Dynamic Port Honeypot Overview
What is Dynamic Port Honeypot?
Dynamic port honeypots are a proactive defense: real ports on your servers are used as honeypots to lure attackers. In the defense against lateral movement, this function can detect attackers' scans, identify compromised servers, and protect your real resources.
You can enable the dynamic port honeypot using recommended ports or user-defined ports to deceive compromised servers and reduce the risk of resource intrusion.
What Is a Honeypot Port?
A honeypot port is a real port on your server, open but not bound to your workloads. Such ports are connected to the honeypot system to record attack behaviors, tools, accessed paths, and intentions, providing data for security analysis. They serve as an important means of luring attackers and collecting intelligence for proactive defense.
Note that honeypot ports are only bound to specific servers, and the scope of protection and luring is limited to the intranet of those servers.
Principles of Dynamic Port Honeypot Protection
Figure 1 shows the principles of dynamic port honeypot protection. The process is as follows:
- Create a protection policy.
Select a server (for example, server A) to be protected and set a honeypot port for the server. The port should look like a common service port but not be bound to your workloads. The HSS cloud protection center will send protection policies to the agent on server A to initialize the protection.
- Listen to the honeypot port.
The agent on server A starts listening on the honeypot port in real time based on the policies. It checks for external connection requests on the honeypot port and identifies attacker scans or connections. This does not affect your real service ports.
- Detect connections to the honeypot port.
If an attacker intrudes into a server over the intranet, scans the network, and attempts to connect to the honeypot port of server A, the connection attempt triggers the agent's listener on server A. HSS records and rejects the connection request so that the honeypot port cannot be exploited.
- Report protection events.
The agent on server A rejects the connection request and reports it to the HSS cloud protection center in real time, generating an alarm.
- Handle alarms.
The HSS cloud protection center displays the alarm event in the protection event list. You can check for compromised servers on the intranet based on the honeypot port protection events and other events, and take targeted measures to block intrusions.
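The listen, reject, and report steps above, as an added example that is not part of this page or the HSS agent: a small Python listener (hypothetical class `HoneypotPort`) binds an unused port, drops every connection without exchanging data, and queues an alarm record unless the source address is on the configured IP whitelist. The default bind address `127.0.0.1` and the whitelist ranges are assumptions for an offline demonstration.

```python
import queue
import socket
import threading
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


class HoneypotPort:
    """Listen on a real but unused port, reject every connection and record it."""

    def __init__(self, server_name, host="127.0.0.1", port=0, whitelist=()):
        self.server_name, self.host, self.port = server_name, host, port
        self.whitelist = [ip_network(w) for w in whitelist]  # trusted sources, e.g. scanners
        self.events = queue.Queue()  # stands in for reports sent to the protection center
        self._sock = self._thread = None

    def record(self, src_ip, src_port):
        if any(ip_address(src_ip) in net for net in self.whitelist):
            return None  # whitelisted source: no alarm
        event = {"type": "honeypot_port_connection", "server": self.server_name,
                 "honeypot_port": self.port, "source_ip": src_ip, "source_port": src_port,
                 "action": "rejected", "time": datetime.now(timezone.utc).isoformat()}
        self.events.put(event)
        return event

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((self.host, self.port))
        self.port = self._sock.getsockname()[1]  # port 0 lets the OS pick a free port
        self._sock.listen(16)
        self._thread = threading.Thread(target=self._loop, daemon=True)
        self._thread.start()
        return self.port

    def _loop(self):
        while True:
            try:
                conn, (src_ip, src_port) = self._sock.accept()
            except OSError:
                return  # listening socket was shut down by stop()
            conn.close()  # reject: no banner, no data exchanged with the peer
            self.record(src_ip, src_port)

    def stop(self):
        try:
            self._sock.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        self._sock.close()
        self._thread.join(timeout=2)
```

In a real deployment the listener binds the server's intranet address and the queued records are forwarded to the protection center; here they stay in memory for inspection.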
Application Scenarios of Dynamic Port Honeypot
Unlike traditional security technologies that focus on defense, dynamic port honeypot proactively lures attackers in the intranet. It not only detects compromised servers in a timely manner, but also deceives and delays attackers.
How Do I Use Dynamic Port Honeypot?
| No. | Operation | Description |
|---|---|---|
| 1 | | Configure the honeypot port, the source IP address whitelist, and associated servers. (Only servers not bound to any EIPs are supported.) |
| 2 | | The dynamic port honeypot function reports an alarm when a potentially compromised server proactively connects to a honeypot port. You can handle the alarm as needed. |
Constraints
- Dynamic port honeypots apply only to servers that are not bound to EIPs.
- Dynamic port honeypots are available only in HSS premium, web tamper protection, and container editions. For details about how to purchase and upgrade HSS, see Purchasing an HSS Quota and Upgrading a Protection Quota.
- To use dynamic port honeypots, ensure that the agent version installed on the server meets the following requirements. For more information, see Upgrading the Agent.
  - Linux: 3.2.10 or later.
  - Windows: 4.0.22 or later.