US12074908B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12074908-B2 |
| Application number | US-202117369057-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 7, 2021 |
| Priority date | Aug 22, 2019 |
| Publication date | Aug 27, 2024 |
| Grant date | Aug 27, 2024 |
Official abstract text for this publication.
This application discloses a cyber threat deception method and system, and a forwarding device. The forwarding device obtains a deception target set, where the deception target set includes a deception target, and the deception target includes an unused internet protocol (IP) address or an unopened port number on a used IP address. The forwarding device receives an IP packet from a host, and determines whether a destination party that the IP packet requests to access belongs to the deception target set. If the destination party that the IP packet requests to access belongs to the deception target set, the forwarding device sends the IP packet to a honeypot management server. The forwarding device receives a response packet, returned by the honeypot management server, of the corresponding IP packet. The forwarding device sends the response packet to the host.
Opening claim text (preview).
What is claimed is:

1. A cyber threat deception method, comprising: obtaining, by a forwarding device, a deception target set, wherein the deception target set comprises at least one deception target, and the at least one deception target comprises an unused internet protocol (IP) address or an unopened port number on a used IP address, wherein the obtaining the deception target set comprises: receiving a third IP packet; querying, by the forwarding device based on a destination IP address of the third IP packet, a routing table of the forwarding device for a next-hop IP address corresponding to the third IP packet; and when no next-hop IP address corresponding to the third IP packet is in the routing table, adding, by the forwarding device to the deception target set, the destination IP address of the third IP packet as an unused IP address; receiving, by the forwarding device, a first IP packet from a first host; determining, by the forwarding device, whether a destination party that the first IP packet requests to access belongs to the deception target set; when the destination party that the first IP packet requests to access belongs to the deception target set, sending, by the forwarding device, the first IP packet to a honeypot management server; receiving, by the forwarding device, a second IP packet from the honeypot management server, wherein the second IP packet is a response packet of the first IP packet; and sending, by the forwarding device, the second IP packet to the first host.
2. The method according to claim 1, further comprising: when no next-hop IP address corresponding to the third IP packet is in the routing table, sending, by the forwarding device, the third IP packet to the honeypot management server; and receiving, by the forwarding device from the honeypot management server, a response packet of the third IP packet, and forwarding the response packet.
3. The method according to claim 1, further comprising: when a next-hop IP address corresponding to the third IP packet is in the routing table, querying, by the forwarding device, an Address Resolution Protocol (ARP) table for a media access control (MAC) address corresponding to the next-hop IP address; when no MAC address corresponding to the next-hop IP address is in the ARP table, determining, by the forwarding device, an online status of the destination IP address of the third IP packet based on an IP address status table, wherein the IP address status table is used to indicate online statuses one-to-one corresponding to a plurality of IP addresses within a range of at least one subnet connected to the forwarding device, and the online status is online or offline; and when no MAC address corresponding to the next-hop IP address is in the ARP table and the online status of the destination IP address of the third IP packet is offline, adding, by the forwarding device to the deception target set, the destination IP address of the third IP packet as an unused IP address.
4. The method according to claim 3, further comprising: when no MAC address corresponding to the next-hop IP address is in the ARP table and the online status of the destination IP address of the third IP packet is offline, sending the third IP packet to the honeypot management server; and receiving, from the honeypot management server, a response packet of the third IP packet, and forwarding the response packet.
5. The method according to claim 3, wherein the IP address status table is obtained by performing the following steps: sending, by the forwarding device, an ARP request packet for each of the plurality of IP addresses within the range of the subnet connected to the forwarding device; and when the forwarding device does not receive an ARP reply packet of a first IP address, adding the first IP address to the IP address status table, wherein the first IP address is an IP address of the plurality of IP addresses; and setting a status of the first IP address to offline.
6. The method according to claim 5, further comprising: receiving, by the forwarding device, an ARP reply packet of a second IP address, wherein the second IP address is an IP address of the plurality of IP addresses; adding the second IP address to the IP address status table; and setting a status of the second IP address to online.
7. The method according to claim 1, wherein the obtaining the deception target set comprises: receiving, by the forwarding device, a fourth IP packet, wherein the fourth IP packet is a connection reset (RST) packet; determining whether the fourth IP packet satisfies a deception condition, wherein the deception condition comprises: before the fourth IP packet is received, at least one connection establishment (SYN) packet corresponding to the fourth IP packet is received, wherein a destination IP address of the SYN packet is same as a source IP address of the fourth IP packet, and a destination port number of the SYN packet is same as a source port number of the fourth IP packet; and when the fourth IP packet satisfies the deception condition, adding, by the forwarding device to the deception target set, the source port number of the fourth IP packet as an unopened port number on a used IP address, wherein the used IP address is the source IP address of the fourth IP packet.
8. The method according to claim 1, wherein the obtaining the deception target set comprises: receiving, by the forwarding device, a fourth IP packet, wherein the fourth IP packet is a RST packet; determining whether the fourth IP packet satisfies a deception condition, wherein the deception condition comprises: at least one SYN packet corresponding to the fourth IP packet is received previous to a predetermined period of time that is before the fourth IP packet is received, and one or more packets that is or that are received within the predetermined period of time and that has or that have a same source IP address and a same source port number as the fourth IP packet is or are all RST packets or internet control message protocol (ICMP) unreachable packets, wherein a destination IP address of the SYN packet corresponding to the fourth IP packet is same as a source IP address of the fourth IP packet, and a destination port number of the SYN packet corresponding to the fourth IP packet is same as a source port number of the fourth IP packet; and when the fourth IP packet satisfies the deception condition, adding, by the forwarding device to the deception target set, the source port number of the fourth IP packet as an unopened port number on a used IP address, wherein the used IP address is the source IP address of the fourth IP packet.
9. The method according to claim 8, further comprising: when the fourth IP packet satisfies the deception condition, sending the SYN packet corresponding to the fourth IP packet to the honeypot management server; and receiving, from the honeypot management server, a response packet of the SYN packet, and forwarding the response packet of the SYN packet to the first host.
10. The method according to claim 1, wherein the obtaining the deception target set comprises: receiving, by the forwarding device, a fourth IP packet, wherein the fourth IP packet is an ICMP unreachable packet; determining whether the fourth IP packet satisfies a deception condition, wherein the deception condition comprises: before the fourth IP packet is received, at least one user datagram protocol (UDP) packet corresponding to the fourth IP packet is received, wherein a destination IP address of the UDP packet is same as a source IP address of the fourth IP packet, and a destination port number of the UDP packet is same as a source port number of the f
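As an added illustration, not the patent's own code or any vendor implementation, the following Python model shows how the forwarding device of claims 1, 2, 7 and 10 grows the deception target set from routing-table misses, RST replies to earlier SYNs and ICMP unreachable replies to earlier UDP packets, and then steers later packets aimed at those targets to the honeypot management server. The `Packet` layout, the action names, the modelling of an ICMP unreachable packet with the quoted port as its source port, and the sample traffic are all constructed assumptions; the ARP/online-status rules of claims 3 to 6 and the time-window condition of claim 8 are left out.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# proto is "tcp", "udp" or "icmp-unreach" (modeled with the quoted port as sport); flags "S"/"R"
Packet = namedtuple("Packet", "src dst proto sport dport flags", defaults=(0, 0, ""))

class ForwardingDevice:
    # Constructed model of the forwarding device in the claims, not the patent's own code
    def __init__(self, routes):
        self.routes = [ip_network(r) for r in routes]  # stands in for the routing table
        self.unused_ips = set()      # deception targets: unused IP addresses
        self.unopened_ports = set()  # deception targets: (used IP, unopened port)
        self.seen_syn = set()        # (dst IP, dst port) of SYN packets seen so far
        self.seen_udp = set()        # (dst IP, dst port) of UDP packets seen so far

    def has_route(self, dst):
        return any(ip_address(dst) in net for net in self.routes)
    def in_deception_set(self, pkt):
        return pkt.dst in self.unused_ips or (pkt.dst, pkt.dport) in self.unopened_ports

    def handle(self, pkt):
        # Claim 7: a RST answering an earlier SYN marks (source IP, source port) as unopened
        if pkt.proto == "tcp" and "R" in pkt.flags and (pkt.src, pkt.sport) in self.seen_syn:
            self.unopened_ports.add((pkt.src, pkt.sport))
            return "learned-port"
        # Claim 10: an ICMP unreachable answering an earlier UDP packet does the same
        if pkt.proto == "icmp-unreach" and (pkt.src, pkt.sport) in self.seen_udp:
            self.unopened_ports.add((pkt.src, pkt.sport))
            return "learned-port"
        if self.in_deception_set(pkt):   # already a deception target: to honeypot server
            return "honeypot"
        if not self.has_route(pkt.dst):  # claim 1: no next hop -> unused IP; claim 2: honeypot
            self.unused_ips.add(pkt.dst)
            return "honeypot"
        if pkt.proto == "tcp" and "S" in pkt.flags:  # remember probes for later matching
            self.seen_syn.add((pkt.dst, pkt.dport))
        elif pkt.proto == "udp":
            self.seen_udp.add((pkt.dst, pkt.dport))
        return "forward"

def run_trace():  # constructed sample traffic from host 10.0.0.5; device routes 10.0.0.0/24
    dev = ForwardingDevice(["10.0.0.0/24"])
    trace = [Packet("10.0.0.5", "10.0.0.9", "tcp", 40000, 22, "S"),
             Packet("10.0.0.9", "10.0.0.5", "tcp", 22, 40000, "R"),     # closed port answers RST
             Packet("10.0.0.5", "10.0.0.9", "tcp", 40001, 22, "S"),     # retry is now deceived
             Packet("10.0.0.5", "10.0.0.10", "udp", 50000, 161),
             Packet("10.0.0.10", "10.0.0.5", "icmp-unreach", 161),      # port unreachable
             Packet("10.0.0.5", "192.168.7.7", "tcp", 40002, 80, "S")]  # no route: unused IP
    return [dev.handle(p) for p in trace]
```

The trace returns `forward, learned-port, honeypot, forward, learned-port, honeypot`: the first probe of a closed port or an unrouted address reaches the real network, but once the reply (or the routing miss) has classified the target, every later packet to it is diverted.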
Address table lookup; Address filtering · CPC title
using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment · CPC title
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title
Layer-2 addresses, e.g. medium access control [MAC] addresses · CPC title
across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP] · CPC title