We have constant issues with real customers falling foul of the cyber attack policy and they get denied access to the website. As far as we can tell it's usually when they have attempted to pay a couple of times and failed. Nitrosell asks us to get their IP address and then they can unblock that customer. However, it is incredibly hard to get this information out of non-technical end users - they are generally pretty annoyed that they have been denied access and also technically ill-equipped to get their IP address. So we end up losing that customer AND not being able to report it to Nitrosell. As far as we know it's happening every week (and there must be more of our customers who don't even bother to contact us). Does this issue happen to anyone else? We can't gather sufficient evidence, but we know from speaking to customers that it's happening quite a bit and it's an issue.
This actually triggers after 20 failed payments from the same IP address. However, it is a global block, so if one malicious actor using a dynamic IP triggers 20 failed payments across our platform, it will block them for all sites.
We have two options here, on which we’d like to get your input:
1. We can put a form on the "blocked" page so that shoppers can enter, say, their name and email address (and the IP is retrieved automatically); then we would forward that to you. Furthermore, we could add a page on the WSM enabling you to unblock that IP yourself, via a link in the email.
2. We could add an option to disable it on a per-store basis, i.e., ignore the blacklist for just your store.
Does the blacklist persist forever (i.e., will we see more and more cases over time), or do you release IPs after a period of time?
Option 1 sounds the safest; I'm just not sure we'd get customers providing their details - as mentioned, they are already pretty hostile by this point and they are suspicious that they are the one being hacked!
If we disabled the blacklist for our store, what implications would that have?
We had a similar issue last week from our own IP address; we use the website for checking items should we get a phone call, but rarely if ever buy from our own website other than whilst testing.
The reply we received was "rogue bot autobanned by anti-DoS from www.rmspos.co.uk until 2019-08-01 12:12".
Has something changed recently in the DoS detection software?
I'm not sure what error messages our customers get each time; I've not heard anything specific like that - but as mentioned it's really difficult to interrogate them, and our sales team focus more on "saving the sale" tbh. It does seem to us though that it's occurring more.
From our evidence and what Donogh says it does seem odd that they attempt to pay once or twice and then get blocked - implying that that IP was just sitting at 18 or 19 failed payments and then this customer happened to tip it over? Odd.
Donogh, as I'm not a cyber crime expert I have no idea how long an IP address should remain on the blacklist - a month? A year? What seems clear is that it shouldn't be blacklisted forever.
Or if you are keeping a tally of how many failed payments an IP address has BEFORE blacklisting it, perhaps that should be reset after a period of time too?
What is the implication of disabling the blacklist?
From our point of view the best outcome would be to reduce the incidence of this occurring AND have a better way of tackling it when it does.
First of all, the anti-DoS bot has nothing to do with failed payments; that's an entirely separate security measure that is only triggered by unusually high volumes of requests that take place over a very short time-frame. That can only be triggered by an automated process, which is nearly always a robot that is scanning your site aggressively. There is a limit set in robots.txt for robots, and if the scanner is breaking that limit, it will get blocked. Jim, I'd suggest you open a ticket on that.
Emma, your issue is around repeated failed payment attempts from a single IP address. To answer your questions:
That does sound to be most likely what’s happening – the last few payments tip it over the edge for that IP, and it’s a dynamic IP that jumps between users on an ISP.
The blacklist is tracked from the first failed payment attempt; I’d suggest the expiry would apply to the first time it failed.
The implication of turning it off is you are losing a layer of security. Obviously, if there are too many false positives it’s hard to justify keeping it enabled.
Turns out there was an expiry on failed payment IPs. However, it was very long. We have adjusted it downwards significantly now. I will message you the details because we don’t want to put them here since it’s public.
A “human” browsing the site cannot trigger it. You would have to be viewing multiple pages per second.
If it’s your own IP, then you need to see if any scanners are running internally. Sometimes these take the form of SEO software designed to analyse your site, or it could be a security scanner, an uptime checker, etc.
We can provide more specific details as to the rate limit in the ticket but not on this public forum.
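To make the two mechanisms discussed in this thread concrete, here is an added model (not NitroSell's code) of both controls as the same kind of per-IP windowed counter: the failed-payment blacklist (20 failures from one IP, with the tally ageing out from the first failure so a stale IP does not sit at 18 or 19 waiting for the next shopper) and the separate anti-DoS ban triggered by request volume over a very short time. The threshold of 20 comes from the thread; the window lengths, the ban durations, the anti-DoS rate and the IP addresses are constructed assumptions for illustration, since the real settings were deliberately kept off the public forum. The dynamic-IP scenario reproduces the false positive Emma describes and shows how a shorter tally expiry avoids it.

```python
"""Constructed model of two separate per-IP controls: a failed-payment
blacklist and a request-rate anti-DoS ban. Only the failed-payment threshold
(20) is from the thread; every other number here is an assumption."""
from collections import deque


class WindowedCounter:
    """Counts events per key and blocks a key once `threshold` events fall
    inside `window` seconds. Old events age out of the tally, so the count is
    effectively reset after a quiet period instead of persisting forever."""

    def __init__(self, threshold, window, block_for):
        self.threshold = threshold      # events that trigger a block
        self.window = window            # seconds an event stays in the tally
        self.block_for = block_for      # seconds a block lasts once triggered
        self._events = {}               # key -> deque of event timestamps
        self._blocked_until = {}        # key -> time when the block lifts

    def is_blocked(self, key, now):
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:                # block has expired: forget it
            del self._blocked_until[key]
            return False
        return True

    def record(self, key, now):
        """Count one event for key at time now; return True if key is blocked."""
        if self.is_blocked(key, now):
            return True
        tally = self._events.setdefault(key, deque())
        tally.append(now)
        # Drop events older than the window so an IP that stopped failing long
        # ago does not carry 18 or 19 stale failures into the next shopper.
        while tally and now - tally[0] > self.window:
            tally.popleft()
        if len(tally) >= self.threshold:
            self._blocked_until[key] = now + self.block_for
            tally.clear()
            return True
        return False


FAILED_PAYMENT_THRESHOLD = 20           # the only value taken from the thread


def dynamic_ip_scenario(window_seconds, gap_seconds):
    """A bot fails 18 payments from one IP, then the ISP reassigns that IP to a
    genuine shopper who fails twice, gap_seconds later. Returns which of the
    shopper's attempts (1-based) was blocked, or None if neither was."""
    ctl = WindowedCounter(FAILED_PAYMENT_THRESHOLD, window_seconds, block_for=3600)
    ip = "203.0.113.7"                  # constructed documentation address
    for i in range(18):
        ctl.record(ip, now=float(i))    # one bot failure per second
    shopper_start = 18.0 + gap_seconds
    for attempt in (1, 2):
        if ctl.record(ip, now=shopper_start + attempt):
            return attempt
    return None


def scanner_scenario(requests_per_second, seconds=5, threshold=10):
    """Anti-DoS model (assumed rate): `threshold` requests inside one second
    bans the IP. Returns True if the client is banned within `seconds`."""
    ctl = WindowedCounter(threshold, window=1.0, block_for=600)
    ip = "198.51.100.9"                 # constructed documentation address
    total = int(requests_per_second * seconds)
    for n in range(total):
        if ctl.record(ip, now=n / requests_per_second):
            return True
    return False


if __name__ == "__main__":
    # Long tally expiry: the shopper inherits the bot's failures and is blocked.
    print("24h expiry, shopper blocked on attempt:", dynamic_ip_scenario(86400, 3600))
    # Short tally expiry: the bot's failures have aged out; shopper is fine.
    print("10min expiry, shopper blocked on attempt:", dynamic_ip_scenario(600, 3600))
    # A human at one page every two seconds never trips the anti-DoS ban;
    # an aggressive scanner at 50 requests per second does.
    print("human banned:", scanner_scenario(0.5))
    print("scanner banned:", scanner_scenario(50))
```

The shopper is blocked on the second attempt only when the tally window is longer than the gap since the bot's failures, which is exactly the "IP sitting at 18 or 19" effect described above; with a shorter window the bot's failures have expired and the shopper's two failures count from zero. The anti-DoS case uses the same counter with a one-second window, so a person clicking pages every couple of seconds can never reach the threshold while a scanner hits it within the first second.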