Using Honey Pages To Stop Website Scanners

Sep 14, 2021

Honey Pages ™ were invented by Turnstil.Cloud to help you monitor and analyze site scanner bots (although they are also excellent at stopping DDoS and Credential Stuffing attacks as outlined in this article: Using Honey Pages to Stop A DDoS / Credential Stuffing Attack [https://turnstil.cloud/blog/using-honey-pages-to-stop-a-ddos-credential-stuffing-attack]).

You’ve heard of a “honey pot” - a decoy system that serves no real purpose except to attract attackers and bots so you can observe and analyze their behaviour. A Honey Page is similar: when a bot requests a Honey Page URL (the page need not exist on your server at all), Turnstil.Cloud performs an action that you specify, such as challenging or blocking the client, to control the bot’s activity.

Site scanners crawling the internet looking for known vulnerabilities in websites quickly get stuck in a Turnstil.Cloud Honey Page. Scanner bots work from wordlists of commonly vulnerable endpoints (for example wp-login.php and xmlrpc.php, the WordPress login and XML-RPC paths) and request each one in turn, looking for holes in your website. Because most of those paths don’t exist on any given site, the bots brainlessly generate long trails of 404s as they go.

This activity is instantly recognizable in Turnstil.Cloud’s Traffic Monitor, allowing you to easily set up Honey Page rules to catch and stop site scanners before they can find a hole in your code. Once enabled, a Honey Page keeps running in the background, catching and blocking new scanners as they come along.

To set up a honey page in Turnstil.Cloud:

1. In the Traffic Monitor, identify a page that is being targeted by site scanners.

This will usually be a path that returns a 404 and that you know is not part of your site map. Usually the bot will generate a long list of these 404s, and you may notice over time that the wordlists used by scanning bots are largely the same, with the 404s occurring in exactly the same order.

2. Copy the path and use it to create a Honey Page Rule in Turnstil.Cloud.

Be careful you don’t accidentally choose a page that actually exists on your server – Honey Pages will challenge or block real users. Because any client that requests the path gets blocked, also avoid paths that legitimate users could plausibly be sent to (for example via a link someone posts), and never link to the Honey Page from your own site. It’s a good idea to actually visit the selected page both before you enable the Honey Page (to make sure it is generating a 404) and after (to ensure the block is working). If you block yourself, visit Turnstil.Cloud’s Block List to unblock your IP address; bear in mind that if you tested from a shared office or NAT address, everyone behind that address is blocked with you.

Note: Good bots like Google or Bing are protected by a whitelist and can’t be blocked by a Honey Page.
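To make the mechanism concrete, here is a small stand-alone Python model of the whole procedure: ranking 404 paths that several unrelated clients request (the scanner wordlist entries from step 1), refusing a Honey Page rule whose path is a real page (the caveat in step 2), and trapping any client that requests a Honey Page while leaving an allowlisted crawler untouched. This is an added illustration, not Turnstil.Cloud’s code; the log lines, the site map, the IP addresses (all from the TEST-NET documentation ranges) and the allowlist network are constructed for the example, and allowlisting by source network is an assumption about how a good-bot whitelist would be keyed.

```python
"""Honey Page scanner trap, stand-alone illustration (not Turnstil.Cloud code)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" log format:
#   ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two scanners walk the same wordlist in the same order,
# one real visitor hits a stale link, then a real page.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Sep/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2021:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2021:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [14/Sep/2021:11:30:10 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.25"
198.51.100.22 - - [14/Sep/2021:11:30:11 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "python-requests/2.25"
203.0.113.5 - - [14/Sep/2021:12:00:00 +0000] "GET /old-page HTTP/1.1" 404 162 "https://example.com/" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2021:12:00:05 +0000] "GET /about HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0"
""".splitlines()

# Constructed site map: the paths that really exist on the server.
SITE_PATHS = {"/", "/index.html", "/about"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_scanner_paths(lines, min_clients=2):
    """Step 1: return 404 paths requested by at least `min_clients` distinct IPs,
    most widely shared first. A 404 that only one client ever requests is
    probably a stale link; a 404 that unrelated clients all request is a
    wordlist entry and therefore a Honey Page candidate."""
    clients_by_path = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "404":
            clients_by_path[rec["path"].split("?")[0]].add(rec["ip"])
    ranked = sorted(clients_by_path.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [path for path, ips in ranked if len(ips) >= min_clients]


def conflicts(honey_paths, site_paths):
    """Step 2 caveat: Honey Page paths that collide with real pages."""
    return sorted(set(honey_paths) & set(site_paths))


class HoneyPageRule:
    """Trap any non-allowlisted client that requests a Honey Page path, then
    block all of that client's later requests until it is unblocked."""

    def __init__(self, honey_paths, site_paths, allow_nets=()):
        bad = conflicts(honey_paths, site_paths)
        if bad:  # refuse a rule that would block real users on a real page
            raise ValueError(f"honey path(s) exist on the site: {bad}")
        self.honey_paths = set(honey_paths)
        # Assumed: good bots are allowlisted by source network, not User-Agent,
        # because a User-Agent string is trivially spoofed by a scanner.
        self.allow_nets = [ip_network(n) for n in allow_nets]
        self.blocked = set()

    def _allowlisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.allow_nets)

    def decide(self, ip, path):
        """Return 'allow', 'trap' (first hit on a Honey Page) or 'block'."""
        if self._allowlisted(ip):
            return "allow"
        if ip in self.blocked:
            return "block"
        if path.split("?")[0] in self.honey_paths:
            self.blocked.add(ip)
            return "trap"
        return "allow"

    def unblock(self, ip):
        """The 'Block List' escape hatch for when you block yourself."""
        self.blocked.discard(ip)


def run_demo():
    """Build the rule from the sample log and replay a few constructed requests."""
    honey = find_scanner_paths(SAMPLE_LOG)  # ['/wp-login.php', '/xmlrpc.php']
    rule = HoneyPageRule(honey, SITE_PATHS, allow_nets=["192.0.2.0/24"])
    requests = [
        ("198.51.100.40", "/wp-login.php"),  # new scanner: first hit trips the trap
        ("198.51.100.40", "/xmlrpc.php"),    # ...and every later request is blocked
        ("198.51.100.40", "/about"),         # even for real pages
        ("192.0.2.9", "/wp-login.php"),      # allowlisted crawler: never blocked
        ("203.0.113.5", "/about"),           # real user on a real page
    ]
    return [rule.decide(ip, path) for ip, path in requests]


if __name__ == "__main__":
    print("honey page candidates:", find_scanner_paths(SAMPLE_LOG))
    print("decisions:", run_demo())
```

Note that `find_scanner_paths` keys on distinct client IPs rather than raw hit counts: a single real visitor refreshing a dead link a dozen times must not look like a scanner, whereas two unrelated addresses requesting the same non-existent path is exactly the shared-wordlist signature the article describes.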

With the new Honey Page in place, you can sleep soundly at night knowing that any bot that hits the page will be blocked and unable to continue scanning your website for vulnerabilities.