Genaker / Magento2_Payment_Bot_Block


Certain attack vectors still possible #5

Open jmelkun opened 2 years ago

jmelkun commented 2 years ago

The current module does not prevent a single IP address from generating many carts and proceeding to check out on each of them. As a consequence, if the attacker generates a cart and checks out, they are not stopped until they use the same cart again 20 times.

If you're open to pull requests, I'll write the code to prevent a same-IP attacker and make the request.

Thanks

cdbessig commented 2 years ago

Yes, he is open to pull requests, as I had made one and it was merged.

Genaker commented 2 years ago

It blocks the IP address also, not just the same cart. The issue is attackers change IP all the time; we shouldn't check and block IP ranges.

On Thu, Sep 23, 2021 at 11:45 AM jmelkun @.***> wrote:

The current module does not prevent a single IP address from generating many carts and proceeding to check out on each of them. As a consequence, if the attacker generates a cart and checks out, they are not stopped until they use the same cart again 20 times.

If you're open to pull requests, I'll write the code to prevent a same-IP attacker and make the request.

Thanks


pmonosolo commented 2 years ago

This is decent. I'd love to learn how to test it against the requests.

I'll see if I can develop the Admin section for this plugin so there's more control.

Great work @Genaker !

cdbessig commented 2 years ago

@pmonosolo this module does work very well when the attacks are one source IP, which they were a few months ago. Recently the attacks have been sourced by botnets, meaning different IPs for many if not all requests.

In the later versions of the attack, this module has proven less useful. Captchas being implemented on the payment form, as in Gene Commerce Braintree 4.0.8 for example, have been the cure since the attack has mutated.

While I and the community would love to welcome any enhancements to any open source modules, I’d recommend you see if this is going to work for your use case before spending significant time on enhancements.

cdbessig commented 2 years ago

Also thanks for editing your comment to thank @Genaker ! He was the mastermind here! I simply added two lines to the readme! @Genaker thanks again for all your hard work on this and just being in the community.

Genaker commented 2 years ago

@cdbessig ok I will fix that!

pmonosolo commented 2 years ago


The latest attacks introduced varied CardID. They would generate CardID on another Magento 2.3 site and use the string to create a POST on your site.

You can see referrals from another site in the requests.

So now they:

  • vary IP addresses on every request

  • vary Cart ID on every request

  • use another site to create Cart ID

I'm not sure how to stop these attacks, but I think the most effective thing we can do is to add an alert system.

If the plugin was emailing you when you get attacked (for example by seeing too many failed CC payment requests), that would at least give you a heads up (knowing an attack is happening is 90% of the problem).

Then we can introduce, for example, putting Cloudflare on "Under Attack Mode" once it sees failed CC payment requests.

This could be a good plugin, but I don't think we can solve the issue without ReCAPTCHA.

Now I just need some time to work on it :) lol

Genaker commented 1 year ago

Easy to fix. We need to introduce a new ID that we will use and the cart bot will not know about.

"See referrals from another site in the requests": we can also filter by referral.
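As an added example (not the module's code), here is the detection logic the thread converges on, run over constructed log lines in Python: the module's existing per-cart and per-IP counting, the store-wide failed-payment burst alert pmonosolo proposes (which still fires when every request comes from a different IP and cart), and the foreign-referer check Genaker mentions. The log format, `STORE_HOST`, the one-minute window and the burst limit are assumptions; the limit of 20 is the per-cart threshold quoted in the thread, and applying it per IP as well is an assumption.

```python
from collections import Counter, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse

STORE_HOST = "shop.example"        # assumed hostname of the protected store
PER_CART_LIMIT = 20                # the per-cart threshold quoted in the thread
GLOBAL_FAILED_LIMIT = 5            # assumed: failed attempts tolerated store-wide per window
WINDOW = timedelta(minutes=1)      # assumed sliding window for the burst alert

def parse_line(line):
    """Parse one constructed log line: '<iso-ts> <ip> <cart_id> <referer> <result>'."""
    ts, ip, cart, referer, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "cart": cart,
            "referer": referer, "result": result}

def analyse(lines):
    """Return carts/IPs over the per-entity limit, referer hosts other than the store,
    and whether the store-wide failed-payment rate tripped the alert threshold."""
    per_cart, per_ip = Counter(), Counter()
    foreign_referers = set()
    window = deque()           # timestamps of recent failed attempts, any IP, any cart
    burst_alert = False
    for rec in map(parse_line, lines):
        if rec["result"] != "failed":
            continue           # only failed card attempts count toward any threshold
        per_cart[rec["cart"]] += 1
        per_ip[rec["ip"]] += 1
        host = urlparse(rec["referer"]).hostname
        if host and host != STORE_HOST:
            foreign_referers.add(host)   # cart created on another site, as in the thread
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > WINDOW:
            window.popleft()
        if len(window) > GLOBAL_FAILED_LIMIT:
            burst_alert = True           # distributed attack: no single IP or cart stands out
    return {
        "carts_over_limit": [c for c, n in per_cart.items() if n >= PER_CART_LIMIT],
        "ips_over_limit": [i for i, n in per_ip.items() if n >= PER_CART_LIMIT],
        "foreign_referers": sorted(foreign_referers),
        "burst_alert": burst_alert,
    }

# Constructed sample: one legitimate success, then six failed attempts within one minute,
# each from a different IP and cart, referred from another shop; nothing reaches 20.
SAMPLE_LOG = ["2021-09-23T11:44:50 198.51.100.7 cart99 https://shop.example/checkout success"] + [
    f"2021-09-23T11:45:{i:02d} 203.0.113.{i} cart{i} https://other-shop.example/checkout failed"
    for i in range(6)
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Per-IP and per-cart counters stay silent on the sample, while the store-wide window and the foreign referer both flag it.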