
Research And Design On Two Mechanisms About Honeypot

Posted on: 2010-05-08
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Xu
Full Text: PDF
GTID: 2178360278466607
Subject: Computer application technology
Abstract/Summary:
A honeypot is a network security technology whose main purpose is to lure attackers by disguising itself as a real system or service. It attracts attacks actively, which overcomes the static-defense limitation of a firewall; and because it serves only as bait and has no other purpose, all data transferred to or from the honeypot is suspicious, which addresses the high false-alarm rate and miss rate of intrusion detection systems. Honeypots have many merits that other security technologies cannot match, and their study has become a current research hot spot.

This paper proposes the Decoy Port System (DPS) to solve the problem that a honeypot collects and studies attack behaviour only against itself and not across the network. The system is installed on a non-honeypot host. It can receive alarm notifications from the Snort intrusion detection system, block the subsequent attack in response to the notification, and then redirect the attack to a honeypot; it can also disguise itself as a service port to attract attacks, redirect them to a honeypot, and give hackers the illusion that they have successfully compromised the non-honeypot host. DPS improves the redirection to avoid fingerprint identification and other issues. This paper also designs a Snort output plug-in that formats the intrusion data into the notification sent to DPS. Experimental results show that DPS can effectively and smoothly redirect attacks detected by Snort, or attracted by the decoy ports, to the honeypot.

This paper further proposes the idea of Dynamic Connection Redirection to solve the security and efficiency problems that the traditional Connection Restriction Method brings when it is used to keep hackers from reaching outside hosts after a honeypot has been compromised.
First, the drawbacks of the Connection Restriction Method are described; then the problems of redirecting between honeypots are discussed and solved; then the principle of DNAT redirection on a Linux system is elaborated with an example. Finally, the paper uses the Linux firewall based on netfilter/iptables to set the iptables rules: the firewall redirects outward attack flows to other honeypots according to the IP address and port in the packet header, which implements the idea. The experimental results show that the honeypots can effectively redirect attack flows to each other and prevent hackers from identifying the existence of the honeypot, which to some extent solves many of the problems the Connection Restriction Method causes.
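As an added example (not code from the thesis or its author), the following POSIX shell script builds the netfilter/iptables DNAT rules that implement both mechanisms summarised above: the DPS-side redirection of decoy-port and Snort-flagged traffic to a honeypot, and the dynamic redirection of outward flows from a compromised honeypot to another honeypot. All addresses, ports and the honeynet range are constructed placeholders, and the helper names are my own. By default the script only prints the commands it would run; set IPT=iptables to apply them on a gateway that sees the packets before routing.

```shell
#!/bin/sh
# Added example: iptables DNAT rules for the two redirection mechanisms.
# Not the thesis's own code. All addresses and ports are constructed placeholders.
# Default is a dry run that prints the commands; run with IPT=iptables to apply.

IPT=${IPT:-"echo iptables"}
PROTECTED_HOST=10.0.0.5      # constructed: non-honeypot host that DPS protects
HONEYPOT_A=10.0.0.10         # constructed: honeypot receiving redirected inbound attacks
HONEYPOT_B=10.0.0.11         # constructed: honeypot receiving redirected outward flows
HONEYNET=10.0.0.0/24         # constructed: the honeynet's own address range

# Mechanism 1a (decoy port): a connection to a decoy port on the protected
# host is DNATed to the same port on the honeypot. Keeping the port unchanged
# is what lets the attacker believe the protected host itself was compromised.
decoy_port_rule() {
    port=$1
    $IPT -t nat -A PREROUTING -d "$PROTECTED_HOST" -p tcp --dport "$port" \
        -j DNAT --to-destination "$HONEYPOT_A:$port"
}

# Mechanism 1b (Snort-triggered): once an alert names an attacker, every further
# packet from that source toward the protected host is sent to the honeypot.
# Inserting at the head of the chain (-I) makes the rule take effect before any
# static rule, so the protected host never sees the follow-up attack.
alert_redirect_rule() {
    attacker=$1
    $IPT -t nat -I PREROUTING -s "$attacker" -d "$PROTECTED_HOST" \
        -j DNAT --to-destination "$HONEYPOT_A"
}

# Mechanism 2 (dynamic connection redirection): an outward connection from a
# compromised honeypot to any address outside the honeynet is DNATed to another
# honeypot, matched on the destination port in the packet header. conntrack
# un-translates the reply path automatically, so the attacker sees a normal TCP
# handshake instead of the dropped connection a restriction rule would produce.
outward_redirect_rule() {
    src_honeypot=$1; dst_honeypot=$2; port=$3
    $IPT -t nat -A PREROUTING -s "$src_honeypot" ! -d "$HONEYNET" -p tcp --dport "$port" \
        -j DNAT --to-destination "$dst_honeypot:$port"
}

# nat-table rules only rewrite headers; the gateway must also forward packets.
enable_forwarding() {
    if [ "$IPT" = "iptables" ]; then
        sysctl -w net.ipv4.ip_forward=1
    else
        echo "sysctl -w net.ipv4.ip_forward=1"
    fi
}

# Example run with constructed values: one decoy port, one flagged attacker,
# and outward SSH from honeypot A steered to honeypot B.
enable_forwarding
decoy_port_rule 445
alert_redirect_rule 198.51.100.7
outward_redirect_rule "$HONEYPOT_A" "$HONEYPOT_B" 22
```

The rules assume they run on the machine that receives the packets before routing (the gateway in front of the protected host, or the DPS host itself with forwarding enabled); the PREROUTING chain is the only nat hook that can change the destination of traffic arriving from another host. Because the filter table runs after nat, a DROP rule written against the protected host's address would no longer match the redirected packets, which is why the redirect itself serves as the block.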
Keywords/Search Tags: honeypot, decoy port, dynamic connection, redirect