Skip to main content

Defensive Deception with Kong and Beelzebub LLM Honeypot

In today’s increasingly sophisticated cyber threat landscape, organizations need to move beyond traditional defensive measures. While firewalls, intrusion detection systems, and vulnerability scanning remain essential, they are fundamentally reactive technologies. For organizations already running Kong API Gateway, implementing advanced defensive capabilities just got easier, in just a few clicks, you can configure Beelzebub, an LLM-powered honeypot, to create a proactive deception layer without any complex infrastructure changes. This article explores this innovative approach that transforms your existing Kong infrastructure into a powerful threat intelligence platform for modern cloud-native environments.

The Concept of Defensive Deception

Defensive deception involves deliberately creating false environments to lure attackers away from legitimate systems, observe their techniques, and gather intelligence on their methods. This approach offers several advantages:

  1. Early detection: Identify malicious actors before they reach critical systems
  2. Threat intelligence: Gather valuable information about attack vectors and techniques
  3. Attacker distraction: Consume attackers’ time and resources on non-critical systems
  4. Low operational impact: Implement alongside production systems without disruption

Introducing Beelzebub: An LLM Honeypot

Beelzebub is an innovative honeypot designed specifically for modern cloud-native environments. Unlike traditional honeypots that often present static, easily detectable environments, Beelzebub leverages the power of Large Language Models (LLMs) to generate dynamic, realistic responses that appear authentic to potential attackers.

Key features of Beelzebub include:

  • Dynamic response generation using LLMs
  • Easy to configure, low code approach using yaml
  • Comprehensive logging of attacker interactions
  • Low resource requirements and easy deployment in containerized environments, just 8mb.
  • Real-time alerting capabilities

Kong API Gateway: The Perfect Integration Point

Kong API Gateway serves as the central routing mechanism for API traffic in many modern architectures. This makes it an ideal integration point for implementing defensive deception:

  1. Centralized control: All API traffic passes through Kong, providing a single point of implementation
  2. Fine-grained routing: Route only specific patterns to the honeypot while legitimate traffic continues normally
  3. Low latency: Minimal performance impact on production traffic
  4. Scalability: Works in high-traffic environments without degradation

Implementation Strategy: Cloud-Native API Deception

The core strategy involves creating non-existent API endpoints that would be attractive to attackers but have no legitimate business purpose. For example, exposing endpoints like:

  • /internal/config/
  • /api/system/diagnostics/
  • /management/tokens/

These endpoints are configured in Kong to route traffic to Beelzebub rather than to any real service. This implementation creates a deceptive API surface that:

  1. Appears legitimate to potential attackers
  2. Captures reconnaissance attempts
  3. Logs attack patterns and payloads
  4. Can simulate vulnerabilities to engage attackers

Architecture Overview

The implementation consists of three primary components:

  1. Kong API Gateway: Routes traffic between legitimate services and honeypot endpoints
  2. Beelzebub Honeypot: Provides realistic responses to attackers
  3. Monitoring and Analysis System: Processes logs and alerts from honeypot activity

Traffic flow follows this pattern:

  • Legitimate API calls are routed to real services
  • Requests to honeypot endpoints are redirected to Beelzebub
  • Beelzebub generates plausible responses to maintain engagement
  • All interactions are logged for analysis

Configuration Example

Configuring Kong to route traffic to the honeypot involves creating a service and route definition:

# Kong Service Definition
services:
  - name: beelzebub-honeypot
    url: http://beelzebub:8001
    routes:
      - name: admin-honeypot-api
        paths:
          - /services/

Monitoring and Analysis

Beelzebub integrates seamlessly with modern cloud-native monitoring stacks. Two primary methods are available for monitoring and analyzing honeypot activity:

Prometheus Integration

Beelzebub exposes a dedicated metrics endpoint specifically designed for Prometheus integration. The endpoint path and port are configurable in Beelzebub’s configuration file:

core:
  prometheus:
    path: "/metrics"
    port: ":2112"

Beelzebub exposes the following metrics through Prometheus:

Metric NameNamespaceDescription
events_totalbeelzebubThe total number of events detected by the honeypot
ssh_events_totalbeelzebubThe total number of SSH events detected
tcp_events_totalbeelzebubThe total number of TCP events detected
http_events_totalbeelzebubThe total number of HTTP events detected

Log Aggregation

Beelzebub generates comprehensive logs in structured JSON format with temporal traces, making them ideal for integration with SIEM systems like Elastic Stack.

These logs:

  • Contain detailed information about each interaction
  • Include timestamps for accurate timeline reconstruction
  • Are machine-parsable for automated analysis

Benefits of This Approach

Implementing defensive deception with Kong and Beelzebub offers several advantages:

  1. Minimal infrastructure: Utilizes existing API gateway infrastructure
  2. Low operational overhead: No impact on legitimate traffic
  3. Actionable intelligence: Provides real-world data about attack patterns
  4. Increased attacker costs: Forces attackers to spend time determining what’s real
  5. Better security posture: Adds depth to the defense strategy

Pro tips: Create Kong Admin API Honeypot

One of the most effective deception strategies you can implement with Beelzebub is to simulate the Kong Admin API itself. This approach is particularly enticing to attackers since gaining access to the API Gateway’s administration interface would typically provide control over the entire API infrastructure.

To create a Kong Admin API honeypot:

  1. Mimic Kong’s Admin API structure - Configure Beelzebub to respond to the same endpoints that Kong’s Admin API uses (/services, /routes, /consumers, /plugins)

  2. Example kong admin API Honeypot with beelzebub

apiVersion: "v1"
protocol: "http"
address: ":8001"
description: "Kong Admin honeypot"
commands:
  - regex: ".*"
    plugin: "LLMHoneypot"
    headers:
      - "via: kong/3.7.0"
      - "x-cache-key: 4ec13eeba8f1095758bb16cb45d19837a24eff56c7bc11ad8745afb4a844dd9b"
      - "x-kong-proxy-latency: 2"
      - "x-kong-request-id: ff02465d93e0c936d695b9169c59ec48"
      - "x-kong-upstream-latency: 0"
      - "x-ratelimit-limit-minute: 30"
      - "x-ratelimit-remaining-minute: 27"
    statusCode: 200
plugin:
  llmProvider: "openai"
  llmModel: "gpt-4o"
  openAISecretKey: "sk-proj-123456"
  prompt: >
    Act as an unsecured Kong API Gateway Admin API. Respond to HTTP requests exactly as a real Kong server would, including status codes, errors, and data responses.

    RULES:
    1. Respond with HTTP body content only (no headers)
    2. Use realistic hostnames like "api-central.company247.tech" or "kong-admin.cloudplatform.io"
    3. Simulate common Kong configuration vulnerabilities
    4. Display sensitive information like API keys, credentials, and configuration data
    5. Include realistic details for these services: admin-service, billing, auth-service, customer-data
    6. Simulate standard Kong admin endpoints: /services, /routes, /consumers, /plugins, /certificates
    7. Generate realistic UUIDs for all entities
    8. Include realistic timestamps for all created/modified entities
    9. Simulate authentic error responses when appropriate
    10. Never provide explanations or comments outside the simulation context

    RESPONSE STRUCTURE:
    - Use valid, formatted JSON as in real Kong responses
    - Include pagination metadata when applicable

Honeypot responses API /services/

curl http://localhost:8001/services/
{
  "next": null,
  "data": [
    {
      "id": "a1f987b3-fe21-4c36-b572-9876c0d99b1b",
      "created_at": 1697036214,
      "updated_at": 1697036214,
      "name": "admin-service",
      "protocol": "https",
      "host": "api-central.company247.tech",
      "port": 443,
      "path": "/admin",
      "retries": 5,
      "connect_timeout": 60000,
      "read_timeout": 60000,
      "write_timeout": 60000,
      "tags": ["admin"]
    },
    {
      "id": "c3a4b3d1-90e2-4d3a-a8c0-4f44e2d1b3dc",
      "created_at": 1697036228,
      "updated_at": 1697036228,
      "name": "billing",
      "protocol": "https",
      "host": "billing.company247.tech",
      "port": 443,
      "path": "/billing",
      "retries": 3,
      "connect_timeout": 30000,
      "read_timeout": 30000,
      "write_timeout": 30000,
      "tags": ["billing"]
    },
    {
      "id": "b2e2f711-fed3-473d-b2e9-d2f4044b1a2b",
      "created_at": 1697036251,
      "updated_at": 1697036251,
      "name": "auth-service",
      "protocol": "http",
      "host": "auth.company247.tech",
      "port": 80,
      "path": "/auth",
      "retries": 4,
      "connect_timeout": 5000,
      "read_timeout": 5000,
      "write_timeout": 5000,
      "tags": ["auth"]
    }
  ]
}

Example responses API /services/billing/

curl http://localhost:8001/services/billing/
{
"id": "3f47a9b1-8b67-4ddd-a3b6-e053fbea4b7c",
"name": "billing",
"host": "billing.api-central.company247.tech",
"port": 443,
"protocol": "https",
"path": "/billing",
"retries": 5,
"connect_timeout": 60000,
"write_timeout": 60000,
"read_timeout": 60000,
"tags": ["financial", "transactions"],
"created_at": 1698796800,
"updated_at": 1698883200,
"routes": [
{
"id": "d6e7f4c9-c104-4306-b696-ef0d452c8a0a",
"paths": ["/billing"],
"methods": ["POST", "GET"],
"protocols": ["https"],
"service_id": "3f47a9b1-8b67-4ddd-a3b6-e053fbea4b7c",
"created_at": 1698796800,
"updated_at": 1698883200
}
]
}

This approach is particularly valuable because:

  • Attackers specifically targeting your API infrastructure will be drawn to what appears to be the Kong Admin API
  • You’ll gather intelligence about sophisticated attackers who understand API gateway architectures
  • The attackers waste time and resources interacting with a system that provides no actual control
  • Any attempt to access these endpoints is definitively malicious, eliminating false positives

By implementing this Kong Admin API honeypot, you create a high-value target that will attract the most determined attackers while keeping your actual Kong Admin API safely isolated and properly secured.

For more: Beelzebub docs

Conclusion

Defensive deception is a powerful addition to any organization’s security arsenal. By combining Kong API Gateway with Beelzebub’s LLM-powered honeypot capabilities, organizations can create convincing fake environments that attract attackers, gather intelligence, and provide early warning of potential threats. This cloud-native approach to deception is particularly effective in microservices architectures where APIs are the primary interface between services.

As attackers continue to evolve their techniques, defensive strategies must similarly adapt. Implementing honeypots at the API layer represents a forward-thinking approach that adds depth to traditional security controls while providing valuable threat intelligence.