現代物聯網僵屍網路行為的深度分析：利用多個蜜罐進行研究

Abstract

隨著物聯網（IoT）設備數量的急速增加，它們已成為網路攻擊的目標，例如botnet中的「Mirai」和「Gafgyt」。這些攻擊通常利用物聯網設備的漏洞，並透過SSH或Telnet傳播，這是許多路由器和IP攝像頭等設備常用的通訊協定。為了防範這類攻擊，蜜罐（honeypot）被證明是一個有用的工具。它通過模擬能被攻擊的平台、機器或服務，作為誘餌來吸引攻擊者。蜜罐不僅能夠誤導攻擊者，使其轉移對真實目標的注意力，而且還使防禦者能夠更深入地分析攻擊者使用的策略和技術。在這個實驗中，我們同時部署了四個不同配置的SSH/Telnet蜜罐，使我們能夠更深入地了解攻擊者的行為。結果，我們在實驗中識別出至少54種不同類型的攻擊，並依據其出現頻率從中挑選了14種攻擊，進行更深入的分析。我們指出了一些有用的特徵，並整理了一份簡單的指南，以幫助人們抵禦當前的botnet威脅。

With the rapid increase in the number of IoT devices, they have become targets for cyber attacks, such as the botnets "Mirai" and "Gafgyt." These attacks often exploit vulnerabilities in IoT devices, particularly through SSH or telnet connections commonly used by devices like routers and IP cameras. To defend against such attacks, a honeypot proves to be a valuable tool. It operates by simulating a vulnerable platform, machine, or service, serving as a decoy to lure attackers. Not only does the honeypot mislead attackers by diverting their attention from the real target, but it also enables defenders to analyze the strategies and techniques employed by the attackers in greater depth. In our case, we deployed four SSH/telnet honeypots with different configurations simultaneously, allowing us to gain deeper insights into the behavior of attackers. As a result, we identified at least 54 distinct types of attacks that occurred during our experiment and picked 14 of them based on appearance frequency to perform deeper analysis. We pointed out some useful features and arranged a simple guideline to help people defend against the current botnet threats.