All Products
Search

This Product

    Security Center:Overview

    Document Center

    Security Center:Overview

    Last Updated:Jun 09, 2023

    The cloud honeypot feature provides capabilities such as attack discovery and attack source tracing within and outside the cloud. You can create honeypots in virtual private clouds (VPCs) and servers that are protected by Security Center. This protects the servers from attacks that are launched within and outside the cloud and reinforces the security of the servers.

    Background information

    Traditional defense methods are used to defend against attacks. However, the traditional methods have limits when attacks have the following characteristics: diversification, concealment, and complexity. For example, traditional security services based on the libraries of attack rules and attack characteristics can hardly detect APT attacks that are launched by exploiting zero-day vulnerabilities. If servers are attacked, security O&M engineers can only handle the issues caused by the attacks, but the engineers cannot prevent attackers from intruding into internal networks and launching attacks. Companies need to proactively defend against attacks, and take measures to defend their services against attackers and protect data.

    A honeypot is a system used to attract attackers. The honeypot simulates one or more hosts and services that are vulnerable to attacks and disguises them as business applications. This lures attackers to attack the disguised hosts and services. Honeypots do not provide services for users. Therefore, all connection attempts on honeypots are considered suspicious. Attackers are lured to attack honeypots, which delays the attacks on real targets. This allows you to obtain information about the attackers. You can use the information to improve your defense against attacks. This way, you can protect your business systems.

    How cloud honeypot works

    Compared with traditional defense methods, honeypots can proactively defend against attacks. However, traditional honeypots are less deceptive and cannot be used for all scenarios. Traditional honeypots provide a limited number of honeypots types and have high costs. To resolve the issues of traditional defense methods and traditional honeypots, the cloud honeypot feature of Security Center is launched.

    Cloud honeypot provides the following features:

    • Cloud-native VPC probes

      The cloud honeypot feature redirects traffic destined for IP addresses that are unreachable in VPCs to VPC probes. Then, the VPC probes forward traffic to honeypots based on the traffic forwarding rules that are configured for the VPC probes.

    • Common host probes

      The cloud honeypot feature allows you to install a host probe on your host on which your workloads are deployed. The host probe is used to forward traffic. After you install the host probe on your host, resource consumption on the host does not significantly increase, and your applications are not affected. Host probes are secure and stable, which can be installed on common hardware and operating systems.

    • Various types of honeypots

      The cloud honeypot feature supports high- and low-interaction honeypots. Low-interaction honeypots support all ports. High-interaction honeypots provide various types of built-in honeypots that are vulnerable to attacks. The built-in honeypots include web honeypots, database honeypots, system service honeypots, special defect honeypots, and custom honeypots.

    • Custom honeypots

      The cloud honeypot feature allows you to create a custom honeypot based on Docker to implement high-level business simulation.

    You can use both VPC probes and host probes. This allows you to protect a large number of IP addresses at low costs of IP addresses and computing resources. You can deploy various types of built-in honeypots and custom honeypots as a honeypot cluster. The honeypot cluster is highly deceptive.

    Impacts

    Security services can cause stability issues and security risks. To prevent these issues, the cloud honeypot feature is designed to deliver honeypot-related capabilities, ensure high stability and high security, and consume a small number of host resources.

    Impacts on performance

    • Impacts of VPC probes

      VPC probes do not consume host resources or network resources.

    • Impacts of host probes

      Host probes forward only unusual traffic on ports and consume a small number of system resources.

    Impacts on stability

    • Impacts of VPC probes

      VPC probes can simulate interaction with scan traffic. If you use asset detection software that initiates scans, false positives may be reported.

    • Impacts of host probes

      Host probes occupy ports on hosts. You must properly allocate host ports for host probes.

    Impacts on security

    • Security assurance of host probes

      Host probes are controlled by their management nodes. The management nodes can control only the traffic forwarding rules of host probes. Even if management nodes are compromised, attackers cannot use the management nodes to control hosts by using the host probes controlled by the management nodes.

    • Security assurance of honeypot escape prevention

      Each user can create a unique honeypot cluster in which Docker escape detection is provided by default.

    • Security assurance of networks

      Network isolation is implemented. The network of users cannot be attacked over the communication path between honeypots and probes even if a honeypot cluster is compromised.

    Network environments

    The cloud honeypot feature is supported in network environments such as Alibaba Cloud, third-party clouds, and data centers.

    • In Alibaba Cloud, VPC probes that are developed by the Security Center team and the network team can redirect traffic destined for IP addresses that are unreachable in VPCs to honeypots. This achieves low cost and delivers high-coverage honeypot capabilities.

    • In an environment other than Alibaba Cloud, the cloud honeypot feature allows you to use host probes that consume a small number of host resources and are secure for traffic redirection. Host probes can redirect unusual traffic to the backend honeypot cluster.

    Limits

    Host probes

    Host probes can be installed only on the servers that are displayed in the Assets module in the Security Center console and are protected by Security Center.

    VPC probes

    VPC probes can be installed on the VPCs in the following regions:

    • China (Qingdao)

    • China (Beijing)

    • China (Zhangjiakou)

    • China (Hohhot)

    • China (Ulanqab)

    • China (Hangzhou)

    • China (Shanghai)

    • China (Shenzhen)

    • China (Heyuan)

    • China (Guangzhou)

    • China (Chengdu)

    • China (Hong Kong)

    • Japan (Tokyo)

    • Singapore (Singapore)

    • Australia (Sydney)

    • Indonesia (Jakarta)

    • India (Mumbai)

    • US (Virginia)

    • US (Silicon Valley)

    • UK (London)

    • UAE (Dubai)

    • Germany (Frankfurt)

    Feature descriptions in different versions

    If you enabled the cloud honeypot feature before April 20, 2022, the cloud honeypot feature that you use is in public preview. The cloud honeypot feature was officially released on April 20, 2022. You can purchase and enable the official version of the feature in the Security Center console.

    The public preview for the cloud honeypot feature is scheduled to end soon. If you want to continue using the feature, we recommend that you purchase and enable the official version of the feature.

    Note

    When the cloud honeypot feature was in public preview, Public Preview was displayed for the feature. If you did not use the cloud honeypot feature during the public preview, you can purchase and enable the official version of the feature.

    The following table describes the differences between the versions.

    Version

    Scenario

    Honeypot type

    Traffic forwarding method

    Pricing

    Public preview

    Detection of lateral movement intrusions on a VPC.

    Low-interaction honeypots

    VPC probes

    A free trial is provided during the public preview.

    Official version

    The following capabilities are provided in Alibaba Cloud, third-party clouds, and data centers:

    • Detection of lateral movement intrusions on an internal network

    • Collection of threat intelligence over the Internet

    • Attack tracing and defense in attack and defense scenarios

    • Low-interaction honeypots

    • High-interaction honeypots

    • Custom honeypots

    • VPC probes

    • Host probes

    • Baits

    You are charged for the official version of the feature. For more information about the pricing, see Pricing.

    Usage notes

    If you use the cloud honeypot feature in public preview, you cannot directly update the feature to the official version of the feature. You cannot use the data and capabilities of the feature in public preview and the data and capabilities of the official version of the feature at the same time. The data of the feature in public preview is not retained when you purchase the official version of the feature. Therefore, you must configure the data and capabilities of the official version of the feature. You can use the official version of the feature only after you complete the payment for the official version.

    • If you want to use the official version of the cloud honeypot feature,you must delete all honeypots that are created when you used the feature in public preview. After you delete the honeypots, you can click Enable High-interaction Honeypot in the upper-right corner of the Cloud Honeypot page to purchase the official version of the cloud honeypot feature. For more information about how to purchase the official version of the cloud honeypot feature, see Purchase the cloud honeypot feature.

    • If you want to continue using the capabilities of the cloud honeypot feature in public preview, see Use the cloud honeypot feature (public preview).