A honeypot is a sacrificial target: a decoy that lures attackers away from critical systems and reveals what they would do after gaining access. To work, the honeypot must be convincing enough to pass as a real backend resource (such as an application or server). Honeypots are generally built to emulate high-value targets, such as databases containing personally identifiable information (PII), protected health information (PHI), or financial data.
Meanwhile, a honeynet is a related mechanism consisting of multiple honeypots, effectively creating a dummy network of expendable resources.
These approaches help protect (or obscure) your real backend while wasting an attacker's time and resources, buying time for teams to neutralize the threat and prevent deeper intrusion. Honeypots also give organizations an opportunity to gather information on an attacker's capabilities, tools, and origin. Honeynets are theoretically "better" for this, since their larger footprint gives attackers more to explore and keeps them engaged longer. Honeypots and honeynets therefore help companies monitor trending threats and act more proactively.
Finally, honeypots arm security teams with data needed to help harden systems. This influences updating, patching, and remediation procedures.
How do honeypots work?
Honeypotting typically involves an intermediary such as a load balancer, which receives incoming requests and evaluates their legitimacy. Instead of blocking suspicious clients outright, the system directs them to the honeypot. The client isn't aware of this stealthy redirection (sometimes called "shadow banning"). Factors such as request-rate scoring, rule weighting, and client reputation determine where the load balancer sends a given client.
Not all honeypots are created equally. Here are some examples of honeypots and their advantages:
Network honeynets – Mentioned earlier, these impersonate a wider network by including numerous honeypots together. These keep attackers engaged longer and are more complex.
Malware honeypots – These draw in malware and the attackers who deploy it by posing as vulnerable apps, services, or APIs. Capturing a sample and observing how a given malware program behaves lets teams counteract it more easily.
Database honeypots – These impersonate important databases that contain sensitive information. Fake databases are good for spotting common attacks such as SQL injection, and for testing how RBAC rules hold up against an attacker probing for over-privileged access.
Crawler honeypots – These attract crawlers and similar bots by luring them with fake web pages and links that human visitors would never follow, so any client that requests them is very likely automated.
Plus, not all honeypots are designed for heavy amounts of interaction. Some honeypots are "low-interaction" (they emulate only a service's surface, such as a login banner or a canned response) while others are "high-interaction" (a full system the attacker can actually operate), the latter group requiring far more effort to design, isolate, and monitor. An organization's goals and the cost-benefit ratio of a given honeypot solution will determine how they're built.
Does HAProxy support honeypots?
Yes and no. Customers can use HAProxy Enterprise and the HAProxy Enterprise Bot Management Module to identify clients that HAProxy should direct to an existing honeypot. For simpler honeypots, you can use http-request return statements, though external setup is required for more convincing replicas. While no native honeypot feature is baked into the module, it's still possible to emulate honeypotting for app teams who've implemented supporting infrastructure.
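The following configuration is an added example, not from the original page or from HAProxy's own documentation. It shows the two approaches described above: scoring clients with a stick table and silently routing the suspicious ones to a separate decoy backend, and answering obvious probe paths with an inline http-request return "honeypot" that needs no backend at all. The backend names, addresses, thresholds, and probe paths are assumptions chosen for illustration.

```haproxy
# Added example: HAProxy honeypot routing. Not the page's or HAProxy's own code.
# Assumed: real app pool "app_servers" and an isolated decoy host at
# 10.0.99.10:8080 (hypothetical addresses; put the decoy on its own segment).

frontend www
    bind :80
    mode http

    # Track each client IP for 10 minutes; request rate and error rate feed
    # a rough suspicion score. Note: per-IP scoring is coarse behind NAT/CDNs.
    stick-table type ip size 100k expire 10m store http_req_rate(10s),http_err_rate(10s)
    http-request track-sc0 src

    # Signals that mark a client as suspicious (tune thresholds for your traffic)
    acl scanner_ua hdr_sub(User-Agent) -i sqlmap nikto masscan
    acl high_rate  sc_http_req_rate(0) gt 50
    acl err_rate   sc_http_err_rate(0) gt 10
    acl probe_path path_beg -i /phpmyadmin /.env /wp-login.php

    # Remember why a client was diverted so the decoy backend can log it
    http-request set-var(txn.decoy_reason) str(scanner_ua) if scanner_ua
    http-request set-var(txn.decoy_reason) str(high_rate)  if high_rate !scanner_ua
    http-request set-var(txn.decoy_reason) str(err_rate)   if err_rate !high_rate !scanner_ua

    # Minimal low-interaction honeypot: serve a fake admin login inline.
    # The form posts back to the same path, so credential stuffing shows up in the logs.
    http-request return status 200 content-type text/html string "<html><body><h1>Admin login</h1><form method=post><input name=user><input name=pass type=password><input type=submit></form></body></html>" if probe_path

    # Divert clearly hostile clients to the decoy; they still get a normal-looking answer
    use_backend honeypot if scanner_ua || high_rate || err_rate
    default_backend app_servers

backend honeypot
    mode http
    option forwardfor
    # Tell the decoy why the client landed here; it should never be reachable from app_servers
    http-request set-header X-Decoy-Reason %[var(txn.decoy_reason)]
    server decoy 10.0.99.10:8080

backend app_servers
    mode http
    server web1 10.0.1.10:80 check
    server web2 10.0.1.11:80 check
```

Two practical caveats: a User-Agent match is trivially spoofed, so use it only as one signal among several, and an over-aggressive rate threshold quietly sends legitimate users to the decoy, which is worse than a visible block because nobody reports it. Keep the decoy host network-isolated from the real backends so that a compromised decoy cannot be used as a pivot, and log the X-Decoy-Reason header on the decoy side so the intelligence the page describes (tools, origin, behaviour) is actually captured.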
With just a few lines of code, you can configure HAProxy to block and redirect suspicious traffic in a number of ways. To learn more about honeypotting in HAProxy, check out our guide on Bot Protection with HAProxy.