Why ProjectHoneyPot?

I’ve been monitoring this for several months now and I’m really curious as to why Cloudflare chooses ProjectHoneypot for reports on IP addresses when the database appears to be outdated with very little activity. Wouldn’t it be a better choice to use a more popular database like AbuseIPDB.Com?

For example, this IP attempted to hack one of our sites multiple times, Abuse IPDB gives these stats on this IP:
35.236.54.251 was found in our database!
This IP was reported 69 times. Confidence of Abuse is 100% :slight_smile:

But ProjectHoneyPot has this to say:

35.236.54.251

This IP address has been seen by at least one Honey Pot. However, none of its visits have resulted in any bad events yet. It’s possible that this IP is just a harmless web spider or Internet user. If you know something about this IP, please [leave a comment](https://www.projecthoneypot.org)

| Field | Value |
|---|---|
| Spider First Seen | approximately 2 years, 3 weeks ago |
| Spider Last Seen | within 2 years, 3 weeks |
| Spider Sightings | 1 visit(s) |
| User-Agents | seen with 1 user-agent(s) |

And this is just one example of hundreds.
:neutral_face:

ProjectHoneyPot is not seeing the activity that AbuseIPDB is, or staying up to date with current activity, so why not switch? With an updated database connection like AbuseIPDB, these pesky IPs could automatically be blacklisted, resulting in better protection for thousands of websites.

Open to hearing other opinions or the reason behind staying with ProjectHP.

I don’t know for sure, but it could have something to do with Matthew Prince being a co-founder of both ProjectHoneyPot and Cloudflare.

4 Likes

Generally speaking we don’t blacklist IPs; we assign them a threat reputation score based on a variety of inputs. We have our own threat intelligence teams and tools as well. Looks like their tool can be integrated at the origin with tools like Fail2Ban, which sounds like a nice option if you wanted to integrate with them. Or I suppose it could be done with a Worker.

2 Likes
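The Worker route mentioned in the reply above, as an added example that is not code from this thread, from Cloudflare or from AbuseIPDB: a Worker-style shim that looks up the visitor's IP against AbuseIPDB's `/api/v2/check` endpoint and maps the returned `abuseConfidenceScore` to allow, challenge or block. It assumes (none of this is on the page) that the API key is bound as an environment variable named `ABUSEIPDB_KEY`, that the JSON response has the shape `{ data: { abuseConfidenceScore, totalReports, ... } }`, and that the thresholds and the five-report minimum are tuning choices of this example. The decision logic is kept separate from the network call so it can be exercised offline with the constructed sample responses at the bottom.

```javascript
// Added example (not the thread's, Cloudflare's or AbuseIPDB's own code).
// Assumptions: API key bound as env.ABUSEIPDB_KEY; response shaped like
// { data: { abuseConfidenceScore, totalReports, ... } } per AbuseIPDB v2.

const ABUSEIPDB_CHECK = 'https://api.abuseipdb.com/api/v2/check';
const BLOCK_AT = 90;      // abuseConfidenceScore at or above this is blocked
const CHALLENGE_AT = 50;  // between CHALLENGE_AT and BLOCK_AT gets a challenge
const MIN_REPORTS = 5;    // a high score built from fewer reports is weak evidence

// Pure decision logic, kept apart from fetch() so it can be exercised offline.
function decide(report, opts = {}) {
  const blockAt = opts.blockAt ?? BLOCK_AT;
  const challengeAt = opts.challengeAt ?? CHALLENGE_AT;
  const minReports = opts.minReports ?? MIN_REPORTS;
  const d = report && report.data;
  if (!d || typeof d.abuseConfidenceScore !== 'number') {
    // Fail open: a missing or malformed lookup must not take the site down.
    return { action: 'allow', reason: 'no-data' };
  }
  const score = d.abuseConfidenceScore;
  const reports = d.totalReports ?? 0;
  // Shared address space (campus NAT, office egress) mixes good and bad users,
  // so a hard block needs both a high score and a body of reports behind it.
  if (score >= blockAt && reports >= minReports) {
    return { action: 'block', reason: `score=${score} reports=${reports}` };
  }
  if (score >= challengeAt) {
    return { action: 'challenge', reason: `score=${score} reports=${reports}` };
  }
  return { action: 'allow', reason: `score=${score}` };
}

// Cloudflare sets CF-Connecting-IP to the real client address; fall back to the
// first hop of X-Forwarded-For only when that header is absent (e.g. local tests).
function clientIp(headers) {
  const cf = headers.get('cf-connecting-ip');
  if (cf) return cf.trim();
  const xff = headers.get('x-forwarded-for');
  return xff ? xff.split(',')[0].trim() : null;
}

// Builds the check URL; maxAgeInDays limits how old a report may be to count.
function checkUrl(ip, maxAgeInDays = 90) {
  const u = new URL(ABUSEIPDB_CHECK);
  u.searchParams.set('ipAddress', ip);
  u.searchParams.set('maxAgeInDays', String(maxAgeInDays));
  return u.toString();
}

// Network call; only reached inside a real Worker with a key bound as env.ABUSEIPDB_KEY.
async function lookup(ip, apiKey) {
  const res = await fetch(checkUrl(ip), {
    headers: { Key: apiKey, Accept: 'application/json' },
  });
  if (!res.ok) return null; // treated as no-data by decide()
  return res.json();
}

// In a Workers module this object is what you `export default`.
const worker = {
  async fetch(request, env) {
    const ip = clientIp(request.headers);
    const report = ip && env.ABUSEIPDB_KEY ? await lookup(ip, env.ABUSEIPDB_KEY) : null;
    const verdict = decide(report);
    if (verdict.action === 'block') {
      return new Response('Forbidden', { status: 403, headers: { 'X-Reason': verdict.reason } });
    }
    if (verdict.action === 'challenge') {
      // Hand off to whatever challenge you use (Turnstile etc.); 429 as a placeholder.
      return new Response('Please complete the challenge', { status: 429 });
    }
    return fetch(request); // pass through to the origin
  },
};

// Constructed sample responses, shaped like AbuseIPDB v2 output, for offline use.
function sampleReport(abuseConfidenceScore, totalReports, ipAddress = '203.0.113.7') {
  return { data: { ipAddress, abuseConfidenceScore, totalReports, isPublic: true } };
}
```

The point of the three-way verdict rather than a flat blacklist is the one raised later in the thread: an IP with a 100% confidence score backed by dozens of reports (like the one quoted in the opening post) gets a 403, but the same score sitting on two reports from a shared egress address only gets a challenge, and any lookup failure fails open. Add a cache in front of `lookup()` before deploying; AbuseIPDB's free tier is rate-limited and a per-request call would exhaust it quickly.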

That would do it. :laughing:

True, true. We assign them a threat reputation. Blacklisting is wishful thinking on my part.

It would be nice, but IPv4 address space can be very unstable and shared address spaces (like universities or office buildings) can have an odd mixture of good and bad actors.

Bot fight mode is about the only place we have a ‘ban hammer’ approach customers can implement that doesn’t allow some nuance. It’s a pretty narrow (but effective) tool.

1 Like
