The cloud honeypot feature provides capabilities such as attack discovery and attack source tracing within and outside the cloud. You can create honeypots in virtual private clouds (VPCs) and servers that are protected by Security Center. This protects the servers from attacks that are launched within and outside the cloud and reinforces the security of the servers.
Background information
Traditional defense methods have limits when attacks are diversified, concealed, and complex. For example, traditional security services based on libraries of attack rules and attack signatures can hardly detect APT attacks that are launched by exploiting zero-day vulnerabilities. If servers are attacked, security O&M engineers can only handle the issues caused by the attacks, but they cannot prevent attackers from intruding into internal networks and launching attacks. Companies need to proactively defend against attacks, and take measures to defend their services against attackers and protect data.
A honeypot is a system used to attract attackers. The honeypot simulates one or more hosts and services that are vulnerable to attacks and disguises them as business applications. This lures attackers to attack the disguised hosts and services. Honeypots do not provide services for users. Therefore, all connection attempts on honeypots are considered suspicious. Attackers are lured to attack honeypots, which delays the attacks on real targets. This allows you to obtain information about the attackers. You can use the information to improve your defense against attacks. This way, you can protect your business systems.
How cloud honeypot works
Compared with traditional defense methods, honeypots can proactively defend against attacks. However, traditional honeypots are less deceptive and cannot be used in all scenarios. Traditional honeypots provide a limited number of honeypot types and have high costs. To resolve the issues of traditional defense methods and traditional honeypots, the cloud honeypot feature of Security Center is launched.
Cloud honeypot provides the following features:
Cloud-native VPC probes
The cloud honeypot feature redirects traffic destined for IP addresses that are unreachable in VPCs to VPC probes. Then, the VPC probes forward traffic to honeypots based on the traffic forwarding rules that are configured for the VPC probes.
Common host probes
The cloud honeypot feature allows you to install a host probe on the host on which your workloads are deployed. The host probe is used to forward traffic. After you install the host probe on your host, resource consumption on the host does not significantly increase, and your applications are not affected. Host probes are secure and stable, and can be installed on common hardware and operating systems.
Various types of honeypots
The cloud honeypot feature supports high- and low-interaction honeypots. Low-interaction honeypots support all ports. High-interaction honeypots provide various types of built-in honeypots that are vulnerable to attacks. The built-in honeypots include web honeypots, database honeypots, system service honeypots, special defect honeypots, and custom honeypots.
Custom honeypots
The cloud honeypot feature allows you to create a custom honeypot based on containers to implement high-level business simulation.
You can use both VPC probes and host probes. This allows you to protect a large number of IP addresses at low costs of IP addresses and computing resources. You can deploy various types of built-in honeypots and custom honeypots as a honeypot cluster. The honeypot cluster is highly deceptive.
Impacts
Security services can cause stability issues and security risks. To prevent these issues, the cloud honeypot feature is designed to deliver honeypot-related capabilities, ensure high stability and high security, and consume a small amount of host resources.
Impacts on performance
Impacts of VPC probes
VPC probes do not consume host resources or network resources.
Impacts of host probes
Host probes forward only unusual traffic on the ports they occupy and consume a small amount of system resources.
Impacts on stability
Impacts of VPC probes
VPC probes can simulate interaction with scan traffic. If you use asset detection software that initiates scans, false positives may be reported.
Impacts of host probes
Host probes occupy ports on hosts. You must properly allocate host ports for host probes.
Impacts on security
Security assurance of host probes
Host probes are controlled by their management nodes. The management nodes can control only the traffic forwarding rules of host probes. Even if management nodes are compromised, attackers cannot use the management nodes to control hosts through the host probes controlled by the management nodes.
Security assurance of honeypot escape prevention
Each user can create a unique honeypot cluster in which Docker escape detection is provided by default.
Security assurance of networks
Network isolation is implemented. The network of users cannot be attacked over the communication path between honeypots and probes even if a honeypot cluster is compromised.
Network environments
The cloud honeypot feature is supported in network environments such as Alibaba Cloud, third-party clouds, and data centers.
In Alibaba Cloud, VPC probes that are developed by the Security Center team and the network team can redirect traffic destined for IP addresses that are unreachable in VPCs to honeypots. This achieves low cost and delivers high-coverage honeypot capabilities.
In an environment other than Alibaba Cloud, the cloud honeypot feature allows you to use host probes, which are secure and consume a small amount of host resources, for traffic redirection. Host probes redirect unusual traffic to the backend honeypot cluster.
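The following is an added illustration, not code from Security Center, of the routing logic described above: a VPC probe picks up connections to addresses that are unreachable in the VPC and a host probe picks up connections to ports no workload serves, both forwarding by port to a honeypot, with every honeypot hit treated as suspicious, internal scanner sources tagged separately (the false-positive caveat under Impacts on stability), and a check that host probe ports do not collide with workload ports (the port-allocation caveat). All addresses, ports, rules, and honeypot names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int

# Constructed VPC: a /24 in which only two addresses are actually assigned.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/24")
ASSIGNED_IPS = {"10.0.0.10", "10.0.0.11"}

# Constructed forwarding rules: port -> high-interaction honeypot.
# Any other port goes to the low-interaction honeypot, which accepts all ports.
FORWARDING_RULES = {22: "ssh-honeypot", 3306: "mysql-honeypot"}
LOW_INTERACTION = "low-interaction-honeypot"

# Constructed: a host probe on 10.0.0.10 occupying ports the workload does not use.
WORKLOAD_PORTS = {"10.0.0.10": {80, 443}}
HOST_PROBE_PORTS = {"10.0.0.10": {22, 6379}}

# Constructed: internal asset-scanner addresses whose honeypot hits are expected noise.
INTERNAL_SCANNERS = {"10.0.0.200"}

def host_probe_port_conflicts(host):
    """Ports a host probe would occupy that the workload already serves (must be empty)."""
    return HOST_PROBE_PORTS.get(host, set()) & WORKLOAD_PORTS.get(host, set())

def route(conn):
    """Honeypot the connection is redirected to, or None if it reaches a real service."""
    dst = ipaddress.ip_address(conn.dst)
    if dst in VPC_CIDR and conn.dst not in ASSIGNED_IPS:
        # VPC probe: destination is unreachable inside the VPC.
        return FORWARDING_RULES.get(conn.dport, LOW_INTERACTION)
    if conn.dport in HOST_PROBE_PORTS.get(conn.dst, set()):
        # Host probe: destination port is occupied by the probe, not a workload.
        return FORWARDING_RULES.get(conn.dport, LOW_INTERACTION)
    return None

def classify(conn):
    """Honeypots serve no users, so any connection reaching one is suspicious;
    hits from internal scanners are tagged separately to avoid false positives."""
    pot = route(conn)
    if pot is None:
        return ("normal", None)
    if conn.src in INTERNAL_SCANNERS:
        return ("scanner", pot)
    return ("suspicious", pot)
```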
Limits
Host probes
Host probes can be installed only on the servers that are displayed in the Assets module in the Security Center console and are protected by Security Center.
VPC probes
VPC probes can be installed on the VPCs in the following regions:
China (Qingdao)
China (Beijing)
China (Zhangjiakou)
China (Hohhot)
China (Ulanqab)
China (Hangzhou)
China (Shanghai)
China (Shenzhen)
China (Heyuan)
China (Guangzhou)
China (Chengdu)
China (Hong Kong)
Japan (Tokyo)
Singapore
Indonesia (Jakarta)
US (Virginia)
US (Silicon Valley)
UK (London)
UAE (Dubai)
Germany (Frankfurt)