industry · 2026-05-23 · 12 min read
I was trying to onboard as an affiliate, Stripe said rate-limit — botnet attack aftermath (PR #657 IX F5)
Anniina (28) runs @anniinaeats, a food and restaurant-tech Instagram + TikTok account with 18k followers, from Kallio, Helsinki. After OTP verification she clicked Stripe Connect onboarding, filled in her Finnish IBAN and tax ID, hit Submit, and got a "Too many requests" error. Three attempts, all failed. Support's first two theories (double-click, shared IP) were busted. The third theory was correct: a Stripe platform-level rate limit had been hit. The Synaltix thMenu platform has a quota of 1,000 account creations per hour, and Anniina was attempt 1,001 that hour.

Forensics in the Stripe Dashboard: 4,187 new Connect accounts in 24h vs. a typical 25-40, a 100x spike. All fake: random-hex business names like "thMenu-affiliate-bot-${hex}", placeholder tax IDs ("111-22-3333"), disposable-domain emails. Cloudflare Workers logs for /api/affiliate/connect/onboard: 9,234 requests in 24h from 1,143 distinct IPv4 and IPv6 residential-proxy addresses. Endpoint code: zod body validation + session check + Stripe accounts.create(), with NO RATE LIMIT. Botnet math: 1,143 IPs × ~8 attempts ≈ 9k requests burning the Stripe platform quota, with legitimate users like Anniina caught in the throttle. Attacker motivation unclear (sabotaging a competitor, resource exhaustion, or abusing the Connect surface for downstream fraud).

**PR #657 batch IX F5** shipped a two-layer fix: (1) application-level rate limit: checkRateLimit per IP, 5 onboard attempts per hour, 429 with Retry-After; (2) Cloudflare WAF bot detection: JavaScript challenge for traffic scored as suspicious (rapid residential-proxy rotation, headless-browser fingerprint, missing JS token). The two layers together: legitimate users get an invisible CAPTCHA, and the botnet is substantially throttled.

Anniina retried on Sunday after the fix shipped: success, plus a 50% commission bonus for the first month for her patience. Post-fix Connect creation rate: 4,187/day → 38/day (typical). The Stripe team coordinated cleanup of 4,000+ pending bot accounts.
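The forensic pass described above, as an added example that is not code from the thMenu project: it applies the three fake-account indicators the post lists (bot-style hex business names, placeholder tax IDs, disposable email domains) to a set of Connect account records, and summarises onboarding request volume, distinct source IPs and the busiest hour from Worker access logs. The account records, log lines, disposable-domain list and tax-ID placeholders are all constructed sample data; the `thMenu-affiliate-bot-` name pattern and the endpoint path come from the post.

```typescript
// Added example, not code from the thMenu project: forensic triage of a burst of
// Stripe Connect account creations. It applies the three fake-account indicators
// the post lists and summarises request volume and distinct source IPs from
// Worker access logs. All records below are constructed sample data.

interface ConnectAccount {
  id: string;
  businessName: string;
  taxId: string;
  email: string;
  createdAt: string; // ISO-8601 UTC
}

interface AccessLogLine {
  ts: string; // ISO-8601 UTC
  ip: string;
  method: string;
  path: string;
}

// Constructed stand-ins for lists a real check would load from a maintained source.
const DISPOSABLE_DOMAINS = new Set(["mailinator.example", "tempmail.example"]);
const PLACEHOLDER_TAX_IDS = new Set(["111-22-3333", "000-00-0000"]);
// Matches the "thMenu-affiliate-bot-${hex}" naming the post describes.
const BOT_NAME_PATTERN = /^thMenu-affiliate-bot-[0-9a-f]{4,}$/i;

const ONBOARD_PATH = "/api/affiliate/connect/onboard";

// Returns the indicators that fired for one account; empty means "looks legitimate".
function fakeAccountReasons(acct: ConnectAccount): string[] {
  const reasons: string[] = [];
  if (BOT_NAME_PATTERN.test(acct.businessName)) reasons.push("bot-name-pattern");
  if (PLACEHOLDER_TAX_IDS.has(acct.taxId)) reasons.push("placeholder-tax-id");
  const atIndex = acct.email.lastIndexOf("@");
  const domain = atIndex >= 0 ? acct.email.slice(atIndex + 1).toLowerCase() : "";
  if (DISPOSABLE_DOMAINS.has(domain)) reasons.push("disposable-email-domain");
  return reasons;
}

// Buckets onboarding POSTs by UTC hour and returns the busiest hour's count,
// which is what a platform-level "creations per hour" quota reacts to.
function peakOnboardRequestsPerHour(logLines: AccessLogLine[]): number {
  const perHour = new Map<string, number>();
  for (const line of logLines) {
    if (line.method !== "POST" || line.path !== ONBOARD_PATH) continue;
    const hourKey = line.ts.slice(0, 13); // "YYYY-MM-DDTHH"
    perHour.set(hourKey, (perHour.get(hourKey) ?? 0) + 1);
  }
  let peak = 0;
  for (const count of perHour.values()) if (count > peak) peak = count;
  return peak;
}

interface TriageSummary {
  totalAccounts: number;
  flaggedIds: string[];
  spikeFactor: number; // creations seen vs. the expected daily baseline
  onboardRequests: number;
  distinctIps: number;
  peakPerHour: number;
}

function triage(accounts: ConnectAccount[], logLines: AccessLogLine[], baselinePerDay: number): TriageSummary {
  const flaggedIds = accounts.filter((a) => fakeAccountReasons(a).length > 0).map((a) => a.id);
  const onboard = logLines.filter((l) => l.method === "POST" && l.path === ONBOARD_PATH);
  return {
    totalAccounts: accounts.length,
    flaggedIds,
    spikeFactor: accounts.length / baselinePerDay,
    onboardRequests: onboard.length,
    distinctIps: new Set(onboard.map((l) => l.ip)).size,
    peakPerHour: peakOnboardRequestsPerHour(logLines),
  };
}

// Constructed sample data (IPs from the documentation ranges, tax IDs are placeholders).
const SAMPLE_ACCOUNTS: ConnectAccount[] = [
  { id: "acct_legit_1", businessName: "Kallio Kahvila", taxId: "FI-placeholder-1", email: "owner@example.com", createdAt: "2026-05-22T09:12:00Z" },
  { id: "acct_bot_1", businessName: "thMenu-affiliate-bot-9f3c1a", taxId: "111-22-3333", email: "u1@mailinator.example", createdAt: "2026-05-22T09:13:02Z" },
  { id: "acct_bot_2", businessName: "thMenu-affiliate-bot-0b7e44", taxId: "111-22-3333", email: "u2@tempmail.example", createdAt: "2026-05-22T09:13:05Z" },
  { id: "acct_legit_2", businessName: "Ravintola Oiva", taxId: "FI-placeholder-2", email: "info@example.org", createdAt: "2026-05-22T11:40:00Z" },
];

const SAMPLE_LOG: AccessLogLine[] = [
  { ts: "2026-05-22T09:12:00Z", ip: "203.0.113.10", method: "POST", path: ONBOARD_PATH },
  { ts: "2026-05-22T09:13:02Z", ip: "198.51.100.7", method: "POST", path: ONBOARD_PATH },
  { ts: "2026-05-22T09:13:03Z", ip: "198.51.100.7", method: "POST", path: ONBOARD_PATH },
  { ts: "2026-05-22T09:13:05Z", ip: "2001:db8::1f", method: "POST", path: ONBOARD_PATH },
  { ts: "2026-05-22T09:14:00Z", ip: "203.0.113.10", method: "GET", path: "/api/affiliate/status" },
  { ts: "2026-05-22T11:40:00Z", ip: "192.0.2.44", method: "POST", path: ONBOARD_PATH },
];

// Baseline of 2 creations/day for the sample; the post's real baseline was 25-40.
const SAMPLE_TRIAGE = triage(SAMPLE_ACCOUNTS, SAMPLE_LOG, 2);
```

On the sample data the two bot accounts trip all three indicators at once, and the peak-hour count is what to compare against the platform quota: it shows whether a legitimate user could have landed in the throttled part of the hour, which is exactly what happened to Anniina. Any one indicator on its own is weak (a real business can use a cheap mail provider), so the per-account reason list is kept rather than a single boolean, for manual review before bulk cleanup.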
Pattern: every public-facing state-mutating endpoint (signup, OTP, password reset, Stripe Connect onboard, comment submission, contact form) needs BOTH application-level rate-limit AND network-level WAF bot detection. Application-only doesn't defend against distributed botnets; WAF-only forces CAPTCHA on legitimate users.
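The application-level layer of the fix, as an added example rather than the project's PR #657 code: a per-IP fixed-window rate limiter (5 attempts per hour, 429 with Retry-After) placed in front of a state-mutating onboarding route, with the limit check running before anything that consumes the platform's Stripe quota. The in-memory store, the `handleOnboard`/`simulateBurst` helpers, the fake `createAccount` stand-in for `stripe.accounts.create()` and the request shape are all assumptions for the demo; a deployed Worker would back the counter with a Durable Object or KV namespace so that every isolate sees the same window.

```typescript
// Added example, not the project's PR #657 code: a per-IP fixed-window rate
// limiter in front of a state-mutating Worker route, answering 429 with
// Retry-After once the window is exhausted. The store is in memory for the
// demo; a deployed Worker would back it with a Durable Object or KV namespace
// so that all isolates share the counter (assumption, not the project's design).

interface WindowEntry {
  count: number;
  windowStart: number; // ms since epoch
}

class MemoryRateLimitStore {
  private entries = new Map<string, WindowEntry>();
  get(key: string): WindowEntry | undefined {
    return this.entries.get(key);
  }
  set(key: string, entry: WindowEntry): void {
    this.entries.set(key, entry);
  }
}

interface RateLimitDecision {
  allowed: boolean;
  remaining: number;
  retryAfterSeconds: number; // 0 when allowed
}

// Fixed window: the first request starts a window; requests beyond `limit`
// within `windowMs` are refused until the window expires.
function checkRateLimit(
  store: MemoryRateLimitStore,
  key: string,
  limit: number,
  windowMs: number,
  nowMs: number,
): RateLimitDecision {
  const entry = store.get(key);
  if (entry === undefined || nowMs - entry.windowStart >= windowMs) {
    store.set(key, { count: 1, windowStart: nowMs });
    return { allowed: true, remaining: limit - 1, retryAfterSeconds: 0 };
  }
  if (entry.count >= limit) {
    const msLeft = entry.windowStart + windowMs - nowMs;
    return { allowed: false, remaining: 0, retryAfterSeconds: Math.ceil(msLeft / 1000) };
  }
  entry.count += 1;
  store.set(key, entry);
  return { allowed: true, remaining: limit - entry.count, retryAfterSeconds: 0 };
}

const ONBOARD_LIMIT = 5;
const ONBOARD_WINDOW_MS = 60 * 60 * 1000;

interface OnboardRequest {
  ip: string; // client IP as seen at the edge
  sessionUserId: string | null; // null when no valid session
  body: { iban?: string; taxId?: string };
}

interface SimpleResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

// The limit check runs first so that neither the session lookup nor the
// account-creation call (the quota-consuming step) happens for over-limit traffic.
function handleOnboard(
  req: OnboardRequest,
  store: MemoryRateLimitStore,
  createAccount: (userId: string) => string,
  nowMs: number,
): SimpleResponse {
  const decision = checkRateLimit(store, `onboard:${req.ip}`, ONBOARD_LIMIT, ONBOARD_WINDOW_MS, nowMs);
  if (!decision.allowed) {
    return {
      status: 429,
      headers: { "Retry-After": String(decision.retryAfterSeconds) },
      body: "Too many onboarding attempts; retry later",
    };
  }
  if (req.sessionUserId === null) {
    return { status: 401, headers: {}, body: "unauthenticated" };
  }
  // Minimal stand-in for the zod body validation the post mentions.
  if (!req.body.iban || !req.body.taxId) {
    return { status: 400, headers: {}, body: "iban and taxId are required" };
  }
  const accountId = createAccount(req.sessionUserId);
  return { status: 200, headers: { "X-RateLimit-Remaining": String(decision.remaining) }, body: accountId };
}

// Constructed stand-in for stripe.accounts.create(); returns a fake id.
let fakeAccountCounter = 0;
function fakeCreateAccount(userId: string): string {
  fakeAccountCounter += 1;
  return `acct_fake_${userId}_${fakeAccountCounter}`;
}

// Fires `n` identical attempts from one IP at the same instant and returns the
// status codes, so the cut-over from 200 to 429 is visible.
function simulateBurst(ip: string, n: number, store: MemoryRateLimitStore, nowMs: number): number[] {
  const statuses: number[] = [];
  for (let i = 0; i < n; i++) {
    const req: OnboardRequest = { ip, sessionUserId: "user_demo", body: { iban: "FI00 PLACEHOLDER", taxId: "PLACEHOLDER" } };
    statuses.push(handleOnboard(req, store, fakeCreateAccount, nowMs).status);
  }
  return statuses;
}
```

Two things the block makes concrete. First, the limit is checked before the session lookup and before the create call, so an over-limit client costs nothing downstream. Second, the ceiling this layer alone gives you: at 5 per IP per hour, a pool the size of the one in the post (1,143 addresses) could still generate several thousand creations a day under this limit, which is why the post pairs it with the WAF bot-detection layer instead of tightening the per-IP number until legitimate users on shared addresses start seeing 429s. Keying the counter additionally on the session user ID is a cheap extra tightening for routes that already require a login.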