One of the Rare Sites That Openly Lets You Attack It: dset.com.tr. Go Ahead, but Know That You Will Be Caught and Banned
dset.com.tr is a rare active defense showcase that deliberately keeps its attack surface visible. It runs honeypot paths, a ModSecurity WAF, fail2ban and Cloudflare integration. Any IP that touches a trap is banned for 1 year on the first attempt. This is not a challenge; it is proof that security comes from resilience, not secrecy.
Quick answer: Yes, you can scan dset.com.tr; we do not hide our attack surface. But know that every interesting looking corner of the site is a trap. An IP that touches a trap is banned for 1 year, both on the server and at the Cloudflare edge, on the first attempt. We can do this because security comes from resilience, not secrecy. This is not a challenge, it is a live showcase of tested layers.
Why we do not hide our attack surface
Most organizations treat security like a game of hide and seek: hide the panel, censor the version banner, hope nobody finds it. This approach is called security through obscurity, and serious security engineering has rejected it for a century. Obscurity is not a defense; it is just a curtain that delays discovery. When the curtain is drawn back and there is no real layer behind it, everything collapses.
At DSET we do the opposite. dset.com.tr is the website of a real cybersecurity company, and at the same time it is built like a live defense showcase. We deliberately left our attack surface visible, because a system whose every layer has been tested has nothing to hide. Whatever an attacker does, they face not a hidden vulnerability but a designed trap and a resilient defense.
This confidence is not unfounded. Since 2003 we have worked in cybersecurity, data recovery and digital forensics at Hacettepe Teknokent in Beytepe, Ankara. If we can turn our own site into a shield, we can do the same for yours.
What happens when you step on a trap: 1 year ban on the first attempt
During reconnaissance, an attacker probes interesting paths with automated tools. The classic targets are well known: /.env, /.git, /wp-admin, /backup.zip, legacy admin panels, leftover backup files. On a normal site these paths either really exist or simply return a 404.
On dset.com.tr these paths are honeypots (cyber traps). They carry no real value; their only function is to instantly flag the IP that touches them. A legitimate visitor has no reason to request the /.env file or the /backup.zip archive, so the request itself is a statement of intent.
Here is how it works:
- The attacker touches one of the trap paths.
- The request is instantly logged and treated as an intent signal.
- fail2ban catches that signal and bans the IP.
- Thanks to Cloudflare integration, the ban is enforced not only on the server but also at the Cloudflare edge.
- Result: that IP cannot reach the site for 1 year. On the first attempt.
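As an added illustration, not DSET's actual configuration, the following Python emulates the honeypot jail described above: a fail2ban-style filter run over constructed nginx access-log lines with maxretry=1 and a one-year bantime, plus the body of the Cloudflare IP Access Rule that would extend the ban to the edge. The trap list, the log format, the sample IPs and the endpoint path are assumptions.

```python
import re
from datetime import datetime, timedelta

# Hypothetical trap list; the page names /.env, /.git, /wp-admin and /backup.zip.
HONEYPOT_PATHS = ("/.env", "/.git", "/wp-admin", "/backup.zip")
BANTIME = timedelta(days=365)   # the page's "1 year" ban
MAXRETRY = 1                    # ban on the first hit, not the third

# Combined-format access log: IP ident user [time] "METHOD /path HTTP/x" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)

def is_trap(path: str) -> bool:
    """Exact trap path or anything below it (/.git/config); query string ignored."""
    clean = path.split("?", 1)[0]
    return any(clean == p or clean.startswith(p + "/") for p in HONEYPOT_PATHS)

def scan_log(lines):
    """Emulate a fail2ban jail with maxretry=1: return {ip: ban_expiry_datetime}."""
    hits, bans = {}, {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_trap(m.group("path")):
            continue                      # normal traffic is never counted
        ip = m.group("ip")
        hits[ip] = hits.get(ip, 0) + 1
        if hits[ip] >= MAXRETRY and ip not in bans:
            seen = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            bans[ip] = seen + BANTIME     # the first hit already decides the ban
    return bans

def cloudflare_block_rule(ip: str) -> dict:
    """Body of a Cloudflare IP Access Rule that blocks the IP at the edge.
    Assumption: the payload shape fail2ban's cloudflare action posts to
    /client/v4/zones/{zone_id}/firewall/access_rules/rules (nothing is sent here)."""
    return {"mode": "block",
            "configuration": {"target": "ip", "value": ip},
            "notes": "honeypot hit: banned by fail2ban"}

# Constructed sample log lines (documentation IP ranges, not real visitors).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2025:12:00:02 +0000] "GET /about HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/May/2025:12:00:05 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.23 - - [10/May/2025:12:00:06 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/May/2025:12:00:09 +0000] "GET /backup.zip?x=1 HTTP/1.1" 404 153 "-" "curl/8.0"',
]
```

Running `scan_log(SAMPLE_LOG)` bans the two scanning IPs on their first trap hit and leaves the ordinary visitor untouched; the second hit from 198.51.100.23 changes nothing, because the decision was already made.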
This is not a tolerant system that says "try three times, then we will think about it." A trap cannot be triggered by accident; running a scanning tool is a deliberate act. Anyone who gets curious and runs a scanner will never see the site again.
The layers: WAF, honeypot, fail2ban, Cloudflare and more
The traps are the visible part of the iceberg. The real work lies in the layered defense underneath (defense in depth). Even if one layer is bypassed, another stands behind it.
| Layer | What it does | Effect on the attacker |
|---|---|---|
| Cloudflare proxy | All traffic behind Cloudflare, origin IP hidden | The real server IP never leaks, cannot be targeted directly |
| Zero external ports | Web and SSH only over Cloudflare Tunnel | Direct port scanning gets no response |
| Honeypot paths | Traps like /.env, /.git, /wp-admin | Recon intent is exposed instantly |
| fail2ban + Cloudflare | Bans the trap touching IP for 1 year on first try | Persistent block at server and edge level |
| ModSecurity WAF | Filters known attack signatures | SQLi, XSS, path traversal attempts stop |
| Nonce based CSP | No unauthorized script can run on the page | Injected code does not execute in the browser |
| HSTS preload | The browser is forced to use HTTPS | Downgrade and interception become harder |
| SPF / DKIM / DMARC | Blocks email spoofing | No fake mail can be sent in DSET's name |
| AI assistant protection | Resistant to jailbreak and prompt injection | No malicious instruction passes to the AI |
None of these layers claims to be sufficient on its own. The strength is in all of them stacked together. If an attacker bypasses the WAF, they hit the CSP; if they beat the CSP, they cannot find the origin; if they look for the origin, they find no open port; and while scanning for it, they step on a trap and get banned.
This is not a challenge, it is a showcase
We are not telling anyone "come break it if you can." The purpose of this article is not arrogance, it is transparency. The most honest advertisement a security company can give is to openly show how its own site is protected. Most firms sell security to their clients while their own site is defenseless. We do the opposite: our site is a working proof of the service we sell.
We apply the same discipline to our corporate clients. We build the same layered approach for topics like how to prevent internal cyber attacks, protection from ransomware and how to recognize phishing emails. There is also a reason we explain why we keep data recovery and cybersecurity under one roof: a team that can recover data even when defenses fall knows what real resilience means.
Another reason it is a showcase is trust building. Instead of vague "you are safe" promises, we show measurable and verifiable layers. The philosophy of active defense and deception is built on tiring out the attacker, slowing them down and exposing their intent early. This is exactly the approach MITRE's Engage framework and the honeynet community have advocated for years.
Legal boundary and ethics
Let us be clear: our traps are purely defensive and stay within legal limits. Banning an IP does not harm it; it closes the door to it. Our systems perform no counter attack (hack back); we only protect our own door.
For the other side, the situation is clear. In Turkey, unauthorized access and attempts to enter systems without permission are crimes under Articles 243, 244 and 245 of the Turkish Penal Code. Scanning a system without permission, searching for vulnerabilities and trying to break in are acts with legal consequences. The fact that dset.com.tr keeps its attack surface visible does not grant anyone permission to attack; on the contrary, it reminds you that if you try, you will be caught, and there is a legal price for it.
If you are a security researcher and want to share a finding, the right path is not to step on traps, but to contact us through the responsible disclosure channel. That is our open door. A trap for those who come with bad intent, a table for those who come in good faith.
Frequently Asked Questions (FAQ)
Are you really giving me permission to attack?
No, we are not inviting you to "attack." We are saying we do not hide our attack surface; that is a different thing. An unauthorized access attempt is a crime, and our traps exist precisely to catch it. Visibility does not mean permission.
Could I step on a trap by accident and get banned?
You will not experience this while browsing as a normal visitor. Trap paths (like /.env, /.git, /backup.zip) are paths a legitimate user would never request. You will not reach them by chance unless you run a scanning tool.
How long does the ban last and how is it lifted?
An IP that touches a trap is banned for 1 year, both on the server and at the Cloudflare edge. If you believe you are legitimate you can reach us through our contact channel; but for an IP running automated scans, the system decides on the first attempt and for a long duration.
Can someone find your origin IP and attack directly?
All traffic is behind Cloudflare and there are no externally open ports; web and SSH run only over Cloudflare Tunnel. Since the origin IP does not leak, direct targeting is practically impossible.
Would you build this setup for our company too?
Yes, this is our core business. We design and deploy the same layered active defense we showcase on our own site, tailored to your organization's needs. To get an assessment you can reach us at +90 536 662 38 09. Address: Hacettepe Teknokent, Beytepe, Cankaya, Ankara.