
deception decoy-network

Function

The deception decoy-network command sets a decoy network segment.

The undo deception decoy-network command deletes a decoy network segment.

Format

deception decoy-network [ id id-number ] destination ip-address [ mask ] [ destination-port port &<1-20> ] [ vpn-instance vpn-instance-name ]

undo deception decoy-network { all | id id-number }

Parameters

id id-number
  Description: Specifies the ID of a decoy network segment.
  Value: The value is an integer ranging from 1 to 50.

destination ip-address
  Description: Specifies the IP address of the decoy network segment.
  Value: The value is in dotted decimal notation.

mask
  Description: Specifies the mask of the decoy network segment.
  Value: The value is in dotted decimal notation.

destination-port port
  Description: Specifies the destination port of the decoy network segment.
  Value: The value is an integer ranging from 1 to 65535.

vpn-instance vpn-instance-name
  Description: Specifies the VPN instance of the IP address.
  Value: The VPN instance must be an existing one on the device. The deception view of virtual systems does not support this parameter.

all
  Description: Indicates all decoy network segments.
  Value: -

Views

Deception view

Default Level

2: Configuration level

Usage Guidelines

By default, there is no decoy network segment.

After a decoy network segment is set, the DecoySensor does not check whether the IP addresses in this network segment are online. As soon as ARP scanning or TCP port scanning targets any IP address in this network segment, the DecoySensor immediately diverts the traffic to the decoy for further detection.

If destination-port port is specified together with an IP address, either ARP scanning on the address or TCP scanning on one of the specified ports triggers deception.

Network administrators can configure unused IP addresses as decoy network segments. Once attackers scan these IP addresses, their traffic is lured to the decoy.

The deception whitelist takes precedence over decoy network segments:
  • If an IP address is in both the deception destination IP address whitelist and a decoy network segment, the DecoySensor ignores ARP scanning and TCP port scanning on that IP address and does not divert the traffic destined for it.
  • If scanning is initiated by a whitelisted address and the scanned IP address is in a decoy network segment, the DecoySensor does not divert the traffic.

Before deleting a decoy network segment, you can run the display deception decoy-network command or run the display this command in the deception view to view the ID of the decoy network segment.

A decoy network segment should not contain device management addresses or 0.0.0.0 (indicating the entire network). Otherwise, the devices cannot be remotely managed.
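The matching and precedence rules above, together with the value ranges and the management-address caveat, modelled as an added Python example. This is not Huawei code and does not reproduce the DecoySensor's implementation, which is not on this page: the function names, the scan-event arguments, the separate source and destination whitelists, the constructed 192.0.2.10 management address and the assumption that an omitted mask means a single host (as in the 1.1.1.1 example below) are all this example's own.

```python
"""Model of the decoy-network rules from the usage guidelines.
Added illustration, not Huawei code: function names, the scan-event
arguments and the single-host default for an omitted mask are assumptions."""
import ipaddress
from dataclasses import dataclass

# Constructed sample management address that must never fall inside a decoy segment.
SAMPLE_MGMT_ADDRESSES = {ipaddress.ip_address("192.0.2.10")}


@dataclass(frozen=True)
class DecoyNetwork:
    id_number: int
    network: ipaddress.IPv4Network
    ports: frozenset  # empty: no destination-port was given, so any TCP port triggers


def make_decoy_network(id_number, ip_address, mask=None, ports=(),
                       mgmt_addresses=SAMPLE_MGMT_ADDRESSES):
    """Apply the value ranges and the management-address caveat from the reference."""
    if not 1 <= id_number <= 50:
        raise ValueError("id must be an integer from 1 to 50")
    ports = frozenset(ports)
    if len(ports) > 20 or any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("destination-port takes 1 to 20 values, each 1 to 65535")
    # Assumption: no mask means the single host, as in the page's 1.1.1.1 example.
    net = ipaddress.IPv4Network((ip_address, mask or "255.255.255.255"), strict=False)
    if net.network_address == ipaddress.ip_address("0.0.0.0"):
        raise ValueError("0.0.0.0 would turn the entire network into a decoy segment")
    if any(addr in net for addr in mgmt_addresses):
        raise ValueError("segment contains a device management address")
    return DecoyNetwork(id_number, net, ports)


def should_deceive(decoys, dst_whitelist, src_whitelist, src, dst, kind, port=None):
    """Return True if a scan event (kind 'arp' or 'tcp') is diverted to the decoy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # The whitelists take precedence over decoy segments, in either direction.
    if dst_ip in {ipaddress.ip_address(a) for a in dst_whitelist}:
        return False
    if src_ip in {ipaddress.ip_address(a) for a in src_whitelist}:
        return False
    for decoy in decoys:
        if dst_ip not in decoy.network:
            continue
        if kind == "arp":  # ARP scan on any address in the segment triggers
            return True
        if kind == "tcp" and (not decoy.ports or port in decoy.ports):
            return True  # TCP scan: any port, or one of the configured ports
    return False


if __name__ == "__main__":
    decoys = [make_decoy_network(1, "1.1.1.1"),
              make_decoy_network(2, "10.9.0.0", "255.255.0.0", ports=(22, 3389))]
    # Constructed scan: TCP on a port that is not configured, so no diversion.
    print(should_deceive(decoys, set(), set(), "10.9.7.7", "10.9.5.5", "tcp", 80))
```

The second decoy shows the destination-port behaviour: an ARP probe anywhere in 10.9.0.0/16 or a TCP probe to port 22 or 3389 is diverted, while a TCP probe to port 80 on the same address is not. Whitelisting either the scanned address or the scanner's address short-circuits everything else, matching the precedence rule above.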

Example

# Configure 1.1.1.1 as a decoy network segment.

<FW> system-view
[FW] deception
[FW-deception] deception decoy-network id 1 destination 1.1.1.1
Copyright © Huawei Technologies Co., Ltd.