
CN115514514A - Honeypot flow traction device and method, computer equipment and storage medium - Google Patents


Info

Publication number: CN115514514A
Authority: CN (China)
Prior art keywords: honeypot, flow, traffic, traction, terminal
Legal status: Granted
Application number: CN202210925002.6A
Other languages: Chinese (zh)
Other versions: CN115514514B
Inventors: 刘正涛, 宰祥顺
Current assignee: Shandong Begtone Software Technology Co ltd
Original assignee: Shandong Begtone Software Technology Co ltd
Events: application filed by Shandong Begtone Software Technology Co ltd; priority to CN202210925002.6A; publication of CN115514514A; application granted; publication of CN115514514B; legal status active.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a honeypot traffic diversion device, a honeypot traffic diversion method, computer equipment and a storage medium, in the technical field of the Internet. The device comprises a honeypot management platform, honeypot nodes, a honeypot traffic diversion server and honeypot traffic diversion terminals. The diversion server is deployed on the same machine node as the honeypot management platform, and the diversion terminals are deployed in isolated networks other than the one containing the management platform; one diversion server is deployed, and several diversion terminals are deployed in each isolated network. In a complex isolated network, an encrypted tunnel is established between the diversion server and each diversion terminal through a single port opened on the firewall, and the required traffic of the different isolated network segments is pulled into the honeypot system according to the routing table and collection policy that the diversion server pushes to the diversion terminal.

Description

A honeypot traffic diversion device, method, computer equipment and storage medium

Technical field

The present invention relates to the field of computer technology, and in particular to a honeypot traffic diversion device, method, computer equipment and storage medium.

Background

Because of how honeypots are deployed and the characteristics of the protected services, traffic in the network environment has to be diverted selectively. Between different DMZ zones, and between highly sensitive services, some of the traffic in the different isolated networks cannot be diverted at all.

Common traffic diversion techniques fall into three categories:

The first relies on a third-party security product to divert traffic. For example, every access path to the honeypot is configured and permitted one by one in the firewall's ACL; when an attacker launches an attack, the existing ACL rules on the firewall lead the traffic into the honeypot system.

The second diverts traffic through a reverse proxy: a reverse proxy server is set up between the protection device and the honeypot, and when an attack reaches the protection device, the specific traffic is diverted into the honeypot system by the reverse proxy.

The third diverts traffic through a UDP tunnel. A collection plug-in is deployed in the target virtual machine; when the client in the virtual machine starts, the honeypot pushes to it the ports to be collected and establishes a UDP tunnel with it. When an attacker launches an attack, the client, following the received policy, pulls the required network-interface traffic into the honeypot system over UDP.

However, the first category, which depends on a third-party security product such as a firewall, requires frequent changes to the configuration of the firewall or other security product, and a honeypot product usually has no authority to control third-party security products, so this diversion method is hard to use in practice.

The second category, diversion through a reverse proxy, usually cannot respond to ARP or TCP requests and can only divert the traffic of specific ports, so it cannot be configured to cover honeypot access completely.

The third category, diversion through a UDP tunnel, has to encapsulate the identity of the target in the UDP datagram, divert the traffic according to that identity, and decapsulate the data on the receiving side. This second encapsulation of the original traffic enlarges the traffic volume, reduces diversion efficiency, and is not very reliable.

In summary, a new traffic diversion method is needed that achieves efficient, secure and reliable diversion and solves the problems above.

Summary of the invention

The purpose of the present invention is to provide a honeypot traffic diversion device, method, computer equipment and storage medium that solve the technical problems described above.

To achieve this purpose, the present invention provides the following technical solutions:

In a first aspect, an embodiment of the present invention provides a honeypot traffic diversion device comprising a honeypot management platform, honeypot nodes, a honeypot traffic diversion server and honeypot traffic diversion terminals;

the honeypot traffic diversion server is deployed on the same machine node as the honeypot management platform, and the honeypot traffic diversion terminal is deployed in an isolated network different from that of the honeypot management platform;

one honeypot traffic diversion server is deployed, and several honeypot traffic diversion terminals are deployed in each isolated network.

As a further solution of the present invention, the honeypot traffic diversion server is in isolated network A, the honeypot traffic diversion terminal is in isolated network B, and a firewall deployed between isolated network A and isolated network B controls the access authorization between them.

As a further solution of the present invention, the diverted traffic between the honeypot traffic diversion terminal and the honeypot traffic diversion server flows in both directions: the server receives traffic sent by the terminal, and the terminal receives traffic sent by the server.

As a further solution of the present invention, an encrypted tunnel is set up between the honeypot traffic diversion terminal and the honeypot traffic diversion server, and traffic of every protocol type is sent and received through that tunnel.

As a further solution of the present invention, when an attacker's access traffic arrives at the network interface of the honeypot traffic diversion terminal and the destination address the attacker accesses matches a pre-configured rule, the honeypot traffic diversion device performs DNAT on the destination address without rewriting the source address, so that the original source IP in the packet is preserved.

As a further solution of the present invention, the DNAT performed by the honeypot traffic diversion device comprises the following steps:

the destination address is rewritten to the virtual-subnet IP address of the virtual network interface on the honeypot traffic diversion terminal machine; according to the system routing table of the machine on which the terminal runs, traffic toward the honeypot traffic diversion server then passes through the local virtual network interface, is read by the terminal, and is sent through the established tunnel to the honeypot traffic diversion server;

the honeypot traffic diversion server receives the traffic through its virtual network interface and, according to the routing-table policy, delivers it to the corresponding honeypot node; the address the honeypot node listens on is an IP address of the virtual subnet;

the honeypot node receives the attack traffic, obtains the real attacker IP and responds;

the honeypot node's response to the diverted traffic flows back through the tunnel between the honeypot traffic diversion server and the honeypot traffic diversion terminal to the terminal node, and the terminal node returns the response traffic to the originator of the request.

As a further solution of the present invention, the destination address attacked by the attacker is the address of the network interface of the machine on which the honeypot traffic diversion terminal runs.

As a further solution of the present invention, when the address the honeypot node listens on is an IP address of the virtual subnet, the traffic triggers the eBPF from-tun ingress hook, which writes the mapping <traffic five-tuple, virtual device ID> into /sys/fs/bpf/tc/globals and then lets the traffic pass.

As a further solution of the present invention, after the honeypot node has received the attack traffic, obtained the real attacker IP and responded, the reply would follow the default route out of the default network interface (eth0), because the attacker IP can be any address. The /sys/fs/bpf/tc/globals table is therefore queried to find the device from which the return traffic's flow arrived, the traffic is redirected to that virtual device with bpf_perf_event_output and written back to the traffic diversion terminal, which performs the SNAT, completing the full routing path of the traffic.

In a second aspect, an embodiment of the present invention provides a honeypot traffic diversion method comprising the following steps:

the honeypot traffic diversion server obtains the IP addresses of the honeypot node services from the honeypot management platform and records them;

the honeypot traffic diversion terminal is started, creates a virtual network interface, and establishes a connection to the honeypot traffic diversion server through the port that the firewall is configured to allow between isolated network A and isolated network B;

after receiving the first request from the honeypot traffic diversion terminal, the honeypot traffic diversion server creates a virtual network interface on its own machine for tunnel communication with that terminal;

the honeypot traffic diversion server pushes to the honeypot traffic diversion terminal the IP address for the terminal's virtual network interface and the routing-table policy;

the honeypot traffic diversion terminal sets the IP address of its virtual network interface to the address received from the server and configures the corresponding routing-table policy;

the honeypot traffic diversion server and the honeypot traffic diversion terminal have now established an encrypted tunnel and together form a virtual subnet;

isolated network A and isolated network B communicate through that encrypted tunnel;

traffic accessing the network interface of the machine on which the honeypot traffic diversion terminal runs has its destination address translated by the DNAT method described above according to the configured routing-table policy, and the specified traffic is diverted to the virtual network interface created by the terminal;

after reading the traffic received on the virtual network interface, the honeypot traffic diversion terminal forwards it through the tunnel to the peer virtual network interface on the machine running the honeypot traffic diversion server;

after receiving the traffic through its virtual network interface, the honeypot traffic diversion server forwards it, according to its configuration, to the specified target honeypot node;

after receiving the traffic, the honeypot node responds; the generated response traffic is sent to the honeypot traffic diversion server and through the tunnel to the honeypot traffic diversion terminal; after receiving it, the terminal writes the response traffic back to the virtual network interface, translates the source address by the SNAT method, and sends it to the traffic originator;

at server ingress, the five-tuple and the corresponding virtual network interface device are recorded;

at server egress, the mapping table above is queried and the traffic is written to the recorded virtual network interface device.

As a further solution of the present invention, the honeypot management platform is installed in isolated network A, and the honeypot traffic diversion server is installed on the machine that hosts the management platform; the honeypot management platform deploys the honeypot node services; the honeypot traffic diversion terminal is installed in isolated network B.

In a third aspect, an embodiment of the present invention provides computer equipment comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, where the processor, when executing the program, carries out the steps of the honeypot traffic diversion method above.

In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, carries out the steps of the honeypot traffic diversion method above.

The technical solutions provided by the embodiments of the present invention may have the following beneficial effects:

With the honeypot traffic diversion device, method, computer equipment and storage medium provided by the present invention, in a complex isolated network the honeypot traffic diversion server and the honeypot traffic diversion terminal establish an encrypted tunnel through a single port opened on the firewall between the isolated networks. According to the routing table and the associated collection policy that the server pushes to the terminal, the required traffic of the different isolated network segments is diverted into the honeypot system.
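The routing table and collection policy that the server pushes to the terminal is the part a deployer actually has to get right, and the description never shows what the terminal does with it. The following Python is added here as an example; it is not code from the patent or from the assignee's product. It compiles a constructed policy of the implied shape into the commands a Linux terminal host would apply: a tun device and a route into the virtual subnet, one PREROUTING DNAT rule per collected port with no MASQUERADE or SNAT rule at all (netfilter's connection tracking reverses the DNAT on the reply, which is the "SNAT" step the description refers to), and a FORWARD chain that admits only the diverted flows and their replies. That last part is a caveat the page does not address: ip_forward has to be enabled on a host sitting inside the isolated network, and without the FORWARD restriction the terminal becomes a router between that network and whatever the virtual subnet reaches. The policy keys, interface names, addresses and ports are assumptions; the page defines neither the policy's wire format nor how the policy message is authenticated, and the example assumes it arrives over the already-established tunnel.

```python
"""Compile the routing-table / collection policy pushed to a terminal into the
Linux commands the terminal host would apply. The policy shape, names, addresses
and ports are constructed for this example; the page defines no wire format."""
import ipaddress
from typing import Any, Dict, List

SAMPLE_POLICY: Dict[str, Any] = {          # constructed policy, as the server might push it
    "tun_dev": "tun0",                     # tun device the terminal created
    "tun_ip": "100.64.0.2",                # address the server assigned to that tun
    "vsubnet": "100.64.0.0/24",            # virtual subnet shared with the server
    "nic_dev": "eth0",                     # real NIC in isolated network B
    "nic_ip": "10.20.0.5",                 # the address attackers actually hit
    "divert": [                            # collection rules: local port -> honeypot VIP
        {"proto": "tcp", "dport": 22, "to": "100.64.0.10"},
        {"proto": "tcp", "dport": 3389, "to": "100.64.0.11"},
    ],
}


def validate_policy(policy: Dict[str, Any]) -> None:
    """Reject a policy that would break the terminal or widen the diversion."""
    vsubnet = ipaddress.ip_network(policy["vsubnet"])
    if ipaddress.ip_address(policy["tun_ip"]) not in vsubnet:
        raise ValueError("tun_ip must lie inside the virtual subnet")
    if ipaddress.ip_address(policy["nic_ip"]) in vsubnet:
        raise ValueError("virtual subnet overlaps the terminal's real network")
    seen = set()
    for rule in policy["divert"]:
        if rule["proto"] not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {rule['proto']!r}")
        if not 1 <= int(rule["dport"]) <= 65535:
            raise ValueError(f"bad port {rule['dport']!r}")
        if ipaddress.ip_address(rule["to"]) not in vsubnet:
            raise ValueError(f"honeypot {rule['to']} is outside the virtual subnet")
        if rule["to"] == policy["tun_ip"]:
            raise ValueError("a rule may not divert traffic to the terminal's own tun address")
        key = (rule["proto"], int(rule["dport"]))
        if key in seen:                    # a second rule for the same port would be shadowed
            raise ValueError(f"duplicate rule for {key}")
        seen.add(key)


def policy_error(policy: Dict[str, Any]) -> str:
    """Return the validation error for a policy, or '' when it is acceptable."""
    try:
        validate_policy(policy)
    except ValueError as exc:
        return str(exc)
    return ""


def compile_terminal_commands(policy: Dict[str, Any]) -> List[str]:
    """tun device, route into the virtual subnet, DNAT with no source rewrite,
    and a FORWARD chain that admits only the diverted flows and their replies."""
    validate_policy(policy)
    tun, nic, nic_ip = policy["tun_dev"], policy["nic_dev"], policy["nic_ip"]
    cmds = [
        "sysctl -w net.ipv4.ip_forward=1",     # DNAT'd packets are forwarded, not delivered locally
        f"ip tuntap add dev {tun} mode tun",
        f"ip addr add {policy['tun_ip']}/32 dev {tun}",
        f"ip link set {tun} up",
        f"ip route add {policy['vsubnet']} dev {tun}",
        # replies come back in over the tun; conntrack reverses the DNAT, so no SNAT rule
        f"iptables -A FORWARD -i {tun} -o {nic} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in policy["divert"]:
        match = f"-p {r['proto']} --dport {r['dport']}"
        cmds.append(f"iptables -t nat -A PREROUTING -i {nic} -d {nic_ip} {match} "
                    f"-j DNAT --to-destination {r['to']}")
        cmds.append(f"iptables -A FORWARD -i {nic} -o {tun} -d {r['to']} {match} "
                    f"-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")
    cmds.append("iptables -A FORWARD -j DROP")   # nothing else crosses between NIC and tun
    return cmds
```

Review the output of compile_terminal_commands(SAMPLE_POLICY) before applying it in a root shell; policy_error returns the reason a policy is refused, for example a honeypot address outside the virtual subnet, which would otherwise turn the DNAT rule into a forwarder toward a real host. The tun device is created with a /32 address and an explicit route for the virtual subnet so that only traffic for the virtual subnet is steered into the tunnel.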

These and other aspects of the present application will be clearer and easier to understand from the description of the following embodiments. It should be understood that the general description above and the detailed description below are exemplary and explanatory only and do not limit the present application.

Description of the drawings

In order to describe the technical solutions in the embodiments of the present application more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below; evidently, the drawings described below show only some embodiments of the present application. In the drawings:

Fig. 1 is a schematic structural diagram of a honeypot traffic diversion device in an exemplary embodiment of the present invention;

Fig. 2 is a hardware architecture diagram of computer equipment in an embodiment of the present invention.

The purpose, functional features and advantages of the present application are further described below with reference to the embodiments and the drawings.

Detailed description

The present application is further described below with reference to the drawings and specific embodiments. It should be noted that, provided they do not conflict, the embodiments and technical features described below may be combined arbitrarily to form new embodiments.

Each of the three existing approaches, diversion through a third-party security product, through a reverse proxy, and through a UDP tunnel, has a drawback. The first, which uses a third-party security product such as a firewall, requires frequent changes to the configuration of the firewall or other security product, and a honeypot product usually has no authority to control third-party security products, so it is hard to use in practice. The second, diversion through a reverse proxy, usually cannot respond to ARP or TCP requests and can only divert the traffic of specific ports, so it cannot be configured to cover honeypot access completely. The third, diversion through a UDP tunnel, must encapsulate the identity of the target in the UDP datagram, divert the traffic according to that identity, and decapsulate the data on the receiving side; this second encapsulation enlarges the traffic volume, reduces diversion efficiency, and is not very reliable.

Therefore, the honeypot traffic diversion device, method, computer equipment and storage medium of the present invention achieve efficient, secure and reliable diversion.

Referring to Fig. 1, an embodiment of the present application provides a honeypot traffic diversion device comprising a honeypot management platform, honeypot nodes, a honeypot traffic diversion server and honeypot traffic diversion terminals.

When the honeypot traffic diversion device is deployed, the honeypot traffic diversion server is deployed on the same machine node as the honeypot management platform, and the honeypot traffic diversion terminals are deployed in isolated networks different from that of the honeypot management platform.

One honeypot traffic diversion server is deployed, and several honeypot traffic diversion terminals are deployed in each isolated network. That is, a single diversion server is deployed alongside the honeypot management platform, while any number of diversion terminals can be deployed in each isolated network that does not contain the management platform.

In the embodiment of the present invention, the honeypot traffic diversion server is in isolated network A and the honeypot traffic diversion terminal is in isolated network B. A firewall deployed between isolated network A and isolated network B controls access authorization between the isolated networks.

In the embodiment of the present invention, the diverted traffic between the honeypot traffic diversion terminal and the honeypot traffic diversion server flows in both directions: the server receives traffic sent by the terminal, and the terminal receives traffic sent by the server.

In the embodiment of the present invention, an encrypted tunnel is set up between the honeypot traffic diversion terminal and the honeypot traffic diversion server, and traffic of every protocol type is sent and received through that tunnel.

The traffic flow is described as follows:

When an attacker's access traffic arrives at the network interface of the honeypot diversion terminal and the destination address the attacker accesses matches a pre-configured rule, DNAT is applied to the destination address; the source address is not rewritten (no MASQUERADE), so the original source IP in the packet is preserved.

The DNAT process for the attacker's attack traffic is detailed below:

First, the destination address the attacker attacks is the address of the network interface of the machine on which the honeypot traffic diversion terminal runs. To divert the traffic across the isolated network boundary, the destination address must be rewritten, namely to the virtual-subnet IP address of the virtual network interface on the terminal machine. According to the system routing table of that machine, traffic toward the honeypot traffic diversion server then passes through the local virtual network interface, is read by the terminal, and is sent through the previously established tunnel to the server.

The honeypot traffic diversion server receives the traffic through its virtual network interface and, according to the routing-table policy, delivers it to the corresponding honeypot node; the address the honeypot node listens on is an IP address of the virtual subnet (on the virtual network interface device).

At this point the traffic triggers the eBPF from-tun ingress hook, which writes the mapping <traffic five-tuple, virtual device ID> into /sys/fs/bpf/tc/globals and then lets the traffic pass.

The honeypot node receives the attack traffic, obtains the real attacker IP and responds. Because the attacker IP can be any address, the reply would follow the default route out of the default network interface (eth0); the /sys/fs/bpf/tc/globals table is therefore queried to find the device from which the flow arrived, the reply is redirected to that virtual device with bpf_perf_event_output and written back to the traffic diversion terminal, which performs the SNAT, completing the full routing path of the traffic.

In other words, the honeypot diversion terminal takes the traffic destined for the specified honeypot node target and forwards it through the tunnel between the honeypot traffic diversion server and the terminal to the diversion server, which, according to the pre-configured traffic diversion configuration, sends the traffic to the final target honeypot node.

Likewise, the honeypot node's response to the diverted traffic flows back through the tunnel between the server and the terminal to the terminal node, and the terminal node returns the response traffic to the originator of the request.
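The round trip described above, as an added example that is not code from the patent or its assignee: a user-space Python model of both sides of the path. It shows why the source address is left alone (the honeypot node records the real attacker IP), why the terminal needs connection state to turn the reply's source back into the NIC address the attacker contacted, and why the server needs the <five-tuple, virtual device ID> map: the attacker address is arbitrary, so with no map entry the reply falls to the default route out of eth0 and never reaches the tunnel it came in on. Two terminals in different isolated networks share one honeypot VIP so that the map's job is visible. One caveat on the page's wording: bpf_perf_event_output delivers a copy of the packet to a user-space perf ring buffer, it does not steer the packet inside the kernel (that would be bpf_redirect), so the model treats the server's egress decision as user-space code writing the reply into the chosen tun device. The tunnel's encryption is not modelled, and all addresses, ports and banners are constructed.

```python
"""Model of the diversion path: terminal DNAT without MASQUERADE, one tunnel per
terminal, the server's <five-tuple, virtual device ID> map, and the return path.
All addresses, ports and banners are constructed for this example."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: str

    def key(self) -> FiveTuple:
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reply_key(self) -> FiveTuple:  # five-tuple that a reply to this packet carries
        return (self.dst, self.src, self.proto, self.dport, self.sport)


class Tunnel:  # tunnel through the single firewall port; the server sees it as device vdev_id
    def __init__(self, vdev_id: int) -> None:
        self.vdev_id, self.to_server, self.to_terminal = vdev_id, [], []


class Terminal:
    """Terminal in an isolated network; dnat maps (proto, dport) to a honeypot VIP."""
    def __init__(self, nic_ip: str, tunnel: Tunnel, dnat: Dict[Tuple[str, int], str]) -> None:
        self.nic_ip, self.tunnel, self.dnat = nic_ip, tunnel, dnat
        self.conntrack: Dict[FiveTuple, str] = {}  # reply key -> original dst, to undo DNAT
        self.out_eth0: List[Packet] = []           # replies returned to attackers

    def ingress(self, pkt: Packet) -> bool:
        # PREROUTING: DNAT only the destination; no MASQUERADE, so the node sees the real source
        vip = self.dnat.get((pkt.proto, pkt.dport))
        if pkt.dst != self.nic_ip or vip is None:
            return False                           # ordinary host traffic
        diverted = replace(pkt, dst=vip)
        self.conntrack[diverted.reply_key()] = pkt.dst
        self.tunnel.to_server.append(diverted)     # route: virtual subnet -> tun device
        return True

    def drain_tun(self) -> None:
        # Replies read from the tun: reverse the DNAT (the page's "SNAT" step) so the
        # attacker sees the NIC it contacted; unknown flows are dropped, never leaked.
        while self.tunnel.to_terminal:
            reply = self.tunnel.to_terminal.pop(0)
            orig_dst = self.conntrack.get(reply.key())
            if orig_dst is not None:
                self.out_eth0.append(replace(reply, src=orig_dst))


class Server:
    """Server beside the management platform; honeypots maps VIP -> node banner."""
    def __init__(self, honeypots: Dict[str, str], tunnels: Dict[int, Tunnel]) -> None:
        self.honeypots, self.tunnels = honeypots, tunnels
        self.flow_map: Dict[FiveTuple, int] = {}   # <five-tuple, vdev id>, the tc/globals map
        self.seen_sources: List[str] = []          # attacker IPs as the honeypot nodes see them
        self.out_eth0: List[Packet] = []           # replies lost to the default route

    def pump(self) -> None:
        # from-tun ingress hook: record the arriving device, deliver to the VIP's node, route reply
        for vdev_id, tun in self.tunnels.items():
            while tun.to_server:
                pkt = tun.to_server.pop(0)
                self.flow_map[pkt.key()] = vdev_id
                banner = self.honeypots.get(pkt.dst)
                if banner is not None:
                    self.seen_sources.append(pkt.src)
                    self.egress(Packet(pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport, banner))

    def egress(self, reply: Packet) -> str:
        # The attacker IP is arbitrary, so the default route would send the reply out
        # eth0; the flow map picks the tun device the request came in on.
        vdev_id = self.flow_map.get(reply.reply_key())
        if vdev_id is None:
            self.out_eth0.append(reply)
            return "eth0"
        self.tunnels[vdev_id].to_terminal.append(reply)
        return f"tun{vdev_id}"


def run_scenario() -> Dict[str, list]:
    """Constructed topology: server in A, terminals in isolated networks B and C."""
    vip = "100.64.0.10"                            # one honeypot VIP diverted to by both
    term_b = Terminal("10.20.0.5", Tunnel(1), {("tcp", 22): vip})
    term_c = Terminal("10.30.0.5", Tunnel(2), {("tcp", 22): vip})
    server = Server({vip: "SSH-2.0-OpenSSH_8.9"}, {1: term_b.tunnel, 2: term_c.tunnel})
    term_b.ingress(Packet("192.168.1.10", "10.20.0.5", "tcp", 40001, 22, "SSH-2.0-probe"))
    term_c.ingress(Packet("172.16.9.7", "10.30.0.5", "tcp", 40002, 22, "SSH-2.0-probe"))
    server.pump()
    term_b.drain_tun()
    term_c.drain_tun()
    return {"honeypot_sources": server.seen_sources, "B": term_b.out_eth0,
            "C": term_c.out_eth0, "eth0": server.out_eth0}
```

run_scenario() returns the attacker addresses the honeypot node saw, the replies each terminal put back on its NIC (source rewritten to the terminal's own address), and any replies the server lost to the default route, which is empty as long as every flow was recorded at ingress; Server.egress on an empty map returns "eth0" for the same reply. The map is keyed on the five-tuple alone, so two isolated networks with overlapping address space could present identical tuples that this key cannot separate; the example uses distinct attacker addresses.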

In some embodiments of the present application, as shown in Fig. 1, a honeypot traffic diversion method is provided whose diversion procedure comprises the following steps:

Step 1: in isolated network A, install the honeypot management platform, and on the machine hosting the management platform install the honeypot traffic diversion server;

Step 2: the honeypot management platform deploys the honeypot node services;

Step 3: the honeypot traffic diversion server obtains the IP addresses of the honeypot node services from the honeypot management platform and records them;

Step 4: in isolated network B, install the honeypot traffic diversion terminal;

Step 5: next, enter the tunnel establishment procedure;

Step 6: start the honeypot traffic diversion terminal, create a virtual network interface, and establish a connection to the honeypot traffic diversion server through the port that the firewall is configured to allow between isolated network A and isolated network B;

Step 7: after receiving the first request from the honeypot traffic diversion terminal, the honeypot traffic diversion server creates a virtual network interface on its own machine for tunnel communication with that terminal;

Step 8: the honeypot traffic diversion server pushes to the terminal the IP address for the terminal's virtual network interface and the routing-table policy;

Step 9: the honeypot traffic diversion terminal sets the IP address of its virtual network interface to the address received from the server and configures the corresponding routing-table policy;

Step 10: at this point the honeypot traffic diversion server and the honeypot traffic diversion terminal have established an encrypted tunnel and together form a virtual subnet;

Step 11: isolated network A and isolated network B can communicate through this tunnel;

Step 12: traffic accessing the network interface of the machine on which the honeypot traffic diversion terminal runs has its destination address translated by the DNAT method described above according to the configured routing-table policy, and the specified traffic is diverted to the virtual network interface created by the terminal;

Step 13: after reading the traffic received on the virtual network interface, the honeypot traffic diversion terminal forwards it through the tunnel to the peer virtual network interface on the machine running the honeypot traffic diversion server;

Step 14: after receiving the traffic through its virtual network interface, the honeypot traffic diversion server forwards it, according to its configuration, to the specified target honeypot node;

Step 15: after receiving the traffic, the honeypot node responds; the generated response traffic is sent to the honeypot traffic diversion server and through the tunnel to the honeypot traffic diversion terminal; after receiving it, the terminal writes the response traffic back to the virtual network interface, translates the source address by the SNAT method described above, and sends it to the traffic originator;

步骤十六、在服务器ingress时记录五元组和对应虚拟网卡设备;Step sixteen, record the quintuple and the corresponding virtual network card device when the server is ingressing;

步骤十七、在服务器egress时通过查询上述中的映射表写入虚拟网卡设备,保证流量从哪个端口来回到哪个端口去。Step 17. When the server is egressing, query the above mapping table and write it into the virtual network card device to ensure which port the traffic comes from and returns to which port.

It should be understood that the specific embodiments described here serve only to explain the present application and are not intended to limit it.

The technical solutions in the embodiments of the present application will now be described clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that a person of ordinary skill in the art could derive from these embodiments without creative effort fall within the scope of protection of the present application.

The flowcharts shown in the drawings are illustrative only; they need not include all contents and operations/steps, nor need the operations/steps be performed in the order described. For example, some operations/steps may be split, combined or partly merged, so the actual order of execution may change according to circumstances.

Some implementations of the present application are described in detail below with reference to the drawings. Where no conflict arises, the following embodiments and the features within them may be combined with one another.

Referring to FIG. 1, in an embodiment of the present invention the honeypot traffic traction device spans three network zones: an Internet zone, an office network zone and a private network zone. The zones are isolated from one another by firewalls and have no direct network connectivity.

In this embodiment, the honeypot management platform, the honeypot nodes and the honeypot traffic traction server are deployed in the private network zone. One honeypot traffic traction appliance is deployed in the Internet zone and one in the office network zone, each with the honeypot traffic traction terminal installed on it. The traction terminals in the Internet zone and the office network zone create virtual network card A and virtual network card B on their respective machines.

Honeypot traffic traction terminal A in the Internet zone, permitted through firewall A, the core switch and firewall B on a single port only, establishes a connection over TCP with the honeypot traffic traction server in the private network zone by encrypted negotiation.

At the same time, honeypot traffic traction terminal B deployed in the office network zone establishes a connection over TCP with the honeypot traffic traction server in the private network zone by encrypted negotiation, through the designated single port opened on firewall B.

After the honeypot traffic traction server receives the networking requests from traction terminal A in the Internet zone and traction terminal B in the office network zone, it assigns each of them a designated virtual subnet IP address and issues the routing policy needed to forward traffic to the honeypot nodes.

In this embodiment, traffic from the Internet zone destined for a specific honeypot passes through virtual network card A and traction terminal A and is pulled through the subnet tunnel to the honeypot node in the private network zone. After the honeypot node processes, parses and records the designated traffic, it responds with the honeypot's response traffic, which travels back through the tunnel to traction terminal A in the Internet zone and is finally delivered to the traffic initiator, completing one cycle of honeypot request, processing and response.

Likewise, traffic from the office network zone destined for a specific honeypot passes through virtual network card B and traction terminal B and is pulled through the subnet tunnel to the honeypot node in the private network zone. After the honeypot node processes, parses and records the designated traffic, it responds with the honeypot's response traffic, which travels back through the tunnel to traction terminal B in the office network zone and is finally delivered to the traffic initiator, completing one cycle of honeypot request, processing and response.
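As an added illustration (not code from the patent or its applicant), the following Python models the data path of Steps 12 to 17 above for the two-zone deployment just described: the terminal rewrites only the destination (DNAT) and keeps the source IP, the server records the five-tuple and the virtual NIC it arrived on at ingress and consults that map at egress, and the terminal SNATs the reply back to the address the initiator contacted. All IP addresses, device names (`tunA`, `tunB`), rule tables and the decoy banner are constructed sample values, and the tunnel itself is reduced to a function call.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Just enough header to model a flow: five-tuple plus payload."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""

    def five_tuple(self):
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reversed_tuple(self):
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class HoneypotNode:
    """Decoy listening on a virtual-subnet IP; it sees the real source IP."""

    def __init__(self, listen_ip, banner):
        self.listen_ip = listen_ip
        self.banner = banner
        self.seen_sources = []      # what the node would log as attacker IPs

    def handle(self, pkt):
        self.seen_sources.append(pkt.src_ip)
        return Packet(pkt.proto, pkt.dst_ip, pkt.dst_port,
                      pkt.src_ip, pkt.src_port, self.banner)


class TractionTerminal:
    """Terminal in an isolated zone: DNAT on the way in, SNAT on the way back."""

    def __init__(self, vnic_dev, dnat_rules):
        self.vnic_dev = vnic_dev        # constructed name of the server-side vNIC
        self.dnat_rules = dnat_rules    # (hit dst_ip, dst_port) -> virtual subnet IP
        self.conntrack = {}             # expected reply five-tuple -> original dst IP

    def ingress(self, pkt):
        """Step 12: rewrite only the destination; None means not honeypot-bound."""
        target = self.dnat_rules.get((pkt.dst_ip, pkt.dst_port))
        if target is None:
            return None
        pulled = replace(pkt, dst_ip=target)      # source IP is left untouched
        self.conntrack[pulled.reversed_tuple()] = pkt.dst_ip
        return pulled

    def egress(self, reply):
        """Step 15: SNAT the reply so it appears to come from the address hit."""
        orig_dst = self.conntrack.pop(reply.five_tuple(), None)
        if orig_dst is None:
            return None                 # no matching request: drop the stray reply
        return replace(reply, src_ip=orig_dst)


class TractionServer:
    """Server beside the management platform: routes to nodes, keeps ingress map."""

    def __init__(self, routes):
        self.routes = routes            # virtual subnet IP -> HoneypotNode
        self.flow_to_vnic = {}          # five-tuple -> vNIC device it arrived on

    def ingress(self, vnic_dev, pkt):
        """Steps 14 and 16: remember (five-tuple -> vNIC), then forward to the node."""
        self.flow_to_vnic[pkt.five_tuple()] = vnic_dev
        node = self.routes.get(pkt.dst_ip)
        return None if node is None else node.handle(pkt)

    def egress(self, reply):
        """Step 17: the reply leaves through the vNIC its request came in on."""
        return self.flow_to_vnic.pop(reply.reversed_tuple(), None)


def round_trip(terminal, server, pkt):
    """Terminal -> tunnel -> server -> node and back; (None, None) if not pulled."""
    pulled = terminal.ingress(pkt)
    if pulled is None:
        return None, None
    reply = server.ingress(terminal.vnic_dev, pulled)
    if reply is None:
        return None, None
    dev = server.egress(reply)
    if dev != terminal.vnic_dev:
        return dev, None                # would have gone down the wrong tunnel
    return dev, terminal.egress(reply)


def build_demo():
    """Internet and office zones pulling to one node (constructed sample values)."""
    node = HoneypotNode("10.200.0.10", b"SSH-2.0-decoy")
    server = TractionServer({"10.200.0.10": node})
    term_a = TractionTerminal("tunA", {("203.0.113.20", 22): "10.200.0.10"})
    term_b = TractionTerminal("tunB", {("192.168.10.20", 22): "10.200.0.10"})
    return node, server, term_a, term_b
```

Running `round_trip` for a request from each zone shows the reply leaving the server on the same vNIC the request arrived on, while traffic that hits no DNAT rule is left alone.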

This embodiment also provides computer equipment. As shown in FIG. 2, the computer equipment comprises a plurality of computer devices 1000, and in this embodiment the components of the honeypot traffic traction device may be distributed across different computer devices 1000. A computer device 1000 may be a smartphone, tablet, laptop, desktop computer, rack server, blade server, tower server or cabinet server (including a stand-alone server or a cluster of several servers) that executes programs. The computer device 1000 of this embodiment includes at least, but is not limited to, a memory 1001 and a processor 1002 that are communicatively connected to each other through a system bus. It should be understood, however, that not all of the illustrated components need be implemented; more or fewer components may be implemented instead.

In this embodiment, the memory 1001 (that is, a readable storage medium) includes flash memory, hard disk, multimedia card, card-type memory (for example SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disc and the like. In some embodiments, the memory 1001 may be an internal storage unit of the computer device 1000, such as its hard disk or main memory. In other embodiments, the memory 1001 may be an external storage device of the computer device 1000, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to the computer device 1000. Of course, the memory 1001 may also include both the internal storage unit and the external storage device of the computer device 1000. In this embodiment, the memory 1001 is generally used to store the operating system and the various application software installed on the computer device, such as the honeypot traffic traction device of the embodiment. In addition, the memory 1001 may be used to temporarily store various kinds of data that have been or are to be output.

In some embodiments the processor 1002 may be a central processing unit (CPU), controller, microcontroller, microprocessor or other data processing chip. The processor 1002 is generally used to control the overall operation of the computer device 1000. In this embodiment, the processor 1002 is used to run the program code stored in the memory 1001 or to process data. When the processors 1002 of the multiple computer devices 1000 of this embodiment jointly execute the computer program, they implement the honeypot traffic traction method of the embodiment, that is, Steps 1 to 17 as set out above.

From the description of the above embodiments, a person of ordinary skill in the art can clearly understand that each embodiment can be implemented by software together with a general-purpose hardware platform, and of course also by hardware alone. A person of ordinary skill in the art can understand that all or part of the procedures in the methods of the above embodiments can be carried out by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may perform the procedures of the embodiments of the above methods.

Embodiments of the present application also provide a computer-readable storage medium, such as flash memory, hard disk, multimedia card, card-type memory (for example SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disc, server, app store and the like, on which a computer program is stored; when the program is executed by a processor it implements the corresponding functions. The computer-readable storage medium of this embodiment stores the honeypot traffic traction device 10 of the embodiment and, when executed by a processor, implements the honeypot traffic traction method of the embodiment, that is, Steps 1 to 17 as set out above.

From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software together with the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation.

With the honeypot traffic traction device, method, computer equipment and storage medium provided by the present invention, in a complex isolated network the honeypot traffic traction server and the honeypot traffic traction terminal establish an encrypted tunnel through a single port opened on the firewall between the isolated networks. According to the routing table and the related collection policy that the honeypot traffic traction server issues to the honeypot traffic traction terminal, the required traffic from the different isolated network segments is pulled into the honeypot system.

The above are only preferred embodiments of the present application and do not limit its patent scope. Any equivalent structure or equivalent process transformation made using the contents of the description and drawings of this application, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present application.

Claims (10)

1. A honeypot traffic traction device, characterised in that, for efficient, secure and reliable traffic diversion, it comprises a honeypot management platform, honeypot nodes, a honeypot traffic traction server and a honeypot traffic traction terminal;
the honeypot traffic traction server and the honeypot management platform are deployed on the same machine node, and the honeypot traffic traction terminal is deployed in an isolated network different from that of the honeypot management platform;
one honeypot traffic traction server is deployed, and a plurality of honeypot traffic traction terminals are deployed in each isolated network.
2. The honeypot traffic traction device according to claim 1, wherein the honeypot traffic traction server is located in isolated network A, the honeypot traffic traction terminal is located in isolated network B, and a firewall deployed between isolated network A and isolated network B controls access authorisation between them.
3. The honeypot traffic traction device according to claim 1, wherein traffic traction between the honeypot traffic traction terminal and the honeypot traffic traction server is bidirectional: the honeypot traffic traction server is configured to receive traffic sent by the honeypot traffic traction terminal, and the honeypot traffic traction terminal is configured to receive traffic sent by the honeypot traffic traction server.
4. The honeypot traffic traction device according to claim 3, wherein an encrypted tunnel is arranged between the honeypot traffic traction terminal and the honeypot traffic traction server, and traffic of all protocol types is transmitted and received through the tunnel.
5. The honeypot traffic traction device according to claim 4, wherein, when an attacker's access traffic reaches the network card of the honeypot traffic traction terminal and the destination address accessed by the attacker hits a pre-configured rule, the device is configured to perform DNAT on the destination address without rewriting the source address, so that the original source IP is retained in the packet.
6. The honeypot traffic traction device according to claim 5, wherein performing the DNAT comprises the following steps:
the destination address is rewritten to the virtual subnet IP address of the virtual network card on the machine hosting the honeypot traffic traction terminal; according to the system routing table of that machine, traffic for the honeypot traffic traction server then passes through the local virtual network card, is read by the honeypot traffic traction terminal, and is sent to the honeypot traffic traction server through the established tunnel;
the honeypot traffic traction server receives the traffic through its virtual network card and sends it to the corresponding honeypot node according to the routing table policy, the address on which the honeypot node listens being an IP address in the virtual subnet;
the honeypot node receives the attack traffic, obtains the real attacker IP and responds;
the honeypot node's response to the designated traffic flows back to the honeypot traffic traction terminal node through the tunnel between the honeypot traffic traction server and the honeypot traffic traction terminal, and the honeypot traffic traction terminal node returns the response traffic to the request initiator.
7. The honeypot traffic traction device according to claim 6, wherein the destination address of the attacker's attack is an address of a traffic-carrying network card in the machine where the honeypot traffic traction terminal is located.
8. A honeypot traffic traction method, characterised in that it comprises the following steps:
the honeypot traffic traction server obtains the IP address of the honeypot node service from the honeypot management platform and records it;
a honeypot traffic traction terminal is started, creates a virtual network card, and establishes a connection with the honeypot traffic traction server through a port configured in the firewall to allow communication between isolated network A and isolated network B;
after receiving the first request from the honeypot traffic traction terminal, the honeypot traffic traction server creates a virtual network card for tunnel communication with the honeypot traffic traction terminal;
the honeypot traffic traction server issues to the honeypot traffic traction terminal the IP address of its virtual network card and a routing table policy;
the honeypot traffic traction terminal sets the IP address of the virtual network card to the IP address issued by the honeypot traffic traction server and configures the corresponding routing table policy;
the honeypot traffic traction server and the honeypot traffic traction terminal establish an encrypted tunnel and form a virtual subnet;
isolated network A and isolated network B communicate through the encrypted tunnel;
traffic reaching the network card of the machine where the honeypot traffic traction terminal is located undergoes destination address translation by the DNAT method according to the formulated routing table policy, and the designated traffic is pulled to the virtual network card created by the honeypot traffic traction terminal;
after reading the traffic received by the virtual network card, the honeypot traffic traction terminal pulls the traffic through the tunnel to the peer virtual network card of the machine where the honeypot traffic traction server is located;
after receiving the traffic through the virtual network card, the honeypot traffic traction server pulls the traffic to the designated target honeypot node according to the configuration items;
after receiving the traffic, the honeypot node responds, sends the generated response traffic to the honeypot traffic traction server, and the response traffic is sent through the tunnel to the honeypot traffic traction terminal; after receiving it, the honeypot traffic traction terminal writes the response traffic back to the virtual network card, performs source address translation by the SNAT method, and sends the response traffic to the traffic initiator;
recording the five-tuple and the corresponding virtual network card device at server ingress;
and, at server egress, writing to the virtual network card device found by querying the mapping table recorded in the preceding step.
9. Computer equipment comprising a plurality of computer devices, each computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processors of the plurality of computer devices, when executing the computer program, collectively implement the steps of the honeypot traffic traction method of claim 8.
10. A computer-readable storage medium on which a computer program is stored, which, when executed by a processor, carries out the steps of the honeypot traffic traction method of claim 8.
CN202210925002.6A 2022-08-03 2022-08-03 A honeypot traffic traction device, method, computer equipment and storage medium Active CN115514514B (en)


Publications (2)

Publication Number Publication Date
CN115514514A true CN115514514A (en) 2022-12-23
CN115514514B CN115514514B (en) 2025-02-11

Family

ID=84502140

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210925002.6A Active CN115514514B (en) 2022-08-03 2022-08-03 A honeypot traffic traction device, method, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115514514B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116521318A (en) * 2023-04-25 2023-08-01 宁波如磐科技有限公司 Method and device for virtualizing multiple honeypot nodes by single host based on xdp technology

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8756696B1 (en) * 2010-10-30 2014-06-17 Sra International, Inc. System and method for providing a virtualized secure data containment service with a networked environment
CN109768993A (en) * 2019-03-05 2019-05-17 中国人民解放军32082部队 A kind of high covering Intranet honey pot system
CN111885046A (en) * 2020-07-21 2020-11-03 广州锦行网络科技有限公司 Linux-based transparent intranet access method and device
CN112134857A (en) * 2020-09-07 2020-12-25 广州锦行网络科技有限公司 Method for binding honeypots of honeypot system by multiple nodes
CN114257438A (en) * 2021-12-16 2022-03-29 南方电网数字电网研究院有限公司 Honeypot-based power monitoring system management method and device and computer equipment

Also Published As

Publication number Publication date
CN115514514B (en) 2025-02-11

Similar Documents

Publication Publication Date Title
CN107222353B (en) Support protocol-independent software-defined network virtualization management platform
EP3905598B1 (en) Message processing method and apparatus, control plane device, and computer storage medium
CN101083549A (en) Method and system for realizing VPN configuration service
CN101009683A (en) Computer system and method for processing network flow
US20200295988A1 (en) Systems and methods for automatically configuring network isolation
CN112910705A (en) Method, device and storage medium for arranging network flow
CN111800399B (en) Information transmission method, device, equipment and storage medium
CN112532505A (en) SD-WAN-based local area network communication method and device, readable storage medium and control equipment
CN112187532A (en) Node control method and system
EP3836487B1 (en) Internet access behavior management system and device
CN107968849B (en) Method and device for network private line connection
CN115514514A (en) Honeypot flow traction device and method, computer equipment and storage medium
CN110768870A (en) Quality monitoring method and device for intelligent special line
CN118200240B (en) Service processing method, network device, storage medium, and program product
CN108924061A (en) A kind of application identification and management method, system and relevant apparatus
CN113596192B (en) Communication method, device, equipment and medium based on gatekeeper networking
CN110351394B (en) Network data processing method and device, computer device and readable storage medium
CN116346536A (en) Method, device, equipment and medium for virtual machine to access cloud platform management network
CN116545665A (en) Safe drainage method, system, equipment and medium
CN115913877A (en) A method for creating and debugging an SDN-based device service chain
CN114189485A (en) Network port management method and system of switch and computer readable storage medium
US10693673B2 (en) Method and apparatus for routing data to cellular network
CN115776441B (en) SDN-based virtual private line service issuing method and device, medium and electronic equipment
KR102763960B1 (en) Method for setting virtual network based on user-defined
CN117650965B (en) Method and device for realizing SD-WAN management network based on uCPE original ports

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant