So recently a client had their ecommerce platform co-opted to launder CC for valids. Their payment processor was none too happy; luckily, however, I happened to see the client’s URGENT email and reacted quickly.
I added CC attempt rate-limit banning, and pre-emptive banning by suspicious attributes of the visitor (no false positives yet).
The total blocked IPs (250, then another 182) feel very much like botnet rental block sizes. It took a bit of tweaking, but I hopefully now have it detecting them before they pester the payment gateway, not after a few CC attempts per IP.
UPDATE: the tally so far stands at 3833 unique IP addresses. I had to add further ban detections to stop it from letting a few through on each IP before blocking it.
My thought for further detection is to check every minute whether a specific invoice reservation has made multiple CC attempts, and immediately flag that invoice and any IPs that refer to it as suspect. I just need to make sure it doesn’t affect legit orders during an attack.
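The two detections described in this thread (the per-IP attempt rate limit, and the proposed per-invoice correlation that flags an invoice reservation hit from several IPs and bans every IP that referenced it) can be prototyped as a single sliding-window detector over a stream of payment attempts. The block below is an added example, not the poster's or their platform's code; the attempt records, IP ranges, invoice ids and thresholds are all constructed and illustrative. One design choice that is mine rather than the poster's: the invoice rule only fires when the attempts come from at least two distinct IPs, so a single legit customer retyping their card on one invoice is handled by the per-IP limit rather than getting their invoice flagged. The decision is returned before the attempt is forwarded, so a tripped rule never reaches the gateway.

```python
from collections import defaultdict, deque


class CardTestDetector:
    """Flags card-testing runs from a stream of payment attempts.

    Two independent rules, both evaluated before the attempt is forwarded:
      * per-IP rate limit: `ip_limit` or more attempts from one IP inside
        `window` seconds bans the IP;
      * per-invoice correlation: `invoice_limit` or more attempts against one
        invoice reservation inside `window` seconds, spread over at least
        `invoice_min_ips` distinct IPs, flags the invoice and bans every IP
        that referenced it (and any IP that references it afterwards).
    Thresholds are illustrative assumptions, not the original poster's values.
    """

    def __init__(self, ip_limit=3, invoice_limit=3, invoice_min_ips=2, window=60.0):
        self.ip_limit = ip_limit
        self.invoice_limit = invoice_limit
        self.invoice_min_ips = invoice_min_ips
        self.window = window
        self.ip_hits = defaultdict(deque)       # ip -> attempt timestamps in window
        self.invoice_hits = defaultdict(deque)  # invoice -> attempt timestamps in window
        self.invoice_ips = defaultdict(set)     # invoice -> every IP that referenced it (not windowed)
        self.banned_ips = set()
        self.flagged_invoices = set()

    def _prune(self, hits, now):
        """Drop timestamps that have fallen out of the sliding window."""
        while hits and now - hits[0] > self.window:
            hits.popleft()

    def observe(self, now, ip, invoice):
        """Record one attempt and return "forward", "ban" or "drop".

        "forward": send to the gateway.
        "ban":     this attempt trips a rule; ban the IP, do not forward.
        "drop":    IP already banned, or invoice already flagged; nothing
                   reaches the gateway.
        """
        if ip in self.banned_ips:
            return "drop"
        if invoice in self.flagged_invoices:
            # A new IP touching an already-flagged invoice is banned on sight.
            self.banned_ips.add(ip)
            return "drop"

        ip_hits = self.ip_hits[ip]
        inv_hits = self.invoice_hits[invoice]
        self._prune(ip_hits, now)
        self._prune(inv_hits, now)
        ip_hits.append(now)
        inv_hits.append(now)
        self.invoice_ips[invoice].add(ip)

        if len(ip_hits) >= self.ip_limit:
            self.banned_ips.add(ip)
            return "ban"

        if (len(inv_hits) >= self.invoice_limit
                and len(self.invoice_ips[invoice]) >= self.invoice_min_ips):
            # IP rotation against one reservation: flag it and ban all of them.
            self.flagged_invoices.add(invoice)
            self.banned_ips.update(self.invoice_ips[invoice])
            return "ban"

        return "forward"


# Constructed sample attempts: (seconds, client IP, invoice reservation id).
SAMPLE_ATTEMPTS = [
    (0,  "192.0.2.10",   "INV-1001"),  # legit customer, first try declined
    (20, "192.0.2.10",   "INV-1001"),  # legit customer retries once
    (30, "203.0.113.1",  "INV-2002"),  # card-testing run: one attempt per IP,
    (31, "203.0.113.2",  "INV-2002"),  #   rotating IPs against the same invoice
    (32, "203.0.113.3",  "INV-2002"),
    (33, "203.0.113.4",  "INV-2002"),
    (34, "203.0.113.1",  "INV-2002"),
    (40, "198.51.100.7", "INV-3003"),  # single IP hammering one invoice
    (41, "198.51.100.7", "INV-3003"),
    (42, "198.51.100.7", "INV-3003"),
    (43, "198.51.100.7", "INV-3003"),
]


def run(attempts, **kwargs):
    """Replay attempts through a fresh detector; return (detector, decisions)."""
    det = CardTestDetector(**kwargs)
    decisions = [det.observe(t, ip, inv) for t, ip, inv in attempts]
    return det, decisions


if __name__ == "__main__":
    det, decisions = run(SAMPLE_ATTEMPTS)
    for (t, ip, inv), d in zip(SAMPLE_ATTEMPTS, decisions):
        print(f"t={t:3d} {ip:14} {inv} -> {d}")
    print("banned:", sorted(det.banned_ips))
    print("flagged invoices:", sorted(det.flagged_invoices))
```

On the sample data the rotating-IP run is caught on its third attempt, the fourth IP is banned the moment it references the flagged invoice, the single-IP burst is stopped by the per-IP limit without flagging its invoice, and the legit customer's two attempts are forwarded untouched. Which thresholds are safe depends on the checkout's real retry behaviour; `invoice_limit` and `invoice_min_ips` are the knobs to watch during an attack.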