
Overview of Deception

Once an attacker or a malware program has gained a foothold in a network, the next step is usually east-west scanning to map the network structure and discover which services are exposed. Deception technology detects this activity early: by answering scan requests aimed at offline IP addresses and unopened ports, it lures the attacker into a Decoy, where the in-depth interaction reveals the attacker's intent while the production network stays protected.

Intranet Security Threats and Countermeasures

After a hacker intrudes into a network, the first step is usually to scan IP addresses and service ports to identify targets to attack or infect. The hacker then exploits system or software vulnerabilities, brute-forces credentials, or uses other methods to compromise those targets.

Figure 1 Intranet scanning and attack behavior

Deception technology detects and defends against this behavior by exploiting its characteristics. Figure 2 uses deception against scans of nonexistent IP addresses and unopened ports as an example to show how intranet threats are deceived and handled. For details about the deception function, see DecoySensor Functions.

Figure 2 Deception and disposal of intranet threats
  1. A hacker scans IP addresses and ports. The DecoySensor detects the scanning, answers the scan requests for offline IP addresses and unopened ports, and diverts the suspicious traffic to the Decoy for further inspection.
  2. The hacker interacts in depth with the Decoy. The Decoy records the hacker's application-layer attack methods and reports the logs to the HiSec Insight collector.
  3. HiSec Insight analyzes the reported logs. If it determines that an attack is occurring, it generates an alarm and provides handling suggestions. After the administrator confirms, HiSec Insight delivers the association policy to the SecoManager or Agile Controller.
  4. The SecoManager or Agile Controller delivers the association command to the corresponding firewall or switch, which cuts off the connection from the attack source and protects network services.

This part focuses on steps 1 and 2. Steps 3 and 4 involve the security association feature of the HiSec solution, which is not described here.

Deception Process and Components

The main functions of the deception system are to identify scanning behavior and lure suspicious traffic to the Decoy. The Decoy deeply interacts with the traffic source to further determine whether the behavior constitutes an attack.

The DecoySensor is responsible for scanning detection, network-layer deception, and traffic diversion. The Decoy provides in-depth interaction and behavior analysis. Lures are deployed on real hosts to assist in deception.

Figure 3 shows the deception process of the deception system. Table 1 lists the components of the deception system.

Figure 3 Network-layer deception process
Table 1 Components of the deception system

Component name: DecoySensor

Main functions:

  • Awareness of intranet scanning

    A large number of ARP requests, SYN connections, or DNS requests from a single source IP address is treated as scanning behavior. The DecoySensor records and analyzes this behavior.

  • Deceiving attack behavior

    Once the scanning is confirmed to be a high-risk attack (for example, the scanned IP address is offline, the port is not open, or the domain name does not exist), the DecoySensor immediately constructs a response packet and diverts the subsequent access to the trap through the internal channel, where the Decoy performs further in-depth interactive detection.

  • Network structure detection

    The DecoySensor can proactively detect the status of IP addresses on a subnet.

  • Anti-conflict

    If multiple DecoySensors exist on a subnet, one of them is elected to perform IP address scanning detection, so that the sensors do not conflict with each other.

Deployment mode:

  DecoySensors run on S series switches (for the models that support DecoySensors, see the switch product documentation), hardware firewalls (for the models that support DecoySensors, see the Limitations and Precautions for Deception), and software firewalls. No extra software is required; you only need to configure the DecoySensor by running commands.

  Deployment requirements vary with the scanned object:

  • To detect IP address scanning: The DecoySensor must have a Layer 3 interface IP address on the subnet to be detected.
    • Switch: VLANIF and Super VLAN
    • Firewall: VLANIF, Layer 3 Ethernet interface, Layer 3 Eth-Trunk interface, and subinterface
  • To detect port scanning and DNS scanning: Scan packets and their response packets must pass through the same DecoySensor. If a response packet returns through another path (asymmetric routing), the DecoySensor cannot determine whether the exchange is attack behavior.

Component name: Decoy

Main function:

  Provides SSH, HTTP, SMB, FTP, RDP, MySQL, Redis, Memcache, SQL Server, and MongoDB services for in-depth interaction with hackers, analyzes hacker behavior, and identifies attack tools.

Deployment mode:

  A third-party security device, the MoreSec Decoy.
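The following is an added illustration, not code from the Huawei documentation or from the DecoySensor itself, of the network-layer logic described in steps 1 and 2 of Figure 2 and in the DecoySensor row of Table 1: counting ARP, SYN and DNS requests per source, classifying a probe as high-risk when its target does not exist (offline IP address, unopened port, or unknown domain name), forging the response, and diverting the follow-up traffic to the Decoy. The page does not specify the scanning threshold, the Decoy address, the MAC used in forged ARP replies, or the anti-conflict election rule; the values used here (20 probes, 10.0.0.250, 02:00:00:de:c0:01, lowest sensor ID wins) and the subnet inventory and traffic sample are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed picture of the protected subnet, the kind of inventory that the
# "network structure detection" function builds by probing host status.
ONLINE_HOSTS = {"10.0.0.1", "10.0.0.10", "10.0.0.20"}
OPEN_PORTS = {("10.0.0.10", 22), ("10.0.0.10", 443), ("10.0.0.20", 3389)}
KNOWN_DOMAINS = {"intranet.example.", "git.example."}
DECOY_IP = "10.0.0.250"          # assumed Decoy address (example only)
DECOY_MAC = "02:00:00:de:c0:01"  # assumed MAC advertised in forged ARP replies
SCAN_THRESHOLD = 20              # assumed: probes from one source before it counts as a scanner


@dataclass
class Probe:
    """One request seen by the sensor: an ARP who-has, a TCP SYN or a DNS query."""
    src: str
    kind: str        # "arp", "syn" or "dns"
    target: str      # IP address for arp/syn, query name for dns
    port: int = 0    # destination port for syn


@dataclass
class SensorState:
    probes_by_src: dict = field(default_factory=lambda: defaultdict(int))
    scanners: set = field(default_factory=set)
    forged_replies: list = field(default_factory=list)
    divert_rules: list = field(default_factory=list)


def is_high_risk(p: Probe) -> bool:
    """True when the probe targets something that does not exist on the subnet."""
    if p.kind == "arp":
        return p.target not in ONLINE_HOSTS
    if p.kind == "syn":
        return (p.target, p.port) not in OPEN_PORTS
    if p.kind == "dns":
        return p.target not in KNOWN_DOMAINS
    raise ValueError(f"unknown probe kind {p.kind!r}")


def forge_reply(p: Probe) -> dict:
    """Build the response the sensor sends on behalf of the nonexistent target."""
    if p.kind == "arp":
        return {"type": "arp-reply", "ip": p.target, "mac": DECOY_MAC}
    if p.kind == "syn":
        return {"type": "syn-ack", "from": p.target, "port": p.port}
    return {"type": "dns-a", "name": p.target, "a": DECOY_IP}


def process_probe(state: SensorState, p: Probe) -> str:
    """Handle one probe; returns "forward", "observed" or "deceived"."""
    state.probes_by_src[p.src] += 1
    if state.probes_by_src[p.src] >= SCAN_THRESHOLD:
        state.scanners.add(p.src)
    if not is_high_risk(p):
        return "forward"          # the real host answers; nothing to deceive
    if p.src not in state.scanners:
        return "observed"         # recorded, but the source is not yet confirmed as scanning
    state.forged_replies.append(forge_reply(p))
    # Follow-up traffic for this flow is steered to the Decoy over the internal channel.
    state.divert_rules.append({"src": p.src, "dst": p.target, "port": p.port, "to": DECOY_IP})
    return "deceived"


def run(probes) -> tuple:
    """Feed a sequence of probes through one sensor; returns (state, per-probe actions)."""
    state = SensorState()
    actions = [process_probe(state, p) for p in probes]
    return state, actions


def elect_detector(sensor_ids) -> str:
    """Anti-conflict: one sensor per subnet probes IP status; lowest ID wins (assumed rule)."""
    return min(sensor_ids)


# Constructed traffic: one host sweeps the subnet with ARP, then probes a closed
# port and an unknown name; a normal client opens a single legitimate HTTPS connection.
SAMPLE_PROBES = (
    [Probe("10.0.0.66", "arp", f"10.0.0.{n}") for n in range(2, 32)]
    + [Probe("10.0.0.66", "syn", "10.0.0.10", 23),
       Probe("10.0.0.66", "dns", "backup.example."),
       Probe("10.0.0.1", "syn", "10.0.0.10", 443)]
)

if __name__ == "__main__":
    state, actions = run(SAMPLE_PROBES)
    print("scanners:", sorted(state.scanners))
    print("actions:", {a: actions.count(a) for a in set(actions)})
    for rule in state.divert_rules[-2:]:
        print("divert", rule)
```

In the sample run, the sweeping host is classified as a scanner on its 20th probe; its earlier requests for offline addresses are only recorded, its later ones are answered with forged replies, and the closed-port SYN and the unknown DNS name each produce a diversion rule pointing at the Decoy, while the legitimate HTTPS connection is forwarded untouched. The same single-sensor view is why port and DNS scanning detection requires both directions of a flow to pass through one DecoySensor: the decision to forge a reply is made per probe, and a response arriving on another path would never reach this code.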

Copyright © Huawei Technologies Co., Ltd.