The cloud honeypot feature detects attacks and traces attack sources both inside and outside your cloud environment. You can deploy honeypots in virtual private clouds (VPCs) and on servers protected by Security Center to intercept attackers before they reach your real assets.
How it works
Cloud honeypot deploys decoy systems that mimic real business assets but serve no production purpose. Attackers are drawn to these decoys, which provides time to observe attacker behavior, collect intelligence, and strengthen your actual defenses. Because honeypots serve no legitimate business function, any connection attempt is treated as suspicious and triggers an alert.
Cloud honeypot uses two types of probes to redirect traffic to honeypots:
VPC probes — Traffic destined for unreachable IP addresses in your VPCs is automatically redirected to honeypots. VPC probes consume no host or network resources.
Host probes — Install a probe on a host where your workloads run. The probe forwards only unusual port traffic to the honeypot cluster, with minimal impact on the host and no effect on your applications.
Use VPC probes and host probes together to protect a large number of IP addresses at low cost.
Key concepts
| Concept | Description |
| VPC probe | A cloud-native component that redirects traffic destined for unreachable VPC IP addresses to honeypots. Consumes no host or network resources. |
| Host probe | A lightweight agent installed on a production host. Forwards unusual traffic to the honeypot cluster with minimal resource usage and no effect on application performance. Supports most common hardware and operating systems. |
| Low-interaction honeypot | A simulated service that listens on all ports and logs connection attempts. Lower fidelity but fast to deploy and scalable. Choose this type for broad coverage at low cost. |
| High-interaction honeypot | A full emulation of a vulnerable host or service. Covers web applications, databases, system services, special defects, and custom service types. Higher fidelity, providing richer attacker behavior data. Choose this type when you need detailed intelligence on attacker techniques. |
| Honeypot cluster | A group of built-in and custom honeypots deployed together. Increases deception coverage and makes it harder for attackers to distinguish honeypots from real assets. |
| Custom honeypot | A container-based honeypot you build to simulate your specific business environment. Supports high-fidelity business simulation. |
| Docker escape detection | Built into every honeypot cluster by default. Detects attempts by attackers to break out of the container environment. |
| Management node | Controls the traffic forwarding rules of host probes. Even if a management node is compromised, attackers cannot use it to control the underlying host through the probe. |
Supported environments
| Environment | Probe type | Notes |
| Alibaba Cloud | VPC probes | No agents required. Covers unreachable VPC IP addresses with no host resource cost. |
| Third-party clouds | Host probes | Requires agent installation on each host. Supports most common hardware and operating systems. |
| Data centers | Host probes | Requires agent installation on each host. Supports most common hardware and operating systems. |
Usage notes
Performance and stability
| Component | Performance impact | Stability impact |
| VPC probe | No host or network resource consumption. | Simulates interaction with scan traffic. Asset detection software that initiates scans may report false positives. |
| Host probe | Forwards only unusual port traffic. Minimal system resource usage. | Occupies ports on the host. Allocate host ports carefully before deployment to avoid conflicts with your production workloads. |
Security
Network isolation is enforced between honeypots and probes. Even if the honeypot cluster is compromised, attackers cannot reach your production network through the honeypot-to-probe communication path.
Each user gets a dedicated honeypot cluster with Docker escape detection enabled by default.
Limitations
Host probes
Host probes can only be installed on servers that appear in the Assets module of the Security Center console and are protected by Security Center.
VPC probes
VPC probes are supported in the following regions:
China: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong)
Outside China: Japan (Tokyo), Singapore, Indonesia (Jakarta), US (Virginia), US (Silicon Valley), UK (London), UAE (Dubai), Germany (Frankfurt)