Need recommendation to block DDOS attack

We are getting more than 5k declined transactions in Braintree, and when we checked the access log we found some IPs hitting the payment URL continuously.

Sample log:
40.112.177.35 - - [17/May/2020:07:33:15 -0500] "POST /payment-api/payment-information HTTP/1.1" 400 3987 "referer url here" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"

We have analyzed the IP 40.112.177.35 and it is a trusted one: https://ipinfo.io/40.112.177.35

We have checked the user agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0" and it also seems valid in https://developers.whatismybrowser.com/useragents/parse/#parse-useragent

Also, the attacker changes the IP constantly: they use one IP for 500+ hits and then switch to another IP. As per the IP, the attacker's location is the United States, and our selling area is also the United States. So we can't block the attacker by IP, User-Agent, or country.

After that, we used the "Cloudflare rate limit" to block any IP that hits more than 4 times per minute, and it is blocking correctly. But the attacker hits the payment URL 10+ times before Cloudflare recognizes the rate limit and blocks.

Note: As per our analysis of the access log file, the attacker hits the payment URL 5-7 times per minute. Here I only mentioned the payment URL; similarly, they flooded other URLs with more HTTPS requests as well.

Is there a way to stop them completely?
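The log analysis described above (per-IP request rate against the payment URL, plus the decline ratio that distinguishes card testing from real customers) can be reproduced offline from the access log. The following Python script is an added example, not code from the original post or from Cloudflare; the log lines, IPs (RFC 5737 documentation ranges) and timestamps in it are constructed, the path and the 4-per-minute threshold come from the post, and treating any 4xx/5xx status as a "declined" attempt is an assumption made here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log in Combined Log Format (same layout as the
# line quoted in the post; IPs, times and statuses are made up for the demo).
SAMPLE_LOG = """\
203.0.113.10 - - [17/May/2020:07:33:15 -0500] "POST /payment-api/payment-information HTTP/1.1" 400 3987 "-" "Mozilla/5.0"
203.0.113.10 - - [17/May/2020:07:33:20 -0500] "POST /payment-api/payment-information HTTP/1.1" 400 3987 "-" "Mozilla/5.0"
198.51.100.7 - - [17/May/2020:07:33:22 -0500] "POST /payment-api/payment-information HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [17/May/2020:07:33:31 -0500] "POST /payment-api/payment-information HTTP/1.1" 400 3987 "-" "Mozilla/5.0"
203.0.113.10 - - [17/May/2020:07:33:40 -0500] "GET /checkout HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
203.0.113.10 - - [17/May/2020:07:33:45 -0500] "POST /payment-api/payment-information HTTP/1.1" 400 3987 "-" "Mozilla/5.0"
203.0.113.10 - - [17/May/2020:07:33:58 -0500] "POST /payment-api/payment-information HTTP/1.1" 400 3987 "-" "Mozilla/5.0"
203.0.113.10 - - [17/May/2020:07:34:20 -0500] "POST /payment-api/payment-information HTTP/1.1" 400 3987 "-" "Mozilla/5.0"
198.51.100.7 - - [17/May/2020:07:34:30 -0500] "POST /payment-api/payment-information HTTP/1.1" 400 3987 "-" "Mozilla/5.0"
"""

PAYMENT_PATH = "/payment-api/payment-information"  # the URL named in the post

# Fields we need: client IP, timestamp, request method/path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one Combined Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_rate_offenders(lines, path, limit, window_seconds=60):
    """Sliding-window rate check, mirroring an 'N hits per minute' rule.

    Returns {ip: timestamp of the first request that pushed the IP over
    `limit` requests to `path` within any `window_seconds` interval}.
    Lines must be in chronological order, as an access log normally is.
    """
    windows = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders = {}
    for rec in map(parse_line, lines):
        if rec is None or rec["path"] != path:
            continue
        dq = windows[rec["ip"]]
        dq.append(rec["ts"])
        # Evict timestamps that have fallen out of the trailing window.
        while dq and (rec["ts"] - dq[0]).total_seconds() >= window_seconds:
            dq.popleft()
        if len(dq) > limit and rec["ip"] not in offenders:
            offenders[rec["ip"]] = rec["ts"]
    return offenders


def decline_ratio(lines, path):
    """Per-IP (declined, total) counts for POSTs to `path`.

    Assumption for this demo: any 4xx/5xx response is treated as a declined
    payment attempt. A near-100% decline ratio is the typical signature of
    card testing, whereas real customers mostly succeed.
    """
    counts = defaultdict(lambda: [0, 0])
    for rec in map(parse_line, lines):
        if rec is None or rec["path"] != path or rec["method"] != "POST":
            continue
        counts[rec["ip"]][1] += 1
        if rec["status"] >= 400:
            counts[rec["ip"]][0] += 1
    return {ip: (d, t) for ip, (d, t) in counts.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, ts in find_rate_offenders(lines, PAYMENT_PATH, limit=4).items():
        print(f"{ip} exceeded 4 hits/min to {PAYMENT_PATH} at {ts:%H:%M:%S}")
    for ip, (declined, total) in decline_ratio(lines, PAYMENT_PATH).items():
        print(f"{ip}: {declined}/{total} payment attempts declined")
```

Run against a real access log by replacing `SAMPLE_LOG.splitlines()` with the file's lines. Because the attacker rotates IPs after a few hundred hits, the more useful output over time is the decline ratio aggregated per IP (or per source network) rather than the rate check alone, since the rate rule is exactly what the post says the attacker stays just under.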

I don't get it. What do you mean by "declined transactions"?

Does this mean that the bot/attacker is making authenticated transactions?

I mean attackers are using fake card details to hit the payment API continuously; Braintree declined these transactions due to fake card, fake address, fraud score, etc. We are looking for a solution to block the attacker at the initial level from Cloudflare.
