
Research On Key Technologies Of Honeypot System Facing Cisco Routers

Posted on: 2022-08-11 | Degree: Master | Type: Thesis
Country: China | Candidate: P Y Li | Full Text: PDF
GTID: 2518306521957639 | Subject: Computer technology

Abstract/Summary:
As Internet infrastructure, routers perform important tasks such as data forwarding and network addressing, and their security status has a significant impact on the network in which they are located. As the world's largest Internet equipment manufacturer, Cisco provides the most extensive services for the global backbone network. Although Cisco has been committed to improving the security level of its routers, the large number of Cisco router models and IOS versions has made security research difficult. Some IOS vulnerabilities and targeted attacks are found only when security incidents break out, causing substantial economic losses.

This work draws on the honeypot idea to actively discover attacks against Cisco routers and to perceive unknown threats in advance. Current honeypot research is mostly aimed at PC-side services, and routers are usually not taken seriously as part of the construction of honeynet scenarios. Some honeypot systems only virtualize the routing function and do not use high-interaction routers, which contributes nothing to router security research.

This thesis designs a high-interaction virtual honeypot based on hardware emulation. To make up for the limits of virtualization, a physical router is used as a supplementary honeypot. A method for constructing a Cisco router honeypot based on the combination of virtual and physical routers is proposed, and the conditions for capturing information and for attacks on the Cisco router honeypot are given. The main work of this thesis includes:

1. A Cisco IOS attack chain model is constructed, and the characteristics of each stage of a router attack are analyzed according to the attack model. The model intuitively reflects the attack targets at different stages, the technical methods used, and the effects and influence achieved. The attack model can guide router security protection and honeypot configuration strategy.

2. A method of constructing and deploying a Cisco router honeypot based on the combination of virtual and physical routers is proposed. Currently there are few research materials on router platform honeypots, and there is no honeypot specifically for routers in the field of high-interaction honeypots. The virtual router is generated by simulating the execution of the firmware, and together with the physical router it forms the hardware foundation of the high-interaction router honeypot. According to the characteristics of virtual and physical routers, corresponding honeypot router generation and control techniques are designed, which can obtain the original data of attack behavior.

3. A method to determine attack behavior against the Cisco router honeypot is proposed. The content of the router honeypot's information collection is clarified, and the methods and means of collecting that information are given. An attack judgment method is given for each source of information, and an attack behavior analysis process based on alarm information is proposed.

4. A method of ROP attack location analysis based on return address memory hash is proposed. Building on the command monitoring of the Cisco router virtual honeypot, and in view of the shortcomings of traditional ROP protection techniques when applied to protecting Cisco IOS, a method based on memory hash verification of the return address is proposed. It can effectively locate the attack location and intercept the key shellcode when the router is attacked by ROP.
Keywords/Search Tags: Router, Cisco Internetwork Operating System, Honeypot, Intrusion detection, Return-oriented Programming attack