分类: 网络与安全
2011-09-30 10:19:52
8: 作者提出的几种防御措施,我认为还是有必要总结一下:
A: Annihilating 消灭,歼灭
但是作者最后还专门提出了一种反击方法:
B:Monitoring 监控
作者写了很多利用honeypots的理想情况下的东东,之后指出:
A possible weakness point of the proposed botnet is its centralized monitoring sensor. If defenders have setup a good traffic logging system. It is possible that they could capture the traffic to a botnet sensor.
作者本章的最后一句还写道:This makes it important to conduct further research on this approach since we must be prepared in case a future smart botnet can detect and disable honeypot.
9: 讨论部分
作者首先强调:Honeypots起到了非常重要的作用;botmaster需要设计对抗措施。这方面已经有相关文献,通过软件或者硬件签名:
【27: honeypotting with vmware basics】
【28: advanced honey pot identification and exploitation】
【29:honed security advisory 2004-001:remote detection via simple probe packet】
或者利用honeypots具有的合法和道德限制。许多当前的botnets不去阻止honeypots,---simply because 攻击者没有感受到honeypots的威胁。
随着honeypots技术的增进,变得流行和广泛应用,我们相信botmaster一定会增加honeypots检测机制到botnets中的。两者之间的战争只会越来越密切!
当前的研究表明,对于当前的Internet botnet(主要指IRC botnet)的监控也不是太难,可问题是:如果防止有botnet发出的攻击?由于法律和道德原因,作为安全工作者不能主动攻击和俘获远程bot 肉鸡或者一个botnet C&C server,即使我们知道某个远程机器被安装了bot程序。举例:人所共知的"good worm"方法在真实互联网环境中就不能实践? 当前的那些依赖ISPs来限制bot肉鸡的方法缓慢而且消耗资源。所以在botnet防御方面还有足够的挑战。
10 讨论
作者指出,to defend against such an advanced botnet, we point out that honeypot may play an important role. We should, therefore, invest more research into determining how to deploy honeypots efficiently and avoid their exposure to botnets and botmasters.