Tackling the Persistent High-Load Bot Attacks on Magento 2 Websites: Your Go-To Guide

Oct 20, 2023 0 Comments MAGENTO
Blog image

The Clock is Ticking: Secure Your Magento 2 Platform Against Targeted High-Load Bot Attacks Now!

If you own a Magento 2 e-commerce website, you may have encountered disruptive high-load bot attacks that cripple your server and endanger your business. This is no random occurrence but a specific type of attack focused on exploiting vulnerabilities in payment gateway integrations on Magento 2 platforms. The good news is Magento 2.4.7 (currently in Beta) offers a permanent fix. Read on to learn how you can shield your business from these malicious threats.

We recently had a client experience an issue that many Magento 2 owners fear – high-load bot attacks. Their website was bombarded several times per month, resulting in slowed server performance and decreased sales. In this post, we detail the problem, the root cause, and how we tackled it.

Our client was on Magento 2.4.x, and they began to notice that their server load would triple at random times. On investigation, we found thousands of page requests every few minutes, clearly affecting their sales and site performance.

The culprit? A script targeting Magento 2 sites that was publically available on Github.

Our initial solution was to block the offending IP addresses. However, this only worked until the attacker used another IP address.

We realised that the root cause of the problem was a bug in Magento 2.4.x’s captcha system. A patch was available, identified as ACSD-50345, which resolved the issue where reCAPTCHA would not reload after a failed payment. More information on the patch can be found here.

How to Apply The Patch ACSD-50345

Adobe Commerce on cloud infrastructure

  1. Install the latest quality patches package: ./composer update magento/quality-patches
  2. Add QUALITY_PATCHES with patch ID ACSD-50345 to .magento.env.yaml
  3. Ensure YAML formatting is correct
  4. Commit and push .magento.env.yaml, composer.lock files

Adobe Commerce & Magento Open Source

  1. Install the latest quality patches package: ./composer require magento/quality-patches
  2. Apply the patch: ./vendor/bin/magento-patches apply ACSD-50345
  3. Clean the cache: ./bin/magento cache:clean

Read more on applying patches here.

We also considered using Peak Hour, an Australian-based company, or Cloudflare to add extra security layers. Rate-limiting rules were set up to block any IP that hit certain URL paths more than 5 times per minute.

Below are some other tips that might help with similar issues and what can be done to prevent or mitigate the issue.

Table of Contents

  1. Identifying the Specific Attack
  2. Solutions Overview
  3. Permanent Fix in Magento 2.4.7 (Beta)
  4. Detailed Instructions for Implementing Solutions
    1. Cloudflare Configuration
    2. Magento 2 Security Measures
    3. Server-Level Security
  5. Conclusion

Identifying the Specific Attack

This isn’t your run-of-the-mill DDoS attack; it’s far more nefarious. The attackers use a series of IP addresses to flood your website with fraudulent credit card validation attempts. This high-load attack is tailored to exploit Magento 2 websites and specifically targets their payment gateway systems.

Solutions Overview

While Magento is working on a permanent fix, you can still secure your website through:

  1. Cloudflare Configuration: Utilising Cloudflare’s advanced security features.
  2. Magento 2 Security Measures: Using Magento’s security patches and log monitoring.
  3. Server-Level Security: Implementing rate limiting and IP blocking.

Permanent Fix in Magento 2.4.7 (Beta)

The upcoming Magento 2.4.7 (Beta) release includes a built-in solution to this specific type of high-load bot attack. It offers advanced security features designed to eliminate vulnerabilities in payment gateways. If possible, consider upgrading to this version for comprehensive security.

Detailed Instructions for Implementing Solutions

Cloudflare Configuration

  1. Rate Limiting
    • Navigate to the “Firewall” tab after logging in and select “Rate Limiting.”
    • Create a new rule that specifies the maximum allowed requests per minute from a single IP.
  2. Firewall Rules
    • Under “Firewall Rules,” create new conditions to block or challenge IPs based on criteria like geographical location.
  3. User-Agent Blocking
    • Block suspicious User-Agents found in your logs.
  4. Country Blocking
    • Specifically block or challenge users from countries that generate a high volume of attacks.
  5. JavaScript Challenges and CAPTCHAs
    • Use JS Challenges and CAPTCHAs as actions in your firewall rules to deter bots.

Magento 2 Security Measures

  1. Security Patches
    • Regularly update your Magento 2 application through the admin panel under ‘System’ and ‘Web Setup Wizard.’
  2. Logging and Monitoring
    • Enable log settings under ‘Stores,’ ‘Configuration,’ and then ‘Advanced.’
  3. Web Application Firewall (WAF)
    • Install a WAF extension from the Magento marketplace and configure it to your needs.

Server-Level Security

  1. IP Blocking with .htaccess
    • Add a Deny from [IP address] line in your .htaccess file.
  2. Rate Limiting
    • Use mod_ratelimit for Apache or the limit_req module for Nginx to set up server-level rate limiting.
  3. Log Analysis
    • Regularly analyse your server logs for unusual activity and patterns.
  4. Software Updates
    • Keep your server software up to date to close off any known vulnerabilities.

Identifying and combating high-load bot attacks specifically targeted at Magento 2 websites has become a critical need. With the promising permanent fix in Magento 2.4.7 (Beta), we can finally breathe a sigh of relief. However, until then, a multi-layered security approach remains essential for securing your Magento 2 e-commerce platform.

If you looking for some assistance with a similar issue, please do not hesitate to contact us

0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Recent Posts

How to Update WordPress Websites and Plugins

WordPress stands as a cornerstone in the world of web development, powering a vast array of websites across the globe. Keeping your WordPress site and its plugins up-to-date is crucial for security, performance, and taking advantage of the latest features. However, updating your site should be approached with caution to avoid any potential issues. Below,… Continue reading How to Update WordPress Websites and Plugins

Setting Up OAuth 2.0 in Google Cloud Console in 2024

Are you looking to enhance your application’s security with Gmail OAuth 2.0 but feeling overwhelmed by the technicalities? Fear not! We’ve broken down the process into simple, easy-to-follow steps. Even if you’re not tech-savvy, this guide will help you navigate the setup process like a pro. Setting Up OAuth 2.0 in Google Cloud Console Conclusion… Continue reading Setting Up OAuth 2.0 in Google Cloud Console in 2024

Top 10 Ways to Optimise Sales with Your Online Store in 2024

In the dynamic landscape of 2024, e-commerce has transcended from being a mere convenience to a critical component of every successful business strategy. With the digital marketplace burgeoning more than ever, businesses are not just competing on products and prices but also on the digital experience they offer. This competitive edge is no longer a… Continue reading Top 10 Ways to Optimise Sales with Your Online Store in 2024

Partnering with Aussie Websites: Your Key to Building a Shopify Store in Australia

In the digital age, having a strong online presence is essential for businesses looking to thrive and expand. If you’re considering entering the world of e-commerce, building a Shopify store is a smart choice. And when it comes to expert assistance in setting up your Shopify store in Australia, Aussie Websites is the ideal partner.… Continue reading Partnering with Aussie Websites: Your Key to Building a Shopify Store in Australia
More posts