In this thesis we propose a new honeypot architecture, A-R: Attack-Redirector, to address the limitations that honeypots have faced under basic operating conditions. Honeypots are generally used to collect information about attacks on the network, from which one learns the attackers' origin and, further, the methods they use and the software vulnerabilities and bugs they exploit. Recording this information contributes greatly to network security, and in recent years it has become the main method for detecting botnets and other malicious network organizations. This thesis discusses several common limitations of past honeypot systems: (1) how to attract attackers; (2) some computing resources must be set aside to act as the honeypot, which increases cost; (3) an infected machine may try to attack other computers, which creates trouble for network administrators and raises legal questions.

The current way of luring attackers is usually honeypot technology: computers that are not in use serve as bait, so that attackers believe they have broken into an important host, which reveals their techniques and their origin. However, honeypots have inherent limits, and in recent years the hacker community has developed countermeasures that can detect whether an attacked target is a honeypot. This thesis therefore places the detection mechanism on the servers attackers are most interested in, redirects the packets detected as malicious to the host responsible for analysis, and builds a blacklist on the server so that packets from that source IP are no longer processed there but are all redirected to the host that absorbs and analyzes the attack. In this way the server can build a list of IP addresses that may belong to attackers, and from the reaction of the analysis host it can learn what the attacker is trying to achieve, thereby achieving a self-protection mechanism.

In recent years, with the popularity of the Internet, people exchange information with each other faster and more conveniently. However, some malicious people try to steal important information over the Internet for personal benefit. Mostly, attackers use buffer overflow attacks to compromise other computers. This type of attack results from a program writing data into a buffer without boundary checking. This research focuses on the actions taken after a buffer overflow attack is discovered. It only requires modifying the Linux operating system kernel and does not change the original hardware or software. Nowadays, defenders use honeypot technology to attract attackers' attention. By using some unused computers as traps, attackers may believe they are compromising an important server, so we can obtain information about the attacks, such as the IP address or the attack method. But honeypots still have restrictions, and attackers have recently discovered ways to determine whether a target server is a honeypot system. For this reason, this research puts the detection mechanism in the servers that hold the sensitive information most attractive to attackers. We redirect the network packets identified as attack packets to another server, called the victim server, which is used to examine the packet content.
Eventually, we can construct a list of suspected attackers' IP addresses. Also, from the reaction of the victim server, we are able to understand the attackers' technique and purpose, and achieve a self-protection mechanism.
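The redirect-and-blacklist behaviour described above, modelled in user space as an added example; this is not the thesis's kernel code, and the oversized-field detector, the IP addresses and the traffic are all constructed stand-ins for the kernel-side check the thesis does not detail here.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

# Added example modelling the A-R decision path in user space; the thesis
# places its detector inside the Linux kernel, and this is not that code.

@dataclass
class Packet:
    src_ip: str
    payload: bytes

def oversized_field(pkt: Packet, limit: int = 64) -> bool:
    """Stand-in detector (assumption): flag a request containing a single
    field longer than the buffer the protected service would copy it into."""
    return any(len(tok) > limit for tok in pkt.payload.split())

@dataclass
class AttackRedirector:
    detector: Callable[[Packet], bool]
    blacklist: Set[str] = field(default_factory=set)
    log: List[Tuple[str, str]] = field(default_factory=list)

    def handle(self, pkt: Packet) -> str:
        """Return 'server' when the packet reaches the real service and
        'victim' when it is diverted to the analysis (victim) host."""
        if pkt.src_ip in self.blacklist or self.detector(pkt):
            # The first detection adds the source to the blacklist; every
            # later packet from that address is diverted without re-inspection.
            self.blacklist.add(pkt.src_ip)
            self.log.append((pkt.src_ip, "victim"))
            return "victim"
        self.log.append((pkt.src_ip, "server"))
        return "server"

def run_demo() -> Tuple[List[str], Set[str]]:
    """Constructed traffic: a normal client, one oversized request from a
    second address, then a normal-looking follow-up from that same address."""
    ar = AttackRedirector(detector=oversized_field)
    traffic = [
        Packet("10.0.0.5", b"GET /index.html"),
        Packet("192.0.2.7", b"USER " + b"A" * 300),  # exceeds the 64-byte field limit
        Packet("192.0.2.7", b"GET /index.html"),     # still diverted: source is blacklisted
        Packet("10.0.0.5", b"GET /about.html"),
    ]
    return [ar.handle(p) for p in traffic], ar.blacklist

if __name__ == "__main__":
    print(run_demo())
```

The third packet shows the property the thesis relies on: once a source is blacklisted, the real server stops handling it even when the later packets look benign.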