LESSON 7 ATTACK ANALYSIS part V

7.3 Honeypots and Honeynets
People who like to watch monkeys go to the zoo, because there might be monkeys there.
People who like to watch birds put out bird feeders, and the birds come to them. People who
like to watch fish build aquariums, and bring the fish to themselves. But what do you do if you
want to watch hackers?
You put out a honeypot.
Think about it this way – you're a bear. You may not know much (being a bear) but you do
know that honey is tasty, and there is nothing better on a warm summer day than a big
handful of honey. So you see a big pot full of honey sitting out in the center of a clearing, and
you're thinking, "Yum!" But once you stick your paw in the honey pot, you risk getting stuck. If
nothing else, you're going to leave big, sticky paw prints everywhere, and everyone is going
to know that someone has been in the honey, and there's a good chance that anyone who
follows the big, sticky paw prints is going to discover that it's you. More than one bear has
been trapped because of his affection for tasty honey.
A honeypot is a computer system, network, or virtual machine that serves no other purpose
than to lure in hackers. In a honeypot, there are no authorized users – no real data is stored in
the system, no real work is performed on it – so, every access, every attempt to use it, can be
identified as unauthorized. Instead of sifting through logs to identify intrusions, the system
administrator knows that every access is an intrusion, so a large part of the work is already
done.

7.3 Honeypots

People who like to watch monkeys go to the zoo, because there may be monkeys at the zoo; people who like to watch birds go looking for people who keep birds. People who want to watch fish buy a fish tank and keep fish themselves. But what do you do if you want to watch hackers?

You use a honeypot.

Think of it this way: you're a bear. You may not know much (for a bear), but you certainly think honey is sweet, and on a warm summer day there is nothing better than a big handful of honey. You find a full pot of honey in a clearing and you think, "Great!", but as soon as you reach your paw into the honey pot, you may get caught. If nothing else, you will leave paw prints everywhere, and anyone can find you by following those prints. More than one bear has been caught for coveting honey.

A honeypot is a network system set up to lure hackers. In a honeypot there are no legitimate users: no real data is stored in the system and no real programs run on it, so any attempt to break into it can be treated as illegitimate. There is no need to identify intrusions from logs; the system's administrator knows that every login is an intrusion, so most of the work is already done.


7.3.1 Types of Honeypots
There are two types of honeypots: production and research.
Production honeypots are used primarily as warning systems. A production honeypot identifies
an intrusion and generates an alarm. They can show you that an intruder has identified the
system or network as an object of interest, but not much else. For example, if you wanted to
know if bears lived near your clearing, you might set out ten tiny pots of honey. If you
checked them in the morning and found one or more of them empty, then you would know
that bears had been in the vicinity, but you wouldn't know anything else about the bears.
Research honeypots are used to collect information about hackers' activities. A research
honeypot lures in hackers, then keeps them occupied while it quietly records their actions. For
example, if – instead of simply documenting their presence – you wanted to study the bears,
then you might set out one big, tasty, sticky pot of honey in the middle of your clearing, but
then you would surround that pot with movie cameras, still cameras, tape recorders and
research assistants with clipboards and pith helmets.
The two types of honeypots differ primarily in their complexity. You can more easily set up and
maintain a production honeypot because of its simplicity and the limited amount of
information that you hope to collect. In a production honeypot, you just want to know that
you've been hit; you don't care so much whether the hackers stay around. However, in a
research honeypot, you want the hackers to stay, so that you can see what they are doing.
This makes setting up and maintaining a research honeypot more difficult, because you must
make the system look like a real, working system that offers files or services that the hackers
find interesting. A bear who knows what a honeypot looks like might spend a minute looking
at an empty pot, but only a pot full of tasty honey is going to keep the bear hanging
around long enough for you to study it.

7.3.1 Types of Honeypots

There are two kinds of honeypots: production and research.

Production honeypots serve mainly as warning systems. A production honeypot identifies an intrusion and issues a warning. It warns you that an intruder has taken the system or network as a target, but provides no further information. For example, if you want to know whether there is a bear near you, you would put out ten small pots of honey. If you check the pots the next morning and find several of them empty, you know there are bears nearby, but you know nothing else about them.

Research honeypots are used to collect information on hacker activity. A research honeypot lures hackers and then quietly records their behaviour. For example, if, beyond recording their presence, you want to study the bears, you would put out a big pot of delicious honey in the middle of the clearing, then set a camera, an audio recorder and so on beside the pot, covering them with clipboards or sun hats.

The two kinds of honeypot differ mainly in complexity. A production honeypot is easy to install and maintain because it is simple and limits the information you can collect. A production honeypot can only tell you that you've been attacked; you won't know whether the hacker is still around. With a research honeypot, however, you want the hacker to continue, so that you can see what they are doing. This makes installing and maintaining a research honeypot harder, because you must make your system look like a real one, offering file downloads and services that interest the hacker. If a bear knows what a honey pot looks like, it will spend only a moment checking an empty pot, but if the pot is full of honey, the bear will stay by it much longer, giving you enough time to study it.
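As an added example (not code from the lesson or from the Hacker Highschool material), the following Python sketch shows the two ideas of sections 7.3 and 7.3.1 in working form: because a honeypot has no authorized users, every connection is logged as unauthorized without any filtering, and the same listener can run either as a cheap "production" alarm (accept, log, close) or as a "research" trap that offers a fake banner and records what the visitor sends. The `Honeypot` class, the SMTP-looking banner and the `simulated_touch` helper that exercises the listener over loopback are all constructed for this illustration.

```python
import json
import socket
import threading
from datetime import datetime, timezone


def alert_for(peer, honeypot_port, payload=b"", mode="production"):
    """Turn one touch of the honeypot into an alert record.

    Because a honeypot has no authorized users, no filtering is needed: every
    connection is reported as unauthorized. In research mode the first bytes the
    client sent are kept so an analyst can study what the visitor was doing.
    """
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "honeypot_port": honeypot_port,
        "verdict": "unauthorized",   # there is no such thing as a legitimate visit
    }
    if mode == "research":
        record["payload"] = payload.decode("utf-8", errors="replace")
    return record


class Honeypot:
    """Minimal TCP honeypot (hypothetical, for illustration only).

    mode="production": accept, log, close. Cheap; only tells you someone knocked.
    mode="research":   present a fake banner and keep the visitor talking long
                       enough to capture what it sends.
    """

    def __init__(self, host="127.0.0.1", port=0, mode="production",
                 banner=b"220 mail ready\r\n"):
        self.mode = mode
        self.banner = banner          # constructed bait: looks like an SMTP greeting
        self.records = []
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port 0 = let the OS pick a free one
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]

    def handle(self, conn, peer):
        payload = b""
        with conn:
            if self.mode == "research":
                conn.settimeout(2.0)
                try:
                    conn.sendall(self.banner)
                    payload = conn.recv(1024)
                except OSError:       # visitor hung up or timed out; still log the touch
                    pass
        self.records.append(alert_for(peer, self.port, payload, self.mode))
        print(json.dumps(self.records[-1]))   # one alert per line, easy to ship to a SIEM

    def serve(self, max_connections=None):
        """Accept connections until stop() is called or max_connections were handled."""
        handled = 0
        self._sock.settimeout(0.5)
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            self.handle(conn, peer)
            handled += 1
            if max_connections is not None and handled >= max_connections:
                break
        self._sock.close()

    def stop(self):
        self._stop.set()


def simulated_touch(mode, client_bytes=b""):
    """Constructed local exercise: run the honeypot on an ephemeral loopback port,
    connect to it once as a client, and return (banner seen, alert records)."""
    hp = Honeypot(mode=mode)
    t = threading.Thread(target=hp.serve, kwargs={"max_connections": 1}, daemon=True)
    t.start()
    banner = b""
    with socket.create_connection(("127.0.0.1", hp.port), timeout=5) as c:
        if mode == "research":
            banner = c.recv(64)       # the bait that keeps the visitor talking
            c.sendall(client_bytes)   # constructed client traffic
    t.join(10)
    return banner, hp.records


if __name__ == "__main__":
    simulated_touch("production")                              # alarm only
    simulated_touch("research", b"HELO scanner.example\r\n")   # alarm plus transcript
```

The production mode is the ten tiny pots: it answers the question "did anything touch this?" and nothing more. The research mode is the one big pot with cameras around it: the banner is the bait, and the captured bytes are what the analyst studies afterwards. In practice a research honeypot would need far more convincing services and strict network isolation so that the visitor cannot use it as a stepping stone, which is exactly the extra maintenance burden the lesson describes.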
