This section describes how a DecoySensor detects threats and deceives hackers, and how to configure a DecoySensor.
| Function | Threat Scenario | Countermeasure and Principle | Deployment Requirement | Related Configuration |
|---|---|---|---|---|
| Static deception | Hackers scan IP addresses and port numbers of intranet service hosts. | Set bait network segments and ports. Traffic generated by scanning of, or any other access to, IP addresses in a bait network segment is diverted to a Decoy. | When IP address scanning traffic needs to be deceived, the DecoySensor must have a Layer 3 interface in the bait network segment. When traffic generated by other types of access needs to be deceived, that access traffic must pass through the DecoySensor. | Set bait network segments and ports:<br>`deception decoy-network [ id id-number ] destination ip-address [ mask ] [ destination-port port &<1-20> ] [ vpn-instance vpn-instance-name ]`<br>Enable the deception function:<br>`deception enable` |
| Deception against attacks targeting nonexistent IP addresses | Hackers send a large number of ARP packets to check the online status of service hosts on a network segment. | When a DecoySensor receives a large number of ARP requests from the same source address and the request rate exceeds the threshold, it determines that this is scanning behavior and records a log. If the DecoySensor detects that the requested destination address is not online, it sends an ARP request to the attacker as this address, so that subsequent probe and attack traffic is diverted to a Decoy. A DecoySensor also sends ARP requests itself to detect the online status of IP addresses on the network segment. | The DecoySensor must have a Layer 3 interface in the bait network segment. | Configure detected network segments:<br>`deception detect-network [ id id-number ] ip-address mask [ vpn-instance vpn-instance-name ]`<br>Set the IP address scanning rate threshold (default: 10 times every 10 seconds), or configure strict mode, which skips the rate check and deceives the traffic immediately when a scanned IP address does not exist:<br>`deception arp-request rate rate-number`<br>`deception mode strict`<br>Configure the rate of IP address scanning initiated by the DecoySensor (default: 30 times per second):<br>`deception ip-state detect rate rate-number`<br>Enable the deception function:<br>`deception enable` |
| Deception against attacks targeting unopened ports | Hackers send a large number of SYN packets and ping packets to detect services and networks. | When a DecoySensor receives a large number of SYN packets from the same source address and the packet rate exceeds the threshold, it determines that this is scanning behavior and records a log. If the DecoySensor then receives a response packet (RST-ACK or ICMP) from a service host in the detected network segment indicating that the port is not open, it intercepts the response, constructs a SYN packet, and sends it to the Decoy. The Decoy then responds to the hacker and performs in-depth interactive detection. Caveat: a busy service host may answer even normal TCP access with an RST-ACK packet, which would make the DecoySensor incorrectly treat the port as closed and deceive normal traffic. To prevent this, the DecoySensor records the port openness status based on the SYN-ACK packets returned by the service host and keeps each record for 24 hours, until it ages out or is refreshed by a new SYN-ACK packet. While such a record exists, the DecoySensor does not deceive the traffic even if it receives an RST-ACK packet from that port. | The access traffic and response packets must pass through the DecoySensor. If the DecoySensor is not the gateway or is not deployed in in-path mode on the access path, the detected traffic must be diverted to the DecoySensor. | Configure detected network segments:<br>`deception detect-network [ id id-number ] ip-address mask [ vpn-instance vpn-instance-name ]`<br>Set the port scanning rate threshold (default: 100 times every 10 seconds), or configure strict mode, which skips the rate check and deceives the traffic immediately when a scanned port is not open:<br>`deception syn-connect rate rate-number`<br>`deception mode strict`<br>Enable the deception function:<br>`deception enable` |
| Route-Miss deception | | When a DecoySensor receives a large number of packets from the same source address and the packet rate exceeds the threshold, it determines that this is scanning behavior and records a log. If, when forwarding these packets, the DecoySensor finds that their next hop does not exist in the routing table, it constructs response packets and sends them to the Decoy. The Decoy then sends the responses and performs further in-depth interactive detection. | The access traffic must pass through the DecoySensor. | Enable the Route-Miss deception function:<br>`deception fib-miss enable`<br>Other configurations are the same as those for deception against attacks targeting unopened ports. |
| ARP-Miss deception | | When a DecoySensor receives a large number of packets from the same source address and the packet rate exceeds the threshold, it determines that this is scanning behavior and records a log. If, when forwarding these packets, the DecoySensor finds that their destination address lies within the network segment of a DecoySensor interface, it looks up the MAC address of the destination service host. If that MAC address does not exist in the ARP table, that is, the destination IP address is not online, the DecoySensor constructs response packets and sends them to the Decoy. The Decoy then sends the responses and performs further in-depth interactive detection. | The access traffic must pass through the DecoySensor. | Enable the ARP-Miss deception function:<br>`deception arp-miss enable`<br>Other configurations are the same as those for deception against attacks targeting unopened ports. |
| Security-policy-deny deception (that is, deception based on packet discarding by security policies) | | When a DecoySensor receives a large number of packets from the same source address and the packet rate exceeds the threshold, it determines that this is scanning behavior and records a log. If, when forwarding these packets, the DecoySensor finds that they are blocked by security policies, it constructs response packets and sends them to the Decoy. The Decoy then sends the responses and performs further in-depth interactive detection. | The access traffic must pass through the DecoySensor. | Enable the security-policy-deny deception function:<br>`deception security-policy-deny enable`<br>Other configurations are the same as those for deception against attacks targeting unopened ports. |
| Deception against unknown domain name attacks | Hackers send a large number of DNS requests to detect IP addresses of service hosts. | When a DecoySensor receives a large number of DNS request packets from the same source address and the packet rate exceeds the threshold, it determines that this is scanning behavior and records a log. If the DecoySensor then receives a response from the DNS server indicating that the domain name does not exist, it automatically constructs a DNS response packet. The IP address in this DNS reply is taken from the bait network segment and lies in the same network segment as the source address of the DNS request. Subsequent probe and attack traffic is diverted to a Decoy. | The DNS request and reply packets must pass through the DecoySensor. | Set the domain name scanning threshold (default: 5 times per second), or configure strict mode, which skips the rate check and deceives the traffic immediately when a scanned domain name does not exist:<br>`deception dns-request rate rate-number`<br>`deception mode strict`<br>Configure the bait network segment:<br>`deception decoy-network [ id id-number ] destination ip-address [ mask ] [ vpn-instance vpn-instance-name ]`<br>Enable deception against unknown domain name attacks:<br>`deception dns enable`<br>Enable the deception function:<br>`deception enable` |
| ACI deception | Hackers have already learned the IP addresses and port numbers of service hosts and use the actual IP addresses and port numbers to initiate SYN connections. | ACI is an isolation scheme that controls intranet communication through DNS access. After this function is enabled, a source or destination address in the detected network segment must be accessed through its domain name; traffic that accesses an IP address directly, or accesses a nonexistent IP address, is deceived to the Decoy. The DecoySensor parses DNS response packets and records mappings between the source address of each DNS request and the IP addresses returned for the queried domain names (the ACI table). Subsequent TCP SYN packets and ICMP ping packets are matched against the ACI table, and traffic that fails to match is deceived to the Decoy for in-depth interactive detection. The ACI suffix (default: aci) functions as an intranet access key. For example, if the IP address of a server in the detected network segment is 192.168.1.1 and the default suffix is used, the server must be accessed as 192.168.1.1.aci; accessing the IP address directly, or with an incorrect ACI suffix, is deceived to the Decoy for in-depth interactive detection. | The DNS request and reply packets must pass through the DecoySensor. The service access traffic must also pass through the DecoySensor. | Set the ACI suffix (default: aci):<br>`deception aci suffix suffix-value`<br>Set the aging time of ACI entries (default: 60s):<br>`deception aci timeout timeout-value`<br>Configure the policy applied when the ACI table is full (default: permit):<br>`[ undo ] deception aci lack decoy`<br>Enable the ACI deception function:<br>`deception aci detect-network { id id-number \| all } enable`<br>Enable the deception function:<br>`deception enable` |
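As an added illustration (not Huawei's code or the DecoySensor implementation), the following Python model reproduces two of the decision rules described in the table: the unopened-port rule with its per-source SYN rate threshold, strict mode and 24-hour SYN-ACK record, and the ACI rule that forwards a SYN or ping into a detected segment only when its (source, destination) pair was learned from a DNS reply within the aging time. Threshold defaults follow the table; the class and method names and the sample addresses are assumptions.

```python
"""Constructed model of two DecoySensor decisions: (1) RST-ACK deception for
unopened ports, gated by a SYN-rate threshold (or strict mode) and a 24-hour
record of ports seen answering SYN-ACK; (2) ACI matching of SYN/ping packets
against (source, IP) pairs learned from DNS replies. Hypothetical code."""
from collections import defaultdict, deque

PORT_RECORD_TTL = 24 * 3600   # table: port-open records are kept for 24 hours
ACI_TIMEOUT = 60              # table: default ACI entry aging time is 60 s


class DecoySensorModel:
    def __init__(self, syn_rate=100, window=10, strict=False):
        # table defaults: 100 SYNs per 10 s; strict mode skips the rate check
        self.syn_rate, self.window, self.strict = syn_rate, window, strict
        self.syns = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.scanners = set()            # sources flagged (and logged) as scanning
        self.open_ports = {}             # (dst, port) -> time of last SYN-ACK
        self.aci = {}                    # (src, resolved ip) -> time learned

    def on_syn(self, src, now):
        """Count SYNs per source in a sliding window; flag sources over rate."""
        q = self.syns[src]
        q.append(now)
        while now - q[0] >= self.window:
            q.popleft()
        if len(q) > self.syn_rate:
            self.scanners.add(src)       # the device would also write a log here
        return src in self.scanners

    def on_syn_ack(self, dst, port, now):
        """A real SYN-ACK proves the port is open; remember it for 24 h."""
        self.open_ports[(dst, port)] = now

    def on_rst_ack(self, src, dst, port, now):
        """Host answered RST-ACK: deceive only a flagged source (or in strict
        mode) and only when no fresh SYN-ACK record says the port is open."""
        if not (self.strict or src in self.scanners):
            return "forward"
        seen = self.open_ports.get((dst, port))
        if seen is not None and now - seen < PORT_RECORD_TTL:
            return "forward"             # busy host, not a closed port
        return "deceive"                 # sensor builds a SYN toward the Decoy

    def on_dns_reply(self, src, resolved_ip, now):
        """Learn an ACI entry from a DNS answer seen for this requester."""
        self.aci[(src, resolved_ip)] = now

    def aci_check(self, src, dst, now):
        """TCP SYN or ping into a detected segment must match a live entry."""
        learned = self.aci.get((src, dst))
        if learned is not None and now - learned < ACI_TIMEOUT:
            return "forward"
        return "deceive"                 # direct IP access or aged-out entry
```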