Honeypot Background
|
¹ø¿ª : ÀÌ»óÀÎ, delpai at hotmail dot com
ÃÖ±Ù¿¡ Çã´ÏÆÌ¿¡ ´ëÇØ °øºÎÇÏ¸é¼ ¹ø¿ªÇغ¸¾Ò½À´Ï´Ù.
¹ø¿ªÀÌ ¸Å²ô·´Áö ¸øÇÑ ºÎºÐµµ ¸¹ÀÌÀÖÀ¸´Ï °íÄ¥ºÎºÐÀÖÀ¸¸é °íÃÄÁÖ¼¼¿ä ^^;
-- delpai 2004-07-09 16:43:58
Honeypot Background
Çã´ÏÆÌ ¹è°æ
A honeypot is as a closely monitored computing resource that we intend to be probed, attacked, or compromised. The value of a honeypot is determined by the information that we can obtain from it. Monitoring the data that enters and leaves a honeypot lets us gather information that is not available to NIDS. For example, we can log the key strokes of an interactive session even if encryption is used to protect the network traffic. To detect malicious behavior, NIDS require signatures of known attacks and often fail to detect compromises that were unknown at the time it was deployed. On the other hand, honeypots can detect vulnerabilities that are not yet understood.
Because a honeypot has no production value, any attempt to contact it is suspicious. Consequently, forensic analysis of data collected from honeypots is less likely to lead to false positives than data collected by NIDS.
Honeypots can run any operating system and any number of services. The configured services determine the vectors available to an adversary for compromising or probing the system.
A high-interaction honeypot simulates all aspects of an operating system.
A low-interaction honeypot simulates only some parts, for example the network stack. This is what Honeyd does.
Çã´ÏÆÌÀº Á¶»çÇÏ°í, °ø°ÝÇϰųª ħÇØÇϱâ À§ÇÑ ¸ð´ÏÅ͸µ ÄÄÇ»Æà ¸®¼Ò½ºÀÌ´Ù. Çã´ÏÆÌÀÇ °¡Ä¡´Â ±×°ÍÀ¸·ÎºÎÅÍ È¹µæÇÒ¼ö ÀÖ´Â Á¤º¸·Î Á¤ÇÑ´Ù. ¸ð´ÏÅ͸µÇÑ µ¥ÀÌÅ͸¦ ÀÔ·ÂÇÏ°í À¯È¿ÇÏÁö ¾ÊÀº IDS·Î Á¤º¸µéÀ» ¸ðÀ¸°Ô ÇÑ´Ù. ¿¹¸¦ µé¾î, ¿ì¸®´Â ³×Æ®¿öÅ© Æ®·¡ÇÈÀ» º¸È£Çϱâ À§ÇØ ¿µÇâÀ» ¹ÌÄ¡´Â ¼¼¼ÇÀÇ Å°½ºÆ®·ÎÅ©¸¦ ·Î±×·Î ³²±æ¼ö ÀÖ´Ù. ³ª»Û ÇൿÀ» ã¾Æ³»±â À§ÇØ, NIDS´Â ¾Ë·ÁÁø °ø°ÝÀÇ ½ÅÈ£¸¦ ¿ä±¸ÇÑ´Ù. ÀÌ·± ¹èÄ¡´Â ¾Ë·ÁÁöÁö ¾ÊÀº ħÇش ã¾Æ³»Áö ¸øÇÑ´Ù. ÀÌ¿¡ ¹ÝÇؼ Çã´ÏÆÌÀº ¾Ë·ÁÁöÁö ¾ÊÀº Ãë¾àÁ¡À» ã¾Æ³¾ ¼ö ÀÖ´Ù.
¿Ö³ÄÇϸé Çã´ÏÆÌÀº »óÇ°Àû °¡Ä¡°¡ ¾Æ´Ñ Á¢±ÙÇÒ·Á´Â ¸ðµç ½Ãµµ¸¦ ÀǽÉÇϱ⠶§¹®ÀÌ´Ù. ´ç¿¬È÷ Çã´ÏÆÌÀ¸·ÎºÎÅÍ µ¥ÀÌÅ͸¦ ¼öÁýÇÏ´Â Æ÷·»½Ä ºÐ¼®Àº NIDS¿¡ ÀÇÇØ µ¥ÀÌÅ͸¦ ¼öÁýÇÏ´Â °Íº¸´Ù ½ÇÆа¡´É¼ºÀ» ÁÙÀÏ ¼ö ÀÖ´Ù.
(False Positive: Á¤»óÀûÀÎ traffic À» IDS°¡ attackÀÌ¶ó °£ÁÖÇÏ¿© alertÀ» ¹ß»ý½ÃÅ°´Â °ÍÀ» ³ªÅ¸³½´Ù)
Çã´ÏÆÌÀº ¾Æ¹« ¿î¿µÃ¼Á¦¿Í ¿©·¯°³ÀÇ ¼ºñ½º¿¡¼ ¿î¿µµÉ¼ö ÀÖ´Ù. ¼³Á¤µÈ ¼ºñ½º´Â ħÇØÇϰųª ½Ã½ºÅÛÀ» Á¶»çÇÏ´Â °ø°ÝÀÚÀÇ ¹æÇâÀ» Á¤ÇÑ´Ù.
³ôÀº »óÈ£ÀÛ¿ëÀ» ÇÏ´Â Çã´ÏÆÌÀº ¿î¿µÃ¼Á¦ÀÇ ¸ðµç ³»¿ëÀ» Èä³»³¾ ¼ö ÀÖ´Ù.
³·Àº »óÈ£ÀÛ¿ëÀ» ÇÏ´Â Çã´ÏÆÌÀº ³×Æ®¿öÅ© ½ºÅà °°Àº°ÍÀ» À§ÇØ ¸î °³ÀÇ ºÎºÐ¸¸ Èä³»³½´Ù. ÀÌ°ÍÀÌ HoneydÀÌ ÇÏ´ÂÀÏÀÌ´Ù.
High-Interaction Honeypots
A high-interaction honeypot can be compromised completely, allowing an adversary to gain full access to the system and use it to launch further network attacks.
High-Interaction Honeypots
³ôÀº »óÈ£ÀÛ¿ëÀ» ÇÏ´Â Çã´ÏÆÌÀº ¿Ïº®È÷ ½Ã½ºÅÛ¿¡ ¸ðµç Á¢±ÙÀ» ¾òÀº °ø°ÝÀÚ¸¦ Çã¶ôÇÏ°í, °Ô´Ù°¡ ³×Æ®¿öÅ© °ø°ÝÀ» °¡Çϴ ħÇØÇÒ¼ö ÀÖ´Ù.
Low-Interaction Honeypots
In contrast, low-interaction honeypots simulate only services that cannot be exploited to get complete access to the honeypot. Low-interaction honeypots are more limited, but they are useful to gather information at a higher level, e.g., learn about network probes or worm activity. They can also be used to analyze spammers or for active countermeasures against worms.
We also differentiate between physical and virtual honeypots.
Low-Interaction Honeypots
´ëÁ¶ÀûÀ¸·Î, ³·Àº »óÈ£ÀÛ¿ëÀ» ÇÏ´Â Çã´ÏÆÌÀº Çã´ÏÆÌ¿¡ ¸ðµç Á¢±ÙÀ» ¾òÀ»¼ö ÀÖÀ¸³ª ÀÌ¿ëÇÒ¼ö´Â ¾ø´Ù. ³·Àº »óÈ£ÀÛ¿ëÀ» ÇÏ´Â Çã´ÏÆÌÀº Á¦ÇÑÀûÀ̳ª ³ôÀº ·¹º§ÀÇ Á¤º¸¸¦ ¸ðÀ»¶§ À¯¿ëÇÏ´Ù. ¿¹¸¦µé¸é, ³×Æ®¿öÅ© Á¶»ç³ª ¿ú È°µ¿¿¡ ´ëÇØ ¹è¿î´Ù. ±×°ÍµéÀº ¶ÇÇÑ ½ºÆиӳª ¿úÀÇ È°µ¿À» ºÐ¼®ÇÒ ¼ö ÀÖ´Ù. ¶ÇÇÑ ¹°¸®ÀûÀÎ Çã´ÏÆÌ°ú °¡»ó Çã´ÏÆÌÀ» ±¸ºÐÇÒ ¼ö ÀÖ´Ù.
A physical honeypot is a real machine on the network with its own IP address.
¹°¸®ÀûÀÎ Çã´ÏÆÌÀº ÀÚ½ÅÀÇ IP ÁÖ¼Ò·Î ³×Æ®¿öÅ©¿¡ ¿¬°áµÇ¾îÀÖ´Â ½ÇÁ¦ ½Ã½ºÅÛÀÌ´Ù.
A virtual honeypot is simulated by another machine that responds to network traffic sent to the virtual honeypot.
°¡»ó Çã´ÏÆÌÀº ³×Æ®¿öÅ© Æ®·¡ÇÈÀ» °¡»ó Çã´ÏÆÌÀ¸·Î º¸³»¾î ÀÀ´äÇÏ´Â °ÍÀ» ´Ù¸¥ ½Ã½ºÅÛ¿¡ Èä³»³¾ ¼ö ÀÖ´Ù.
When gathering information about network attacks or probes, the number of deployed honeypots influences the amount and accuracy of the collected data. A good example is measuring the activity of HTTP based worms. We can identify these worms only after they complete a TCP handshake and send their payload.
³×Æ®¿öÅ© °ø°ÝÀ̳ª Á¶»ç¿¡ ´ëÇÑ Á¤º¸¸¦ ¸ðÀ» ¶§ Çã´ÏÆÌÀÇ ¹èÄ¡¿Í ¸ðÀº µ¥ÀÌÅÍÀÇ Á¤È®µµ¿¡ ¿µÇâÀ» ¹ÌÄ£´Ù. ÁÁÀº ¿¹·Î HTTP ±â¹ÝÀÇ ¿úÀÇ È°µ¿ÀÇ ÃøÀûÀÌ ÀÖ´Ù. TCP handshake¸¦ ¸¶Ä¡°í payload º¸³½ ÈÄÀÇ ¿úÀ» È®ÀÎÇÒ ¼ö ÀÖ´Ù.
However, most of their connection requests will go unanswered because they contact randomly chosen IP addresses. A honeypot can capture the worm payload by configuring it to function as a web server. The more honeypots we deploy the more likely one of them is contacted by a worm.
±×·¯³ª ·£´ýÀ¸·Î ¼±ÅÃÇÑ IP ÁÖ¼Ò·Î Á¢±ÙÇϱ⠶§¹®¿¡ ÀÀ´äÇÏÁö ¾ÊÀº ¿¬°á¿ä±¸°¡ ´ëºÎºÐÀÌ´Ù. Çã´ÏÆÌÀº À¥¼¹öó·³ ±â´ÉÀ» ¼³Á¤ÇÏ¿© worm payload¸¦ ĸÃÄ ÇÒ ¼ö ÀÖ´Ù. ¸¹Àº Çã´ÏÆÌÀº ¿ú¿¡ ÀÇÇØ Á¢±ÙÇÏ°Ô ¹èÄ¡ÇÑ´Ù.
Physical versus Virtual Honeypots
¹°¸®ÀûÀÎ Çã´ÏÆÌ ´ë °¡»ó Çã´ÏÆÌ
Physical honeypots are often high-interaction, so allowing the system to be compromised completely, they are expensive to install and maintain. For large address spaces, it is impractical or impossible to deploy a physical honeypot for each IP address. In that case, we need to deploy virtual honeypots.
You can find more information on Honeypots in Lance Spitzner's paper.
¹°¸®ÀûÀÎ Çã´ÏÆÌÀº ¿Ïº®ÇÑ Ä§Çظ¦ Çã¶ôÇϱ⿡ Á¾Á¾ ³ôÀº »óÈ£ÀÛ¿ëÀ» ÇÑ´Ù. Å« ÁÖ¼Ò °ø°£À» À§ÇØ ½ÇÇàÇÒ ¼ö ¾ø°Å³ª °¢°¢ IP ÁÖ¼Ò ¸¦ À§ÇØ ¹°¸®ÀûÀÎ Çã´ÏÆÌÀ» ¹èÄ¡ÇÏ´Â°Ô ºÒ°¡´ÉÇÏ´Ù. ÀÌ¿Í°°Àº °æ¿ì ¿ì¸®´Â °¡»ó Çã´ÏÆÌÀ» ¹èÄ¡ÇÏ´Â°Ô ÇÊ¿äÇÏ´Ù. ´ç½ÅÀº Lance Spitzner's paper¿¡¼ Çã´ÏÆÌ¿¡ ´ëÇÑ ´õ ¸¹Àº Á¤º¸¸¦ ãÀ» ¼ö ÀÖ´Ù.
|
You will overcome the attacks of jealous associates.    
|
