session to detect client characteristics, and a honeypot can be identified through these interaction patterns.

Some honeypots return normal responses to malformed requests, which can be used to identify them.

8.12.4.2. Environmental characteristics

Some honeypots have fixed user names and passwords, or dynamic characteristics such as memory usage and process occupancy that change in a relatively regular pattern. These characteristics can be used to determine whether a system is a honeypot.
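The identification characteristics described in 8.12.4.1 and 8.12.4.2 (fixed or low-entropy protocol parameters, normal responses to malformed requests, fixed values) are exactly what a honeypot operator should test for before deployment. The following added example, which is not part of the original notes, shows a self-check run against two constructed emulations of a simplified SMTP-style service: a naive one with the weaknesses the text lists, and a stricter one that behaves like a real MTA on the same probes. The reply codes are the standard SMTP ones; the service classes, the probe set and the one-step treatment of DATA are simplifications made for this illustration.

```python
"""Fidelity self-check for a low-interaction honeypot service emulation.

Added example, not from the original notes. Both emulation classes and the
probe set are constructed for illustration. DATA is treated as a one-step
submission (a real MTA first replies 354 and accepts the message body).
"""
import re
import secrets


class NaiveSmtpEmulation:
    """Weak emulation: constant queue id, accepts anything, ignores state."""

    def __init__(self):
        self.banner = "220 mail.example.test ESMTP"

    def respond(self, line: str) -> str:
        if line.upper().startswith("DATA"):
            return "250 OK: queued as 3F2A1B"   # constant value: identifiable
        return "250 OK"                        # even garbage gets a normal reply


class StrictSmtpEmulation:
    """Hardened emulation: random queue id, rejects malformed and
    out-of-sequence commands the way a real MTA would."""

    COMMAND = re.compile(r"^[A-Za-z]{4}(?: .*)?$")

    def __init__(self):
        self.banner = "220 mail.example.test ESMTP"
        self.helo = False
        self.sender = False

    def respond(self, line: str) -> str:
        if not line.isprintable() or not self.COMMAND.match(line):
            return "500 5.5.2 Error: bad syntax"
        verb = line[:4].upper()
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        if verb in ("HELO", "EHLO"):
            self.helo = True
            return "250 mail.example.test"
        if not self.helo:
            return "503 5.5.1 Error: send HELO/EHLO first"
        if verb == "MAIL":
            self.sender = True
            return "250 2.1.0 Ok"
        if verb == "DATA":
            if not self.sender:
                return "503 5.5.1 Error: need MAIL command"
            # Fresh random identifier per message, like a real queue id.
            return "250 2.0.0 Ok: queued as " + secrets.token_hex(5).upper()
        return "502 5.5.2 Error: command not recognized"


def fidelity_findings(factory) -> list:
    """Run identification probes against fresh emulation instances and
    report each characteristic that would give the honeypot away."""
    findings = []
    # 1. Malformed input should draw an error, not a normal reply (8.12.4.1).
    svc = factory()
    if not svc.respond("\x01\xff not-a-command").startswith("5"):
        findings.append("malformed request accepted")
    # 2. Out-of-sequence commands should be rejected (8.12.4.1).
    svc = factory()
    if not svc.respond("DATA").startswith("5"):
        findings.append("out-of-sequence DATA accepted")
    # 3. Per-message identifiers should vary between sessions (8.12.4.1/8.12.4.2).
    ids = set()
    for _ in range(5):
        svc = factory()
        svc.respond("EHLO probe")
        svc.respond("MAIL FROM:<a@probe.test>")
        ids.add(svc.respond("DATA").rsplit(" ", 1)[-1])
    if len(ids) < 5:
        findings.append("queue id is fixed or low-entropy")
    return findings


if __name__ == "__main__":
    for cls in (NaiveSmtpEmulation, StrictSmtpEmulation):
        print(cls.__name__, "->", fidelity_findings(cls) or "no findings")
```

Running the check on the naive emulation reports all three weaknesses, while the strict one passes; the same probe structure extends to the other characteristics in this section, such as supported version ranges or fixed credentials, by adding a probe per characteristic.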