I had a similar thing happen recently. Some of the IP addresses were proxy / datacenters but many of them weren’t, which made me think it might be a botnet. And the UAs were generic, so there wasn’t anything easily-bannable.
I added fingerprinting and rate-limiting and the problem seems to have gone away. They’re trying to test a large number of accounts / credit card numbers so the best strategy is to slow them down to the point where it’s no longer worth it for them at scale.
Wouldn't a "service fee" resolve this? A non-refundable amount to even transact.
I'm hot off fighting one of these botnets. They automatically adapted and spread the calls over a ridiculous number of IPs and all had good JA4 fingerprints at Cloudflare (compromised or nurtured "users"). Gave us nothing to block. We started targeting high count JA4s and blocking those temporarily. This would usually cause them to stop automatically.
Very sophisticated LLM-enabled rented mafia botnet. They crafted attacks of various approaches as we turned up the heat.
In the end we refactored our entire authentication flow. We had a lot of Anon endpoints and ones that would validate card numbers etc from past misguided product and management decisions.
In the end we had to block a lot of legitimate traffic at times.
Reducing friction for users reduces friction for scaled bot attacks.
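The two defences described in this thread (rate-limiting on a fingerprint rather than on the IP, and temporarily blocking whichever JA4 values are producing the most requests) boil down to one mechanism: a sliding-window counter keyed on the fingerprint, with an automatic expiry on the block. The example below is added here to illustrate that; it is not code from any commenter in the thread and not Cloudflare's implementation. The JA4 strings and IP addresses are constructed placeholders, and the request log is synthetic: one fingerprint spread over sixty source IPs (the pattern the comment above describes) next to a handful of requests from an ordinary user.

```python
"""Sliding-window blocker keyed on a TLS fingerprint (added example).

Assumptions (not from the thread): requests arrive as (timestamp, client_ip,
ja4) tuples and the JA4 string has already been computed by the edge. All
fingerprints and addresses below are constructed sample data.
"""
from collections import defaultdict, deque


class SlidingWindowBlocker:
    """Count hits per key inside a sliding window; once a key exceeds the
    threshold it is blocked for block_s seconds, then automatically released."""

    def __init__(self, threshold, window_s, block_s):
        self.threshold = threshold
        self.window_s = window_s
        self.block_s = block_s
        self._hits = defaultdict(deque)  # key -> timestamps still inside window
        self._blocked_until = {}         # key -> time the temporary block ends

    def check(self, key, now):
        """Return "allowed" or "blocked" for one request at time `now`."""
        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                return "blocked"
            # Block expired: release the key and start counting afresh.
            del self._blocked_until[key]
            self._hits[key].clear()

        hits = self._hits[key]
        hits.append(now)
        # Evict hits that have slid out of the window.
        while hits and hits[0] <= now - self.window_s:
            hits.popleft()

        if len(hits) > self.threshold:
            self._blocked_until[key] = now + self.block_s
            hits.clear()
            return "blocked"
        return "allowed"


def replay(requests, key_index, threshold=20, window_s=60.0, block_s=300.0):
    """Replay (t, ip, ja4) tuples through a blocker keyed on one field
    (1 = client IP, 2 = JA4). Returns (allowed, blocked) counts."""
    limiter = SlidingWindowBlocker(threshold, window_s, block_s)
    allowed = blocked = 0
    for req in sorted(requests):
        if limiter.check(req[key_index], req[0]) == "allowed":
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


# Constructed sample traffic (placeholder JA4 values, TEST-NET addresses).
BOT_JA4 = "t13d1516h2_000000000000_000000000000"
USER_JA4 = "t13d1517h2_111111111111_111111111111"
# Sixty requests in six seconds, each from a different IP, same TLS stack.
SAMPLE = [(i * 0.1, f"203.0.113.{i}", BOT_JA4) for i in range(60)]
# One ordinary user, five requests over five seconds.
SAMPLE += [(float(i), "198.51.100.7", USER_JA4) for i in range(5)]


if __name__ == "__main__":
    print("keyed on IP :", replay(SAMPLE, 1))   # per-IP sees 1 hit each
    print("keyed on JA4:", replay(SAMPLE, 2))   # fingerprint trips the limit
```

Keyed on the IP, every source looks like a single request and nothing is blocked; keyed on the JA4, the shared fingerprint trips the threshold on its 21st hit and the remaining 40 requests are refused while the user's five go through. The caveat the thread itself raises still applies: a JA4 value identifies a TLS stack, not a client, so a popular browser build shares one fingerprint across huge numbers of real users. The threshold therefore has to sit well above that legitimate rate, and the block should be short, which is exactly why the comment above ended up blocking legitimate traffic at times.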
There are many companies selling access to "residential proxies".