Need recommendation to block DDOS attack

We are getting more than 5k declined transactions in Braintree and when we checked the access log we found some IP’s hits the payment URL continuously.

Sample log: - - [17/May/2020:07:33:15 -0500] “POST /payment-api/payment-information HTTP/1.1” 400 3987 “referer url here” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0”

We have analyzed the IP and it is a trusted one

We have checked the user agent “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0” and it also seems valid in

Also, the attacker changed the IP constantly and the attacker used one IP for 500+ hits after that they changed the IP. As per the IP, attacker location is the United States and our selling area also United States. So we can’t block the attacker by IP, User-Agent and Country.

After that, we have used “Cloudflare rate limit” to block the IP which hits more than 4 times per minute, it is blocking correctly. But attacker hits the payment URL 10+ times before Cloudflare recognizes the rate limit blocking.

Note: As per our analysis of the access log file, attacker hits 5-7 times payment URL per minute. Here I only mentioned payment URL, similarly, they flooded more https request to other URLs as well.

is there a way to stop them completely?

I don’t get it. What do you mean “declined transactions”

Does this mean that the bot/attacker is making authenticated transactions?

I mean attackers using fake card details to hit the payment api continuously, Braintree declined these transactions due to fake card, fake address, fraud score…etc. We are looking for a solution to block attacker at the initial level from cloudflare.

This topic was automatically closed after 30 days. New replies are no longer allowed.