The cloud honeypot feature provides capabilities such as attack discovery and attack source tracing within and outside the cloud. You can create honeypots in virtual private clouds (VPCs) and servers that are protected by Security Center. This protects the servers from attacks that are launched within and outside the cloud and reinforces the security of the servers.
Traditional defense methods are used to defend against attacks. However, these methods have limits against attacks that are diverse, concealed, and complex. For example, traditional security services that rely on libraries of attack rules and attack signatures can hardly detect APT attacks that exploit zero-day vulnerabilities. If servers are attacked, security O&M engineers can only handle the issues caused by the attacks; they cannot prevent attackers from intruding into internal networks and launching further attacks. Companies need to proactively defend against attacks, and take measures to defend their services against attackers and protect data.
A honeypot is a system used to attract attackers. The honeypot simulates one or more hosts and services that are vulnerable to attacks and disguises them as business applications. This lures attackers to attack the disguised hosts and services. Honeypots do not provide services for users. Therefore, all connection attempts on honeypots are considered suspicious. Attackers are lured to attack honeypots, which delays the attacks on real targets. This allows you to obtain information about the attackers. You can use the information to improve your defense against attacks. This way, you can protect your business systems.
How cloud honeypot works
Compared with traditional defense methods, honeypots can proactively defend against attacks. However, traditional honeypots are less deceptive and cannot be used in all scenarios. Traditional honeypots also provide a limited number of honeypot types and have high costs. To resolve the issues of traditional defense methods and traditional honeypots, Security Center provides the cloud honeypot feature.
Cloud honeypot provides the following features:
Cloud-native VPC probes
The cloud honeypot feature redirects traffic destined for IP addresses that are unreachable in VPCs to VPC probes. Then, the VPC probes forward traffic to honeypots based on the traffic forwarding rules that are configured for the VPC probes.
Common host probes
The cloud honeypot feature allows you to install a host probe on the host on which your workloads are deployed. The host probe forwards traffic to honeypots. After you install the host probe, resource consumption on the host does not significantly increase, and your applications are not affected. Host probes are secure and stable, and can be installed on common hardware and operating systems.
Various types of honeypots
The cloud honeypot feature supports high- and low-interaction honeypots. Low-interaction honeypots support all ports. High-interaction honeypots provide various types of built-in honeypots that are vulnerable to attacks. The built-in honeypots include web honeypots, database honeypots, system service honeypots, special defect honeypots, and custom honeypots.
The cloud honeypot feature allows you to create a custom honeypot based on Docker to implement high-level business simulation.
You can use both VPC probes and host probes. This allows you to protect a large number of IP addresses at low costs of IP addresses and computing resources. You can deploy various types of built-in honeypots and custom honeypots as a honeypot cluster. The honeypot cluster is highly deceptive.
Security services can themselves introduce stability issues and security risks. To prevent these issues, the cloud honeypot feature is designed to deliver honeypot capabilities while ensuring high stability and high security and consuming a small amount of host resources.
Impacts on performance
Impacts of VPC probes
VPC probes do not consume host resources or network resources.
Impacts of host probes
Host probes forward only unusual traffic on the ports that they occupy and consume a small amount of system resources.
Impacts on stability
Impacts of VPC probes
VPC probes can simulate interaction with scan traffic. If you use asset detection software that initiates scans, false positives may be reported.
Impacts of host probes
Host probes occupy ports on hosts. You must properly allocate host ports for host probes.
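The behaviour described above, turned into defender-side triage logic as an added example (not Security Center code): every connection that lands on a decoy is suspicious because honeypots serve no users, while your own asset-detection scanner is allow-listed to avoid the false positives noted for VPC probes. The decoy inventory, scanner address and flow records are constructed assumptions.

```python
"""Honeypot connection triage (added example, not Security Center code).

DECOY_IPS stands in for the unreachable VPC addresses that a VPC probe
redirects; HOST_DECOY_PORTS for the ports a host probe occupies on a real
host; SCANNER_IPS for your own asset-detection scanner. All values and the
flow records are constructed for this example.
"""
from collections import defaultdict

DECOY_IPS = {"10.0.1.250", "10.0.1.251"}                       # hypothetical
HOST_DECOY_PORTS = {("10.0.1.10", 3306), ("10.0.1.10", 6379)}  # hypothetical
SCANNER_IPS = {"10.0.9.9"}                                      # hypothetical

# Constructed flow records: "<timestamp> <src_ip> <dst_ip> <dst_port>"
FLOW_LOG = """\
2024-05-01T10:00:01 10.0.2.15 10.0.1.250 22
2024-05-01T10:00:03 10.0.2.15 10.0.1.251 445
2024-05-01T10:00:04 10.0.2.15 10.0.1.10 3306
2024-05-01T10:00:09 10.0.9.9 10.0.1.250 22
2024-05-01T10:01:00 10.0.3.7 10.0.1.10 443
2024-05-01T10:01:02 10.0.4.2 10.0.1.10 6379
"""


def probe_for(dst_ip, dst_port):
    """Which probe would see this connection, or None if it hits a real service."""
    if dst_ip in DECOY_IPS:                      # traffic to an unreachable VPC IP
        return "vpc_probe"
    if (dst_ip, dst_port) in HOST_DECOY_PORTS:   # traffic to a decoy port on a real host
        return "host_probe"
    return None


def triage(log_text, scanner_ips=SCANNER_IPS):
    """Group decoy hits by source IP. Hits from allow-listed scanners are kept
    separately so they are visible but do not raise alerts.
    Returns (alerts, suppressed): src_ip -> list of (dst_ip, dst_port, probe)."""
    alerts, suppressed = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        _ts, src, dst, port = line.split()
        probe = probe_for(dst, int(port))
        if probe is None:                        # real service, not honeypot traffic
            continue
        bucket = suppressed if src in scanner_ips else alerts
        bucket[src].append((dst, int(port), probe))
    return dict(alerts), dict(suppressed)


def rank_sources(alerts):
    """Source tracing: order sources by the number of distinct decoys touched,
    so a host sweeping several decoys (lateral movement) ranks first."""
    return sorted(alerts, key=lambda s: len({(d, p) for d, p, _ in alerts[s]}), reverse=True)
```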
Impacts on security
Security assurance of host probes
Host probes are controlled by their management nodes. The management nodes can control only the traffic forwarding rules of host probes. Even if a management node is compromised, attackers cannot use it to control hosts through the host probes that the node manages.
Security assurance of honeypot escape prevention
Each user can create a unique honeypot cluster in which Docker escape detection is provided by default.
Security assurance of networks
Network isolation is implemented. The network of users cannot be attacked over the communication path between honeypots and probes even if a honeypot cluster is compromised.
The cloud honeypot feature is supported in network environments such as Alibaba Cloud, third-party clouds, and data centers.
In Alibaba Cloud, VPC probes that are developed by the Security Center team and the network team can redirect traffic destined for IP addresses that are unreachable in VPCs to honeypots. This achieves low cost and delivers high-coverage honeypot capabilities.
In an environment other than Alibaba Cloud, the cloud honeypot feature allows you to use host probes for traffic redirection. Host probes are secure, consume a small amount of host resources, and redirect unusual traffic to the backend honeypot cluster.
Host probes can be installed only on the servers that are displayed in the Assets module in the Security Center console and are protected by Security Center.
VPC probes can be installed on the VPCs in the following regions:
China (Hong Kong)
US (Silicon Valley)
Feature descriptions in different versions
If you enabled the cloud honeypot feature before April 20, 2022, the cloud honeypot feature that you use is in public preview. The cloud honeypot feature was officially released on April 20, 2022. You can purchase and enable the official version of the feature in the Security Center console.
The public preview for the cloud honeypot feature is scheduled to end soon. If you want to continue using the feature, we recommend that you purchase and enable the official version of the feature.
When the cloud honeypot feature was in public preview, Public Preview was displayed for the feature. If you did not use the cloud honeypot feature during the public preview, you can purchase and enable the official version of the feature.
The following table describes the differences between the versions.
Public preview
Traffic forwarding method: Detection of lateral movement intrusions on a VPC.
Pricing: A free trial is provided during the public preview.
Official version
Traffic forwarding method: The following capabilities are provided in Alibaba Cloud, third-party clouds, and data centers:
Pricing: You are charged for the official version of the feature. For more information about the pricing, see Pricing.
If you use the cloud honeypot feature in public preview, you cannot directly update the feature to the official version. You cannot use the data and capabilities of the public preview and those of the official version at the same time. The data of the public preview is not retained when you purchase the official version. Therefore, you must configure the data and capabilities of the official version again. You can use the official version only after you complete the payment for it.
If you want to use the official version of the cloud honeypot feature, you must delete all honeypots that you created when you used the feature in public preview. After you delete the honeypots, you can click Enable High-interaction Honeypot in the upper-right corner of the Cloud Honeypot page to purchase the official version of the cloud honeypot feature. For more information about how to purchase the official version of the cloud honeypot feature, see Purchase the cloud honeypot feature.
If you want to continue using the capabilities of the cloud honeypot feature in public preview, see Use the cloud honeypot feature (public preview).