I have a simple product ordering form.
A hacker is attempting to validate stolen credit card numbers by making two orders per minute with a bot.
99% of the orders are declined, but some are completed, which tells the hacker that the credit card is valid and active.
Using a CAPTCHA or similar to prevent these attacks is unfortunately not an option.
Here is my strategy for limiting the attack:
- Set a rate limit of one order per IP per five minutes. Do not allow multiple submissions to the same form from the same IP within five minutes.
- Record every IP address that submits to the order form.
- Fetch the recent order data from the shopping cart API.
- Correlate the recent order IPs with every new order's IP.
- If the rate limit is exceeded for a matched IP then discard the order submissions.
- If the rate limit is exceeded for a matched IP then block the order submissions IP.
Is there a pattern that already exists for this kind of credit card transaction rate limiting?
Recommendations for existing libraries which use this pattern would also help me to research how others have solved this problem.
Thanks!
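The six-step strategy in the question, implemented as a sliding-window rate limiter keyed on the submitting IP. This is an added example and not code from the poster or from any library; the class and function names (`OrderRateLimiter`, `run_simulation`), the reason strings, and the "recent orders" and "submissions" lists are all assumptions constructed for the demonstration, standing in for the shopping cart API and the form handler.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

WINDOW_SECONDS = 300        # five minutes, as in the strategy above
MAX_ORDERS_PER_WINDOW = 1   # one order per IP per window

REASON_OK = "ok"
REASON_LIMIT = "rate limit exceeded; ip blocked"
REASON_BLOCKED = "ip already blocked"


class OrderRateLimiter:
    """Sliding-window rate limiter keyed on source IP.

    Keeps a deque of submission timestamps per IP (step 2: record every
    submitting IP) and a set of IPs blocked outright after exceeding the
    limit (step 6).  In a multi-process deployment this state would have to
    live in shared storage; an in-memory dict is used here for the example.
    """

    def __init__(self, window: float = WINDOW_SECONDS,
                 limit: int = MAX_ORDERS_PER_WINDOW) -> None:
        self.window = window
        self.limit = limit
        self.submissions: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked: Set[str] = set()

    def seed_from_recent_orders(self, recent: Iterable[Tuple[str, float]]) -> None:
        """Steps 3 and 4: load (ip, timestamp) pairs from the cart API so
        that orders placed before this process started are correlated too."""
        for ip, ts in recent:
            self.submissions[ip].append(ts)
        for ip, q in self.submissions.items():
            self.submissions[ip] = deque(sorted(q))

    def _prune(self, ip: str, now: float) -> None:
        """Drop timestamps that have fallen out of the window."""
        q = self.submissions[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, ip: str, now: float = None) -> Tuple[bool, str]:
        """Decide one submission.  Returns (allowed, reason)."""
        now = time.time() if now is None else now
        if ip in self.blocked:
            return False, REASON_BLOCKED
        self._prune(ip, now)
        q = self.submissions[ip]
        if len(q) >= self.limit:
            # Steps 5 and 6: discard this order and block the IP.
            self.blocked.add(ip)
            return False, REASON_LIMIT
        q.append(now)
        return True, REASON_OK


# Constructed sample data, not a real cart API response or access log.
RECENT_ORDERS_FROM_CART_API = [
    ("192.0.2.20", 100.0),      # a customer who ordered 100 s into the trace
]

SUBMISSIONS = [                  # (ip, unix timestamp), in arrival order
    ("10.0.0.5", 120.0),         # bot: first attempt
    ("192.0.2.10", 130.0),       # ordinary customer
    ("10.0.0.5", 150.0),         # bot: 30 s later, exceeds 1 per 5 min
    ("192.0.2.20", 200.0),       # same IP as the seeded order, 100 s later
    ("10.0.0.5", 500.0),         # bot: window has passed, but IP is blocked
]


def run_simulation(recent, submissions) -> List[Tuple[str, float, bool, str]]:
    """Replay submissions through the limiter and return each decision."""
    limiter = OrderRateLimiter()
    limiter.seed_from_recent_orders(recent)
    results = []
    for ip, ts in submissions:
        allowed, reason = limiter.check(ip, now=ts)
        results.append((ip, ts, allowed, reason))
    return results


if __name__ == "__main__":
    for ip, ts, allowed, reason in run_simulation(RECENT_ORDERS_FROM_CART_API, SUBMISSIONS):
        print(f"{ts:6.0f}  {ip:12}  {'ALLOW' if allowed else 'DENY ':5}  {reason}")
```

Replaying the constructed trace shows the two sides of the strategy: the bot at 10.0.0.5 gets one order through, is denied and blocked on its second attempt, and stays blocked after the window expires; but 192.0.2.20, the IP of a legitimate order fetched from the cart API, is also denied and blocked when it submits again 100 seconds later. Because the only key is the client IP, customers behind a shared NAT or carrier-grade NAT hit the limit together, while an attacker who rotates through many IPs never hits it, so the caller should expect both false positives and misses from this control on its own.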