LESSON 7 ATTACK ANALYSIS part VI

7.3.2 Building a Honeypot
In the most basic sense, a honeypot is nothing more than a computer system which is set up
with the expectation that it will be compromised by intruders. Essentially, this means that if you
connect a computer with an insecure operating system to the Internet, then let it sit there,
waiting to be compromised, you have created a honeypot!
But this isn't a very useful honeypot. It's more like leaving your honey out in the clearing, then
going home to the city. When you come back, the honey will be gone, but you won't know
anything about who, how, when or why. You don't learn anything from your honeypot unless
you have some way of gathering information regarding it. To be useful, even the most basic
honeypot must have some type of intrusion detection system.
The intrusion detection system could be as simple as a firewall. Normally a firewall is used to
prevent unauthorized users from accessing a computer system, but it also logs everything
that passes through or is stopped. Reviewing the logs produced by the firewall can provide
basic information about attempts to access the honeypot.
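To show what "reviewing the firewall logs" looks like in practice, here is an added example (not part of the lesson or of any firewall product) that parses lines in the format the Linux iptables LOG target writes to syslog and summarises connection attempts per source address. The log prefix `HONEYPOT-IN` and the sample lines are constructed for illustration; the addresses are from documentation ranges.

```python
"""Summarise iptables LOG lines recorded by a honeypot's firewall.

Added example, not from the lesson text. Assumes the honeypot firewall logs
inbound connection attempts with the kernel LOG target and the prefix
'HONEYPOT-IN: ' (an assumed name). The sample lines are constructed.
"""
import re

# Constructed sample syslog lines in the iptables LOG target format.
# One unrelated sshd line is included to show that non-firewall lines are skipped.
SAMPLE_LOG = """\
Mar 12 03:14:07 honey kernel: HONEYPOT-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 03:14:09 honey kernel: HONEYPOT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=12346 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 03:14:11 honey kernel: HONEYPOT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=12347 DF PROTO=TCP SPT=51236 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 03:20:40 honey kernel: HONEYPOT-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=48 ID=777 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 03:21:02 honey kernel: HONEYPOT-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=78 TTL=48 ID=778 PROTO=UDP SPT=5353 DPT=161 LEN=58
Mar 12 03:21:05 honey sshd[812]: Accepted publickey for admin from 192.0.2.50 port 50022 ssh2
"""

# syslog timestamp, host, "kernel:", our log prefix, then the KEY=VALUE fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>[\w-]+): (?P<fields>.*)$"
)


def parse_line(line):
    """Return (timestamp, prefix, {field: value}) for a LOG line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, value)  # UDP lines carry LEN twice; keep the IP length
        else:
            fields[token] = True           # bare flags such as DF or SYN
    return m.group("ts"), m.group("prefix"), fields


def summarise(log_text, prefix="HONEYPOT-IN"):
    """Group logged attempts by source address.

    Returns {src: {"attempts": n, "ports": sorted distinct "PROTO/DPT" strings,
                   "first": timestamp, "last": timestamp}}.
    """
    report = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, pfx, f = parsed
        if pfx != prefix:
            continue
        entry = report.setdefault(
            f["SRC"], {"attempts": 0, "ports": set(), "first": ts, "last": ts}
        )
        entry["attempts"] += 1
        entry["ports"].add(f"{f.get('PROTO', '?')}/{f.get('DPT', '?')}")
        entry["last"] = ts
    for entry in report.values():
        entry["ports"] = sorted(entry["ports"])
    return report


def scanners(report, min_ports=3):
    """Sources that probed at least min_ports distinct ports: a crude port-scan indicator."""
    return sorted(src for src, e in report.items() if len(e["ports"]) >= min_ports)


if __name__ == "__main__":
    rep = summarise(SAMPLE_LOG)
    for src, e in rep.items():
        print(f"{src}: {e['attempts']} attempts on {', '.join(e['ports'])} "
              f"({e['first']} .. {e['last']})")
    print("possible scanners:", scanners(rep))
```

On a real honeypot the same function would be fed `/var/log/kern.log` (or the output of `journalctl -k`) instead of the embedded sample, and the per-source summary is usually the first thing reviewed: who came, when, and which services they went for.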
More complex honeypots might add hardware, such as switches, routers or hubs, to further
monitor or control network access. They may also use packet sniffers to gather additional
information about network traffic.
Research honeypots may also run programs that simulate normal use, making it appear that
the honeypot is actually being accessed by authorized users, and teasing potential intruders
with falsified emails, passwords and data. These types of programs can also be used to
disguise operating systems, making it appear, for example, that a Linux-based computer is
running Windows.

 

7.3.2 Building a Honeypot

A honeypot is nothing more than something set up on a computer to guard against intruders damaging it. Put simply, this means that if you connect a computer with an insecure operating system to the network and just leave it there, waiting to be broken into, then your computer is a honeypot.

But this is not a useful honeypot. It is more like leaving your honey out in a clearing and then going home to the city. When you come back you will find the honey gone, but you will not know who did it, when, or why. You learn nothing from this honeypot unless you gather information about it some other way. In practice, even the most basic honeypot has an intrusion detection system.

That intrusion detection system may be as simple as a firewall. Normally a firewall is used to keep unauthorized users away from a computer system, but it also records all activity in its logs. Looking back over these logs gives the most basic information about intrusions against the honeypot.

A somewhat more complex honeypot adds hardware, such as switches, routers or hubs, to control network activity more thoroughly. It may also collect information about network traffic with a packet sniffer.

A research honeypot may run programs that simulate a normal system, making it look as though it is being accessed, and luring potential intruders into stealing fake email addresses, passwords and data. Such programs can also be used to impersonate an operating system, so that a Linux computer appears to be running Windows.

 

But the thing about honey – it's sticky, and there's always a chance that your honeypot is
going to turn into a bees' nest. And when the bees come home, you don't want to be the one
with your hand stuck in the honey. An improperly configured honeypot can easily be turned
into a launching pad for additional attacks. If a hacker compromises your honeypot, then
promptly launches an assault on a large corporation or uses your honeypot to distribute a
flood of spam, there's a good chance that you will be identified as the one responsible.
Correctly configured honeypots control network traffic going into and out of the computer. A
simple production honeypot might allow incoming traffic through the firewall, but stop all
outgoing traffic. This is a simple, effective solution, but intruders will quickly realize that it is not
a real, working computer system. A slightly more complex honeypot might allow some
outgoing traffic, but not all.
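The two egress policies just described (everything in, nothing out; and everything in, only a little out) can be written down as a small policy model and rendered as an iptables ruleset. The following is an added example, not code from the lesson or from any honeypot project: the chain layout, the log prefixes and the choice of which outbound services the "partial" policy permits (DNS and HTTP) are assumptions made for illustration.

```python
"""Egress control for a honeypot: let intruders in, keep them from launching out.

Added example, not from the lesson. It models the two policies the text
describes and renders each as iptables-restore text. Log prefixes and the
set of outbound services allowed by the partial policy are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    direction: str   # "in" (toward the honeypot) or "out" (from the honeypot)
    proto: str       # "tcp" or "udp"
    dport: int       # destination port


# Policy 1: the simple production honeypot: everything in, nothing new goes out.
SIMPLE = {"name": "simple", "allowed_out": frozenset()}

# Policy 2: a slightly more complex honeypot that lets a little traffic out so it
# looks alive to an intruder. The allowed set here (DNS, HTTP) is a constructed choice.
PARTIAL = {"name": "partial",
           "allowed_out": frozenset({("udp", 53), ("tcp", 53), ("tcp", 80)})}


def decide(policy, conn):
    """Return 'ACCEPT' or 'LOG+DROP' for a NEW connection under the given policy."""
    if conn.direction == "in":
        return "ACCEPT"          # letting the intruder in is the point of the honeypot
    if (conn.proto, conn.dport) in policy["allowed_out"]:
        return "ACCEPT"
    return "LOG+DROP"            # outbound is where a honeypot becomes a launching pad


def render_iptables(policy):
    """Render the policy as iptables-restore text for the filter table."""
    lines = [
        "*filter",
        ":INPUT ACCEPT [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT DROP [0:0]",
        # replies to connections the intruder opened are allowed; only NEW outbound is policed
        "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A OUTPUT -o lo -j ACCEPT",
        # record every new inbound connection so the attempts can be reviewed later
        "-A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix \"HONEYPOT-IN: \" --log-level 4",
    ]
    for proto, port in sorted(policy["allowed_out"]):
        lines.append(
            f"-A OUTPUT -p {proto} --dport {port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    # anything else leaving the box is logged, then dropped by the chain policy
    lines.append("-A OUTPUT -j LOG --log-prefix \"HONEYPOT-OUT-DROP: \" --log-level 4")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # A compromised honeypot trying to send spam (tcp/25) is blocked under both policies.
    spam = Connection("out", "tcp", 25)
    for policy in (SIMPLE, PARTIAL):
        print(policy["name"], "outbound smtp:", decide(policy, spam))
    print(render_iptables(PARTIAL))
```

The rendered text is meant for `iptables-restore`; the `ESTABLISHED,RELATED` rule is what keeps the honeypot usable to the intruder (their own sessions get replies) while every new outbound connection, such as a spam run or an attack on a third party, is logged and dropped.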
Research honeypots – which want to keep the intruders interested as long as possible –
sometimes use manglers, which audit outgoing traffic and disarm potentially dangerous data
by modifying it so that it is ineffective.

 

But honey is sticky, and there is always the chance that your honeypot turns into a bees' nest. When the bees come home, you do not want to be the one with your hand in the honey jar. A badly configured honeypot can easily become a launching pad for attacks. If a hacker compromises your honeypot and promptly launches an attack through it, or uses your honeypot to send spam, you will very likely be the one held responsible. A properly configured honeypot controls the network traffic entering and leaving the computer. A simple production honeypot can allow data in through the firewall while allowing no data at all to leave the system. This is a simple, direct solution, but intruders will quickly discover that it is not a real working computer system. A slightly more complex honeypot can allow data out, but not all of it.

Research honeypots, which want to keep intruders interested for as long as possible, sometimes use manglers, which audit outgoing data and alter potentially dangerous data so that it loses its effect.

 

Exercises:
Honeypots can be useful tools for research and for spotting intruders, but using them to
capture and prosecute these intruders is another question. Different jurisdictions have different
definitions and standards, and judges and juries often have varying views, so there are many
questions that need to be considered. Do honeypots represent an attempt at entrapment? Is
recording a hacker's activities a form of wiretapping?
And on the specific question of honeypots – can it be illegal to compromise a system that was
designed to be compromised? These questions have yet to be thoroughly tested.

Discuss your opinions on the legalities of using honeypots for capturing hackers involved in
criminal activities. Do you think it would be a useful tool for law enforcement agencies? Is it
entrapment? Do you think it constitutes an 'attractive nuisance'? If a hacker compromises a
honeypot, who do you think is ultimately responsible?

Exercises:

Honeypots are useful tools for monitoring intruders, but using them to catch and prosecute intruders is another question. Different jurisdictions have different definitions and standards, and judges and juries often hold different views, so there are many questions to consider. Does a honeypot amount to entrapment? Is monitoring a hacker's activity the crime of wiretapping?

The most pointed question about honeypots is this: is it illegal to attack a system that was designed to lure attacks? To date, none of these questions has been fully resolved.

Give your views on using honeypots to catch hackers engaged in illegal activity. Do you think they could be a useful tool for law enforcement agencies? Are they entrapment? Do you think they are an 'attractive nuisance'? If a hacker attacks a honeypot, who do you think should bear ultimate responsibility?

 

Further Reading
Netstat (network status)
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/enus/netstat.mspx
General Firewall Information:
http://www.howstuffworks.com/firewall.htm
http://www.interhack.net/pubs/fwfaq/
One of many free firewall programs:
http://www.agnitum.com/index.html
Firewalling for Linux:
http://www.iptables.org/
Packet Sniffing:
http://www.robertgraham.com/pubs/sniffing-faq.html
Snort and IDS (intrusion detection systems):
http://www.linuxsecurity.com/feature_stories/feature_story-49.html
http://www.snort.org/docs/lisapaper.txt
Honeypots:
http://www.honeypots.net/honeypots/links/

 
