BallıBaba v1.2.0

Sweet Traps for Autonomous Bots.
Automated Threat Intelligence.

BallıBaba is an intelligent, multi-protocol honeypot framework engineered to mimic vulnerable enterprise endpoints. It lures malicious crawlers, captures aggressive brute-force activity, and dispatches real-time abuse reports directly to AbuseIPDB to neutralize global cyber threats at their source.

Framework Objective
Passive Decoy Net

Designed to consume zero production resources while maximizing catch rates for indiscriminate bot scanners.

Reporting Mechanism
AbuseIPDB API v2

An automated ingestion pipeline formats metadata (ports, payloads, frequencies) and pushes it immediately into the public blocklists.

Telemetry Focus
Zero False Positives

Since these endpoints serve no legitimate production traffic, 100% of interactions are classified as strictly malicious.

Guarded Attack Surfaces

BallıBaba deploys high-fidelity low- and medium-interaction listeners on the most frequently targeted protocols.

Port 22 Interactive Shell

SSH Trap

Simulates classic OpenSSH banners. Captures dictionary-based brute force credentials, client variants, and terminal command payloads.

Port 3389 Remote Desktop

RDP Trap

Mimics Windows Terminal Services initialization. Triggers on NLA handshakes and tracks continuous automated connection requests.

Port 5060 VoIP / Telephony

SIP Trap

Intercepts unauthenticated VoIP scanner traffic, auditing rogue `OPTIONS`, `INVITE`, and `REGISTER` request headers from telecom exploit kits.

Port 21 File Transfer

FTP Trap

Presents an outdated, seemingly misconfigured storage service banner. Logs anonymous authentication bypasses and malicious directory traversals.

💡 Also supports generic HTTP (80/8080) web path traps targeting vulnerable `.env`, admin dashboards, and configuration backlogs.

The Threat Reporting Pipeline

From initial interaction to crowd-sourced blacklisting in milliseconds.

1. Intrusion Interception

A bot hits a designated BallıBaba trap port (e.g., executing an SSH brute force or scanning for an open proxy). The connection parameters are isolated immediately.

2. Payload Parsing & Validation

The core engine extracts the attacker's source IP, the timestamp, the targeted port, and a structural signature (e.g., the specific user credentials used). No production logs are altered.

3. AbuseIPDB Integration

An automated webhook standardizes the incident payload according to the AbuseIPDB categories (e.g., Category 18: Brute-Force, Category 14: Port Scan) and posts it seamlessly.
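
The three steps above, sketched as an added example (this is not BallıBaba's own code): a trap event is turned into the form fields of an AbuseIPDB v2 report. The event schema, function names and sample events are assumptions made for illustration; the example also drops non-routable sources and keeps captured passwords out of the public comment.

```python
import ipaddress
from datetime import datetime, timezone

# AbuseIPDB category IDs: 18 and 14 are named on the page; 22 (SSH) and
# 5 (FTP Brute-Force) are from AbuseIPDB's published category list.
PORT_SCAN, BRUTE_FORCE, SSH, FTP_BRUTE_FORCE = 14, 18, 22, 5
REPORT_URL = "https://api.abuseipdb.com/api/v2/report"  # POST, API key in "Key" header
# Sources that must never reach a public blocklist (private, CGNAT, loopback, link-local).
NON_REPORTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def categorize(event):
    """Map a trap event (hypothetical schema) to AbuseIPDB categories."""
    if not event["credentials"]:
        return [PORT_SCAN]  # connected but never attempted a login
    cats = [BRUTE_FORCE]
    if event["port"] == 22:
        cats.append(SSH)
    elif event["port"] == 21:
        cats.append(FTP_BRUTE_FORCE)
    return cats

def build_report(event):
    """Return the form fields for one report, or None if it must not be sent."""
    ip = ipaddress.ip_address(event["src_ip"])
    if any(ip in net for net in NON_REPORTABLE):
        return None
    comment = f"Honeypot hit on port {event['port']}"
    if event["credentials"]:
        # Usernames only: captured passwords stay out of the public comment.
        users = sorted({user for user, _ in event["credentials"]})
        comment += f"; {len(event['credentials'])} login attempts, users: {', '.join(users)}"
    ts = datetime.fromtimestamp(event["ts"], tz=timezone.utc)
    return {
        "ip": str(ip),
        "categories": ",".join(str(c) for c in categorize(event)),
        "comment": comment[:1024],
        "timestamp": ts.isoformat(timespec="seconds"),
    }

# Constructed sample events (documentation and private addresses, not real captures).
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.5", "port": 22, "ts": 1700000000,
     "credentials": [("root", "123456"), ("admin", "admin"), ("root", "toor")]},
    {"src_ip": "198.51.100.9", "port": 3389, "ts": 1700000100, "credentials": []},
    {"src_ip": "10.0.0.7", "port": 21, "ts": 1700000200, "credentials": [("ftp", "ftp")]},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["src_ip"], "->", build_report(ev) or "skipped")
```

The returned dictionary is what would be sent as form data to `REPORT_URL`; the HTTP call itself is left out so the example runs offline.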

Verified Threat Intelligence Contributor

BallıBaba proudly contributes automated threat intelligence directly to AbuseIPDB, helping secure networks globally.