Under attack despite "Under Attack Mode" being initiated

What is the name of the domain?

What is the issue you’re encountering?

We have been under attack since July. 100s of fake accounts are being created in our Big Commerce store and trying to check out one product (the same product every time), with different credit cards. A few orders got through, and we have since made the payment processing more stringent. However, this has not stopped the issue. The only way I can pause the activity is to completely delete the product, and a few days later the process starts again with a different product. We are now at a point where the payment provider is threatening to suspend the account because of the number of attempts. I have over 1,000 fake accounts in Big Commerce (and subsequently the same in my Email Service Provider).

What steps have you taken to resolve the issue?

We installed Cloudflare Pro Plan a few days ago and configured it with the Orange to Orange Big Commerce instructions. I initiated Under Attack Mode, but a few hours later accounts were being created and orders attempted. This is not my area and I desperately need help. There could be rules we could put in place, but what they are and how to create them I would not know.

I thought these bots would be shown a captcha form at checkout, but somehow they are getting under the radar. All of the email addresses start with a mix of numbers/letters:

[email protected]
[email protected]
[email protected]

Can we create a rule for showing the form if the email looks suspect?

Any advice or help is appreciated. Is there someone who can walk me through the account and tell me if something isn’t set up properly?

Thank you

Generally, you would want to identify common features of either your real customers or fake customers. If that is not something you can do, you might need to hire a consultant that helps you with that.

Are your real customers all from a handful of countries? Then start by blocking other countries. Are the fake customers all from one country? Block that country.
Same for other things. Source IP, User-Agent etc.

Also, I would recommend that you use Super Bot Fight Mode and block definitely automated and likely automated requests. You would then need to create exceptions to these blocks for traffic that you do want to reach your servers, like your payment provider.

2 Likes
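Added example (not part of the original thread or any poster's reply): one way to look for the "common features" suggested above in an export of checkout attempts, matching the pattern described in the question (many accounts, one product, many different cards). The field names, thresholds and sample rows are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed checkout attempts (not real data). Field names are assumptions;
# map them to the columns of your store or payment-provider export.
def _a(email, product, card, country, ua, declined):
    return dict(email=email, product=product, card=card, country=country,
                ua=ua, declined=declined)

ATTEMPTS = [
    _a("x7k2q@example.com", "SKU-SERUM", "1111", "US", "HeadlessUA/1.0", True),
    _a("9fj3a@example.com", "SKU-SERUM", "2222", "BR", "HeadlessUA/1.0", True),
    _a("q2w8z@example.com", "SKU-SERUM", "3333", "VN", "HeadlessUA/1.0", True),
    _a("m4n6b@example.com", "SKU-SERUM", "4444", "US", "HeadlessUA/1.0", False),
    _a("jane@example.com", "SKU-SERUM", "5555", "US", "Safari/17", False),
    _a("raj@example.com", "SKU-BRUSH", "6666", "US", "Chrome/126", False),
    _a("lee@example.com", "SKU-BRUSH", "7777", "CA", "Firefox/127", False),
]

def flag_products(attempts, min_accounts=4, min_decline_rate=0.5):
    """Products hit by many distinct accounts and cards, mostly declined."""
    by_product = defaultdict(list)
    for a in attempts:
        by_product[a["product"]].append(a)
    flagged = {}
    for product, rows in by_product.items():
        accounts = len({r["email"] for r in rows})
        cards = len({r["card"] for r in rows})
        rate = sum(r["declined"] for r in rows) / len(rows)
        if min(accounts, cards) >= min_accounts and rate >= min_decline_rate:
            flagged[product] = {"accounts": accounts, "cards": cards,
                                "decline_rate": rate}
    return flagged

def common_traits(attempts, flagged, fields=("country", "ua"), min_share=0.8):
    """(field, value, share, other_hits) for values shared by most declined
    attempts on flagged products; other_hits = other attempts also matched."""
    suspect = [a for a in attempts if a["product"] in flagged and a["declined"]]
    others = [a for a in attempts if a not in suspect]
    traits = []
    for field in (fields if suspect else ()):
        value, n = Counter(a[field] for a in suspect).most_common(1)[0]
        if n / len(suspect) >= min_share:
            hits = sum(o[field] == value for o in others)
            traits.append((field, value, n / len(suspect), hits))
    return traits

if __name__ == "__main__":
    hot = flag_products(ATTEMPTS)
    print(hot, common_traits(ATTEMPTS, hot))
```

A trait that comes back with a high share and few other hits is a candidate for a custom WAF rule; a field that returns nothing (country, in this constructed sample) is not a usable filter on its own.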

Is it still enabled? Is it set for the whole domain? If so, I’m not getting challenged.

Can you show a screenshot of your DNS records just to be sure this is set correctly?

2 Likes

Hello,

Thank you for your reply.

I took it off because I had a Labor Day promotion going out and since we were still getting the orders with Under Attack Mode on anyway.

I have put it back on now, so please let me know if you are being challenged.

Here are the DNS settings

Emily

Hello,

The IP addresses I see in Big Commerce are different - where would I see the Source IP address? The orders use US addresses - sometimes, but not often the IP address is not in the USA. There is no consistency between countries or IP addresses.

Thanks
Emily

eyeenvy.com is challenging and you showed the correct CNAME in your screenshot. But it redirects to www.eyeenvy.com that does not challenge if you enter directly there. What DNS records do you have set for www? It should be the same CNAME.

I think this must be wrong:

Try changing www to CNAME to shops.mybigcommerce.com as well.

1 Like

Do I need to put: www.eyeenvy.com under Name or leave as www?

Just www

THANK YOU 🙂 😀 I was challenged so now this must be working as expected.

4 Likes

Is there anything else you think I should do? Any other recommendations? I will see if we have any attempted orders in the next 48 hrs.

Now that all requests are passing through your Cloudflare account first, before going on to BigCommerce, you can set custom rules in the WAF of your account to block specific IP addresses or other characteristics depending on what you find.

Challenging everything should stop most of the automated stuff; you can fine-tune with custom WAF rules for anything else that gets through.

1 Like
