Anti-DDoS policy denies real customers

We have constant issues with real customers falling foul of the cyber attack policy and they get denied access to the website. As far as we can tell it's usually when they have attempted to pay a couple of times and failed. Nitrosell asks us to get their IP address and then they can unblock that customer. However it is incredibly hard to get this information out of non-technical end users - they are generally pretty annoyed that they have been denied access and also technically ill-equipped to get their IP address. So we end up losing that customer AND not being able to report it to Nitrosell. As far as we know it's happening every week (and there must be more of our customers who don't even bother to contact us). Does this issue happen to anyone else? We can't gather sufficient evidence but we know from speaking to customers that it's happening quite a bit and it's an issue.

Emma

Hi Emma,

This actually triggers after 20 failed payments from the same IP address. However, it is a global block, so if one malicious actor using a dynamic IP triggers 20 failed payments across our platform, it will block them for all sites.

We have two options here, on which we’d like to get your input:

  1. We can put a form on the “blocked” page so that shoppers can enter, say, their name and email address (and the IP is retrieved automatically); then we would forward that to you. Furthermore, we could add a page on the WSM enabling you to unblock that IP yourself, via a link in the email.
  2. We could add an option to disable it on a per store basis, i.e., ignore the blacklist for just your store.

Let me know what you think.

Regards,
Donogh

Hi @donogh,

Does the blacklist persist forever (i.e., will we see more and more cases over time), or do you release IPs after a period of time?

Option 1 sounds the safest, just not sure we’d get customers providing their details - as mentioned they are already pretty hostile by this point and they are suspicious that they are the one being hacked!

If we disabled the blacklist for our store, what implications would that have?

Emma

Hi @donogh,

To rephrase my first question better - once an IP address is put on the blacklist, is it on it forever?

Hi Emma,

Addresses do need to be manually removed, yes. Would you like to suggest an expiry timeframe?

When you say option 1, that’s the option where we add the form for them to submit. You’d like to be able to disable it store-wide instead, option 2?

Regards,
Donogh

Hi Donogh/Emma

We had a similar issue last week from our own IP address; we use the website for checking items should we get a phone call, but rarely if ever buy from our own website other than whilst testing.

The reply we received was "rogue bot autobanned by anti-DoS from www.rmspos.co.uk until 2019-08-01 12:12".

Has something changed recently in the DoS detection software?

Regards, Jim

Hi Jim/Donogh,

I’m not sure what error messages our customers get each time, I’ve not heard anything specific like that - but as mentioned it's really difficult to interrogate them, and our sales team focus more on “saving the sale” tbh. It does seem to us though that it's occurring more.

From our evidence and what Donogh says it does seem odd that they attempt to pay once or twice and then get blocked - implying that that IP was just sitting at 18 or 19 failed payments and then this customer happened to tip it over? Odd.

Donogh as I’m not a cyber crime expert I have no idea how long an IP address should remain on the blacklist - a month? a year? What seems clear is that it shouldn’t be blacklisted forever.

Or if you are keeping a tally of how many failed payments an IP address has BEFORE blacklisting it, perhaps that should be reset after a period of time too?

What is the implication of disabling the blacklist?

From our point of view the best outcome would be to reduce the incidence of this occurring AND have a better way of tackling it when it does.

Emma

Hi Jim, Emma,

First of all, the anti-DoS bot has nothing to do with failed payments; that’s an entirely separate security measure that is only triggered by unusually high volumes of requests that take place over a very short time-frame. That can only be triggered by an automated process, which is nearly always a robot that is scanning your site aggressively. There is a limit set in robots.txt for robots and if the scanner is breaking that limit, it will get blocked. Jim, I’d suggest you open a ticket on that.

Emma, your issue is around repeated failed payment attempts from a single IP address. To answer your questions:

  1. That does sound to be most likely what’s happening – the last few payments tip it over the edge for that IP, and it’s a dynamic IP that jumps between users on an ISP.

  2. The blacklist is tracked from the first failed payment attempt; I’d suggest the expiry would apply to the first time it failed.

  3. The implication of turning it off is you are losing a layer of security. Obviously, if there are too many false positives it’s hard to justify keeping it enabled.

Any thoughts please @jbw?

Regards,
Donogh
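The failed-payment blocklist Donogh describes (a per-IP tally, a threshold of 20, a global scope across all stores, an expiry counted from the first failure, and the dynamic-IP false positive Emma observed) can be made concrete with a small model. The code below is an added example written for this thread, not NitroSell's or WebSell's own implementation; the threshold of 20 comes from the thread, while `EXPIRY_SECONDS`, the store names, the IP addresses and the timings are constructed assumptions, since the real expiry was deliberately not published.

```python
# Added example (not NitroSell/WebSell code): a per-IP failed-payment counter
# with a block threshold, an expiry anchored at the FIRST failure, a per-IP
# allowlist and a per-store opt-out. The threshold of 20 is from the thread;
# EXPIRY_SECONDS is a placeholder because the real value was not made public.
from dataclasses import dataclass
from typing import Dict, Set

FAILURE_THRESHOLD = 20
EXPIRY_SECONDS = 24 * 3600  # assumption; the real expiry is not in the thread


@dataclass
class IpRecord:
    first_failure: float  # epoch seconds of the first failure in this window
    failures: int = 0


class FailedPaymentBlocklist:
    """Global (all-store) blocklist keyed by client IP."""

    def __init__(self, threshold: int = FAILURE_THRESHOLD,
                 expiry: float = EXPIRY_SECONDS) -> None:
        self.threshold = threshold
        self.expiry = expiry
        self._records: Dict[str, IpRecord] = {}
        self._allowlist: Set[str] = set()       # fixed IPs that are never blocked
        self._exempt_stores: Set[str] = set()   # "option 2": store ignores the list

    def _expired(self, rec: IpRecord, now: float) -> bool:
        # The window is anchored at the first failure, as suggested in the thread.
        return now - rec.first_failure >= self.expiry

    def record_failure(self, ip: str, now: float) -> int:
        """Count one failed payment; returns the running total for this IP."""
        rec = self._records.get(ip)
        if rec is None or self._expired(rec, now):
            rec = IpRecord(first_failure=now)   # a stale tally is reset, not carried
            self._records[ip] = rec
        rec.failures += 1
        return rec.failures

    def is_blocked(self, ip: str, store: str, now: float) -> bool:
        if ip in self._allowlist or store in self._exempt_stores:
            return False
        rec = self._records.get(ip)
        if rec is None:
            return False
        if self._expired(rec, now):
            del self._records[ip]
            return False
        return rec.failures >= self.threshold

    def unblock(self, ip: str) -> None:         # manual release ("option 1")
        self._records.pop(ip, None)

    def allow_ip(self, ip: str) -> None:
        self._allowlist.add(ip)

    def exempt_store(self, store: str) -> None:
        self._exempt_stores.add(store)


def simulate_dynamic_ip_scenario() -> dict:
    """Constructed timeline of the false positive discussed in the thread: a
    card-testing bot burns 18 failures on a dynamic ISP address, the ISP later
    re-assigns that address to a real shopper, and the shopper's two mistakes
    tip the tally over the threshold for every store on the platform."""
    bl = FailedPaymentBlocklist()
    ip = "203.0.113.7"   # constructed, RFC 5737 documentation range
    t = 0.0
    for _ in range(18):  # bot fails 18 times, 5 s apart; first failure at t=5
        t += 5.0
        bl.record_failure(ip, t)
    bot_blocked = bl.is_blocked(ip, "store-a", t)             # 18 < 20
    t += 6 * 3600        # six hours later the address belongs to a shopper
    total = 0
    for i in (1, 2):     # shopper mistypes card details twice
        total = bl.record_failure(ip, t + i)
    shopper_blocked = bl.is_blocked(ip, "store-a", t + 2)      # now at 20
    other_store_blocked = bl.is_blocked(ip, "store-b", t + 2)  # list is global
    bl.exempt_store("store-b")
    exempt_store_blocked = bl.is_blocked(ip, "store-b", t + 2)
    cleared = not bl.is_blocked(ip, "store-a", 5.0 + EXPIRY_SECONDS)
    return {
        "bot_blocked": bot_blocked,
        "total_failures": total,
        "shopper_blocked": shopper_blocked,
        "other_store_blocked": other_store_blocked,
        "exempt_store_blocked": exempt_store_blocked,
        "cleared_after_expiry": cleared,
    }


if __name__ == "__main__":
    for key, value in simulate_dynamic_ip_scenario().items():
        print(f"{key}: {value}")
```

Anchoring the expiry at the first failure means a long-lived tally on a shared dynamic address keeps accumulating across unrelated users until it expires; shortening `EXPIRY_SECONDS` (as was eventually done) is what limits how many innocent shoppers can inherit a nearly-full counter.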

Hi Emma,

Turns out there was an expiry on failed payment IPs. However, it was very long. We have adjusted it downwards significantly now. I will message you the details because we don’t want to put them here since it’s public.

Regards,
Donogh

Hi Donogh,

That’s great news, thanks. We will report back if there are further issues.

Emma

Hi Donogh/Emma

We did open a case last week (WebSell Portal).

It does concern me that this can be triggered by simply browsing the website. When you say “unusual”, please can you clarify?

Martin has added our fixed IP addresses to the whitelist, hopefully we won’t see the issue again.

Many thanks

Jim

Hi Jim,

A “human” browsing the site cannot trigger it. You would have to be viewing multiple pages per second.

If it’s your own IP, then you need to see if any scanners are running internally. Sometimes these take the form of SEO software designed to analyse your site, or it could be a security scanner, an uptime checker, etc.

We can provide more specific details as to the rate limit in the ticket but not on this public forum.

Regards,
Donogh
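The anti-DoS side of the thread is a separate mechanism: a request-rate check that a person clicking through pages cannot trip but a crawler, SEO analyser or uptime checker fetching several pages per second will. The following is an added example written for this thread, not the platform's own code, showing a sliding-window rate check over access-log lines with an allowlist for a shop's fixed addresses. The limit (`MAX_REQUESTS` per `WINDOW_SECONDS`), the log lines and the IP addresses are all constructed for illustration; the platform's real rate limit was only shared in a private ticket.

```python
# Added example (not NitroSell/WebSell code): a sliding-window request-rate
# check over combined-format access-log lines, telling a human browsing from a
# scanner that fetches several pages per second. MAX_REQUESTS / WINDOW_SECONDS
# are illustrative assumptions; the platform's real rate limit is not public.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List, Optional, Tuple

MAX_REQUESTS = 10      # assumption: more than this many requests ...
WINDOW_SECONDS = 2.0   # ... inside this window is treated as a bot

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Tuple[str, float]]:
    """Return (client_ip, epoch_seconds) for a combined-format log line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FORMAT).timestamp()
    return m["ip"], ts


def find_offenders(lines: Iterable[str], max_requests: int = MAX_REQUESTS,
                   window: float = WINDOW_SECONDS,
                   allowlist: Iterable[str] = ()) -> Dict[str, float]:
    """Map each offending IP to the timestamp at which it first exceeded the
    rate. Allowlisted addresses (a shop's fixed IPs) are never flagged."""
    allowed = set(allowlist)
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    flagged: Dict[str, float] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # skip lines that do not parse
        ip, ts = parsed
        if ip in allowed:
            continue
        dq = recent[ip]
        dq.append(ts)
        while dq and ts - dq[0] > window:   # evict requests outside the window
            dq.popleft()
        if len(dq) > max_requests and ip not in flagged:
            flagged[ip] = ts
    return flagged


def _line(ip: str, offset_s: float, path: str) -> str:
    """Build one constructed log line offset from a fixed base time."""
    base = datetime(2019, 8, 1, 12, 0, 0, tzinfo=timezone.utc)
    ts = (base + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 4096'


def sample_log() -> List[str]:
    """Constructed log (RFC 5737 documentation addresses): a shopper reading a
    page every 5 s, an aggressive crawler at ~20 requests/s, and the shop's
    own SEO tool at ~10 requests/s from its fixed address."""
    lines = [_line("198.51.100.4", 5 * i, f"/product/{i}") for i in range(6)]
    lines += [_line("203.0.113.9", 30 + 0.05 * i, f"/page/{i}") for i in range(30)]
    lines += [_line("192.0.2.10", 60 + 0.1 * i, f"/seo-check/{i}") for i in range(15)]
    return lines


if __name__ == "__main__":
    print("flagged:", find_offenders(sample_log()))
    print("with shop IP allowlisted:",
          find_offenders(sample_log(), allowlist=["192.0.2.10"]))
```

The shopper never has more than one request inside any two-second window, so it cannot be flagged however long the session runs; the crawler and the SEO tool both exceed the window on their eleventh request, and the only way the shop's own address escapes is the allowlist, which is why adding the fixed IPs was the right fix in Jim's case.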