The Clock is Ticking: Secure Your Magento 2 Platform Against Targeted High-Load Bot Attacks Now!
If you run a Magento 2 e-commerce website, you may have encountered disruptive high-load bot attacks that cripple your server and endanger your business. This is no random occurrence but a specific type of attack that abuses the payment gateway integration on Magento 2 platforms to test stolen card numbers. The good news is that Magento 2.4.7 (currently in Beta) offers a built-in fix. Read on to learn how you can shield your business from these attacks in the meantime.
We recently had a client experience an issue that many Magento 2 owners fear – high-load bot attacks. Their website was bombarded several times per month, resulting in slowed server performance and decreased sales. In this post, we detail the problem, the root cause, and how we tackled it.
Our client was on Magento 2.4.x, and they began to notice that their server load would triple at random times. On investigation, we found thousands of page requests every few minutes, clearly affecting their sales and site performance.
The culprit? A script targeting Magento 2 sites that was publicly available on GitHub.
Our initial solution was to block the offending IP addresses. However, this only worked until the attacker used another IP address.
We realised that the root cause of the problem was a bug in Magento 2.4.x’s reCAPTCHA handling: after a failed payment the reCAPTCHA widget was not reloaded, so a script could keep submitting card attempts without solving a fresh challenge. A patch was available, identified as ACSD-50345, which resolves that issue. More information on the patch can be found here.
How to Apply The Patch ACSD-50345
Adobe Commerce on cloud infrastructure
- Install the latest quality patches package: composer update magento/quality-patches
- Add QUALITY_PATCHES with the patch ID ACSD-50345 to .magento.env.yaml
- Ensure the YAML formatting is correct
- Commit and push .magento.env.yaml and composer.lock
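What that QUALITY_PATCHES entry looks like in .magento.env.yaml, shown here as an added example rather than copied from the original post (the key structure is the one Adobe documents; the patch list is the only part you change):

```yaml
# .magento.env.yaml (added example; stage > build > QUALITY_PATCHES is the documented location)
stage:
  build:
    QUALITY_PATCHES:
      - ACSD-50345
```

Cloud applies the listed patches during the build phase, so a patch that fails to apply shows up in the build log rather than silently being skipped; the list can carry several patch IDs, one per line.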
Adobe Commerce & Magento Open Source (on-premises)
- Install the latest quality patches package: composer require magento/quality-patches
- Apply the patch: ./vendor/bin/magento-patches apply ACSD-50345
- Confirm it shows as applied: ./vendor/bin/magento-patches status
- Clean the cache: ./bin/magento cache:clean
Read more on applying patches here.
We also considered using Peak Hour, an Australian-based company, or Cloudflare to add extra security layers. Rate-limiting rules were set up to block any IP that hit certain URL paths more than 5 times per minute.
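Before enabling a rule like that, it is worth measuring how often real checkouts hit the payment endpoints, so the threshold blocks card testers without blocking customers. The following script is an added example written for this post (not the client's tooling and not anything from Peak Hour or Cloudflare): it reads an Nginx or Apache combined-format access log, counts requests per client IP per minute against the Magento REST payment-information endpoints, and reports addresses that exceed a threshold. The log lines are constructed for illustration, and the endpoint pattern and threshold are assumptions to adjust for your store.

```shell
#!/bin/sh
# Added example: find client IPs that hit the Magento payment endpoints more than
# a given number of times within a single one-minute window of an access log.
# Assumption: combined log format (ip - - [date] "METHOD path HTTP/x" status ...).

# Magento REST endpoints the checkout posts card details to, for guest carts
# (/V1/guest-carts/<id>/payment-information) and logged-in carts
# (/V1/carts/mine/payment-information). The pattern is an assumption for this example.
PAYMENT_PATHS='/V1/(guest-)?carts/[^/]+/payment-information'

# find_card_testers THRESHOLD [LOGFILE]
# Prints "ip worst_count" for every IP whose count in some minute exceeds THRESHOLD.
# Reads stdin when no LOGFILE is given.
find_card_testers() {
  limit=$1
  shift
  awk -v re="$PAYMENT_PATHS" -v limit="$limit" '
    # $1 = client IP, $4 = "[10/Oct/2023:13:55:36", $7 = request path
    $7 ~ re {
      minute = substr($4, 2, 17)            # dd/Mon/yyyy:HH:MM
      count[$1 " " minute]++
    }
    END {
      for (k in count) {
        split(k, p, " ")
        if (count[k] > limit && count[k] > worst[p[1]]) worst[p[1]] = count[k]
      }
      for (ip in worst) print ip, worst[ip]
    }' "$@" | sort
}

# Constructed sample log: 203.0.113.7 tests six cards inside one minute (flagged at
# threshold 5), 198.51.100.4 is a real customer, and 203.0.113.9 spreads six attempts
# over two minutes, which a fixed per-minute window does not catch at threshold 5.
write_sample_log() {
  cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /rest/default/V1/guest-carts/a1b2c3/payment-information HTTP/1.1" 400 87 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /rest/default/V1/guest-carts/a1b2c3/payment-information HTTP/1.1" 400 87 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /rest/default/V1/guest-carts/a1b2c3/payment-information HTTP/1.1" 400 87 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:10 +0000] "GET /checkout/ HTTP/1.1" 200 51230 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:13 +0000] "POST /rest/default/V1/guest-carts/a1b2c3/payment-information HTTP/1.1" 400 87 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:16 +0000] "POST /rest/default/V1/guest-carts/a1b2c3/payment-information HTTP/1.1" 400 87 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:19 +0000] "POST /rest/default/V1/guest-carts/a1b2c3/payment-information HTTP/1.1" 400 87 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:30 +0000] "POST /rest/default/V1/carts/mine/payment-information HTTP/1.1" 200 6 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:58 +0000] "GET /checkout/onepage/success/ HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:40 +0000] "POST /rest/V1/guest-carts/zz9/payment-information HTTP/1.1" 400 87 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:56:50 +0000] "POST /rest/V1/guest-carts/zz9/payment-information HTTP/1.1" 400 87 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:56:59 +0000] "POST /rest/V1/guest-carts/zz9/payment-information HTTP/1.1" 400 87 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:57:05 +0000] "POST /rest/V1/guest-carts/zz9/payment-information HTTP/1.1" 400 87 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:57:15 +0000] "POST /rest/V1/guest-carts/zz9/payment-information HTTP/1.1" 400 87 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:57:25 +0000] "POST /rest/V1/guest-carts/zz9/payment-information HTTP/1.1" 400 87 "-" "python-requests/2.31"
EOF
}

# Stand-alone usage: sh find_card_testers.sh 5 /var/log/nginx/access.log
if [ -n "${1:-}" ]; then
  find_card_testers "$@"
fi
```

Run it against a week of logs with the threshold you intend to configure at the edge and check that no address on the list belongs to a paying customer; the second attacker in the sample shows why a slow tester needs either a lower threshold or a sliding window rather than calendar minutes. If Cloudflare fronts the site, make sure the web server logs the CF-Connecting-IP value, otherwise every line carries a Cloudflare address and the counts are meaningless.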
Below are some other tips that might help with similar issues and what can be done to prevent or mitigate the issue.
Table of Contents
- Identifying the Specific Attack
- Solutions Overview
- Permanent Fix in Magento 2.4.7 (Beta)
- Detailed Instructions for Implementing Solutions
- Cloudflare Configuration
- Magento 2 Security Measures
- Server-Level Security
- Conclusion
Identifying the Specific Attack
This isn’t your run-of-the-mill DDoS attack; it’s more targeted. The attackers use a series of IP addresses to flood your website with fraudulent credit card validation attempts: a script submits stolen card numbers through the checkout’s payment step to learn which ones are still live (card testing, or “carding”). The server load is a side effect; the real target is the payment gateway behind your Magento 2 store, and every attempt can cost you gateway fees and put your merchant account at risk.
Solutions Overview
While Magento is working on a permanent fix, you can still secure your website through:
- Cloudflare Configuration: Utilising Cloudflare’s advanced security features.
- Magento 2 Security Measures: Using Magento’s security patches and log monitoring.
- Server-Level Security: Implementing rate limiting and IP blocking.
Permanent Fix in Magento 2.4.7 (Beta)
The upcoming Magento 2.4.7 release (in Beta at the time of writing) adds built-in rate limiting of payment-information requests, so repeated card attempts are throttled inside the application rather than only at the edge. Upgrade when you can, but keep the edge and server-level controls described below in place: a release-level fix does not remove the load of requests that still reach Magento before being rejected.
Detailed Instructions for Implementing Solutions
Cloudflare Configuration
- Rate Limiting
  - Log in and open the “Firewall” tab, then “Rate Limiting” (in current dashboards this lives under Security, WAF, Rate limiting rules).
  - Create a rule that matches the checkout payment paths (the REST payment-information endpoints and the checkout URL) and sets the maximum requests per minute from a single IP. A low threshold such as 5 per minute is workable because a legitimate checkout submits payment only a handful of times; use Block or Managed Challenge as the action.
- Firewall Rules
  - Under “Firewall Rules” (now “Custom rules”), create conditions to block or challenge IPs based on criteria such as geographical location or ASN.
- User-Agent Blocking
  - Block suspicious User-Agents found in your logs, keeping in mind that a User-Agent is trivially spoofed, so treat it as one signal rather than a control.
- Country Blocking
  - Block or challenge traffic from countries that generate a high volume of attacks and none of your sales.
- JavaScript Challenges and CAPTCHAs
  - Use JS Challenges and Managed Challenges as actions in your rules to deter bots. The payment-information endpoints are called by the checkout’s own JavaScript, and a browser cannot complete a challenge inside such a background request, so apply challenges to the page loads and rate limits to the endpoints, or you will break legitimate checkouts.
Magento 2 Security Measures
- Security Patches
  - Apply Magento security patches and quality patches promptly. The Web Setup Wizard was removed in Magento 2.4.0, so updates are done from the command line with Composer (composer update followed by bin/magento setup:upgrade), not from the admin panel.
- Logging and Monitoring
  - Enable developer logging under ‘Stores,’ ‘Configuration,’ ‘Advanced,’ ‘Developer’ (shown in developer mode) and watch var/log/system.log and var/log/exception.log alongside your web server access log, which is where the request bursts described above are easiest to see.
- Web Application Firewall (WAF)
  - Put a WAF in front of the store, such as Cloudflare’s WAF or a host-level ModSecurity. Marketplace “firewall” extensions run inside PHP after the request has already reached Magento, so they still pay most of the server cost the attack creates.
Server-Level Security
- IP Blocking with .htaccess
  - Add a Deny from [IP address] line to your .htaccess file. That is Apache 2.2 syntax; on Apache 2.4 the equivalent is Require not ip [IP address] inside a <RequireAll> block together with Require all granted. Behind Cloudflare or any other proxy Apache sees the proxy’s address unless mod_remoteip restores the client IP, and attackers rotate addresses anyway, so treat this as a stop-gap.
- Rate Limiting
  - Use the limit_req module for Nginx to set up server-level rate limiting. Apache’s mod_ratelimit only throttles response bandwidth per connection, not request rate; use mod_evasive or mod_qos there instead.
- Log Analysis
  - Regularly analyse your server logs for unusual activity and patterns, in particular bursts of POST requests to the checkout payment endpoints from a single address.
- Software Updates
  - Keep your server software up to date to close off any known vulnerabilities.
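To make the Nginx rate limiting concrete, here is an added example (not Magento’s nginx.conf.sample and not the client’s configuration) that applies a tight per-IP limit only to the REST endpoints the checkout uses to submit card details, leaving ordinary browsing alone. The zone size, rate, burst value, paths and server name are assumptions to tune against your own logs.

```nginx
# Added example: per-IP request-rate limit on the Magento payment endpoints only.
# Rate, burst, zone size, paths and names are assumptions for this illustration.

http {
    # If Cloudflare (or another proxy) sits in front, restore the real client IP,
    # otherwise every request appears to come from the proxy and shares one bucket.
    # List every published Cloudflare range here; one is shown as a placeholder.
    set_real_ip_from 173.245.48.0/20;
    real_ip_header CF-Connecting-IP;

    # One token bucket per client IP: 5 requests per minute, state kept in 10 MB
    # (roughly 160,000 addresses). A real checkout posts payment once or twice.
    limit_req_zone $binary_remote_addr zone=payment:10m rate=5r/m;

    upstream fastcgi_backend {
        server unix:/run/php/php-fpm.sock;      # assumption: your PHP-FPM socket
    }

    server {
        listen 80;
        server_name store.example.com;           # assumption
        set $MAGE_ROOT /var/www/html;            # assumption: Magento install root

        # A regex location wins over the plain prefix locations in Magento's sample
        # config, so only these endpoints are throttled. burst=3 nodelay lets a
        # customer's first few submissions through instantly; excess gets a 429.
        location ~* /V1/(guest-)?carts/[^/]+/payment-information {
            limit_req zone=payment burst=3 nodelay;
            limit_req_status 429;
            try_files $uri $uri/ /index.php$is_args$args;
        }

        # Everything else, including the PHP handler the try_files above lands on,
        # comes from Magento's own sample configuration.
        include $MAGE_ROOT/nginx.conf.sample;
    }
}
```

With rate=5r/m Nginx refills one token every 12 seconds, so a client gets about four immediate submissions and then one every 12 seconds until it backs off; a card-testing script that fires thousands of attempts receives 429s and the requests never reach PHP. Watch the error log for “limiting requests” entries after deploying and raise the burst if genuine customers with a declined card and a retry appear there.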
Identifying and combating high-load bot attacks specifically targeted at Magento 2 websites has become a critical need. With a built-in fix coming in Magento 2.4.7 (currently Beta) there is relief in sight, but until you are on that release, and even after, a multi-layered approach (edge rate limiting, the ACSD-50345 patch, server-level limits and log monitoring) remains essential for securing your Magento 2 e-commerce platform.
If you are looking for assistance with a similar issue, please do not hesitate to contact us.