The cloud honeypot feature detects attacks and traces attack sources both inside and outside your cloud environment. Deploy honeypots in virtual private clouds (VPCs) and on servers protected by Security Center to intercept attackers before they reach your real assets.
Any connection attempt to a honeypot is treated as suspicious and triggers an alert—honeypots serve no legitimate business function, so all traffic to them is attacker traffic.
Honeypots occupy ports on hosts. Allocate host ports carefully to avoid conflicts with your production workloads.
How it works
Traditional security defenses rely on known attack signatures, which makes them ineffective against advanced persistent threat (APT) attacks that exploit zero-day vulnerabilities. When a server is compromised, security teams can only respond after the fact.
Cloud honeypot takes a proactive approach: it deploys systems that look like real business assets but serve no production purpose. Attackers are drawn to these decoys, which buys time to observe attacker behavior, collect intelligence, and strengthen your actual defenses.
Cloud honeypot uses two types of probes to redirect traffic to honeypots:
VPC probes — Traffic destined for unreachable IP addresses in your VPCs is automatically redirected to honeypots. VPC probes consume no host or network resources.
Host probes — Install a probe on a host where your workloads run. The probe forwards only unusual port traffic to the honeypot cluster, with minimal impact on the host and no effect on your applications.
Use VPC probes and host probes together to protect a large number of IP addresses at low cost.
Key concepts
| Concept | Description |
|---|---|
| VPC probe | A cloud-native component that redirects traffic from unreachable VPC IP addresses to honeypots. Developed by the Security Center and network teams. |
| Host probe | A lightweight agent installed on a production host. Forwards unusual traffic to the honeypot cluster without affecting host stability or application performance. Can be installed on common hardware and operating systems. |
| Low-interaction honeypot | A simulated service that listens on all ports and logs connection attempts. Lower fidelity, but fast to deploy and scalable. Choose this type for broad coverage at low cost. |
| High-interaction honeypot | A full emulation of a vulnerable host or service. Supports web, database, system service, special defect, and custom honeypot types. Higher fidelity, providing richer attacker behavior data. Choose this type when you need detailed intelligence on attacker techniques. |
| Honeypot cluster | A group of built-in and custom honeypots deployed together. A cluster increases deception coverage and makes it harder for attackers to distinguish honeypots from real assets. |
| Custom honeypot | A container-based honeypot you build to simulate your specific business environment. Supports high-level business simulation. |
| Docker escape detection | Built into every honeypot cluster by default. Detects attempts by attackers to break out of the container. |
| Management node | Controls the traffic forwarding rules of host probes. Even if a management node is compromised, attackers cannot use it to control the underlying host. |
Supported environments
| Environment | Probe type | Notes |
|---|---|---|
| Alibaba Cloud | VPC probes | Redirects traffic from unreachable VPC IP addresses to honeypots. Low cost, high coverage. |
| Third-party clouds | Host probes | Redirects unusual traffic to the backend honeypot cluster. |
| Data centers | Host probes | Redirects unusual traffic to the backend honeypot cluster. |
Potential impacts
Performance
| Component | Impact |
|---|---|
| VPC probe | No host or network resource consumption |
| Host probe | Forwards only unusual port traffic; minimal system resource usage |
Stability
| Component | Impact |
|---|---|
| VPC probe | Simulates interaction with scan traffic. If you run asset detection software that initiates scans, false positives may be reported. |
| Host probe | Occupies ports on the host. Allocate host ports carefully before deployment. |
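The two redirection rules from the How it works section, together with the scanner false-positive note above, as an added Python model (not Alibaba Cloud's probe code): a VPC probe rule (destination is an unallocated VPC address), a host probe rule (destination is the protected host on a port no workload uses), and triage that alerts on every decoy hit except from a known internal asset scanner. The addresses, ports, log format and scanner allowlist are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

# Constructed sample environment (hypothetical addresses): one VPC, three
# allocated addresses, one protected host whose workloads use 22, 80 and 443.
VPC_CIDR = ip_network("10.0.0.0/24")
ALLOCATED_IPS = {ip_address(a) for a in ("10.0.0.10", "10.0.0.11", "10.0.0.12")}
HOST_IP = ip_address("10.0.0.10")
WORKLOAD_PORTS = {22, 80, 443}
# Internal asset-detection scanner: its decoy hits are the false positives the
# Stability table warns about, so they are traced but not alerted on.
KNOWN_SCANNERS = {ip_address("10.0.0.250")}

LOG_LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def classify(src, dst, dport):
    """Return (probe, alert, reason): which probe redirects the flow, if any."""
    s, d = ip_address(src), ip_address(dst)
    if d in VPC_CIDR and d not in ALLOCATED_IPS:
        # VPC probe: nothing legitimate answers at an unallocated address.
        return "vpc", s not in KNOWN_SCANNERS, "unallocated VPC address"
    if d == HOST_IP and dport not in WORKLOAD_PORTS:
        # Host probe: only traffic to ports no workload uses is handed over.
        return "host", s not in KNOWN_SCANNERS, f"unused port {dport}"
    return "none", False, "production traffic, not redirected"

def triage(lines):
    """Return alerts and, per source, the decoy (dst, port) pairs it touched."""
    alerts, suspects = [], defaultdict(set)
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # skip malformed records instead of aborting the batch
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        probe, alert, reason = classify(src, dst, dport)
        if probe != "none":
            suspects[src].add((dst, dport))  # trace sources, scanners included
        if alert:
            alerts.append((src, dst, dport, probe, reason))
    return alerts, dict(suspects)

SAMPLE_LOG = [  # constructed flow records, not the output of any real probe
    "src=203.0.113.7 dst=10.0.0.10 dport=443",   # real workload: ignored
    "src=203.0.113.7 dst=10.0.0.10 dport=3306",  # host probe: decoy port
    "src=203.0.113.7 dst=10.0.0.77 dport=22",    # VPC probe: unallocated IP
    "src=10.0.0.250 dst=10.0.0.99 dport=80",     # internal scanner: no alert
    "not a flow record",
]
```

Running `triage(SAMPLE_LOG)` yields two alerts for 203.0.113.7 (one per probe type) and no alert for the scanner, which still appears in the traced sources.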
Security
Network isolation is enforced between honeypots and probes. Even if the honeypot cluster is compromised, attackers cannot reach your production network through the honeypot-to-probe communication path.
Each user gets a unique honeypot cluster with Docker escape detection enabled by default.
Limitations
Host probes
Host probes can only be installed on servers that appear in the Assets module of the Security Center console and are protected by Security Center.
VPC probes
VPC probes are supported in the following regions:
China
China (Qingdao)
China (Beijing)
China (Zhangjiakou)
China (Hohhot)
China (Ulanqab)
China (Hangzhou)
China (Shanghai)
China (Shenzhen)
China (Heyuan)
China (Guangzhou)
China (Chengdu)
China (Hong Kong)
Outside China
Japan (Tokyo)
Singapore
Indonesia (Jakarta)
US (Virginia)
US (Silicon Valley)
UK (London)
UAE (Dubai)
Germany (Frankfurt)