industry · 2026-05-23 · 12 min read

I was trying to onboard as an affiliate and Stripe said rate-limit: botnet attack aftermath (PR #657 IX F5)

Burcu (@burcugurmebir, 22k TikTok followers), a 26-year-old digital marketer from Sirinyali, Kepez, Antalya, passed the thMenu affiliate program OTP and then clicked through to Stripe Connect onboarding. She filled in the Stripe form, hit Submit, and got a "Too many requests" error. She tried 3 times; all 3 failed. Support ruled out the first 2 theories (single-submit, shared IP/VPN). The 3rd theory was the right one: Stripe's platform-level rate limit had been hit, namely the Synaltix thMenu platform's quota of 1000 account creations per hour. Burcu was #1001.

Forensics in the Stripe Dashboard: 4,187 new Connect accounts in 24 hours versus a typical 25-40, a 100x spike. All of them fake (random hex business names, placeholder tax_id, disposable emails). Cloudflare Workers logs: 9,234 requests to /api/affiliate/connect/onboard in 24 hours from 1,143 distinct IPs, residential proxies, a distributed botnet. The endpoint code was zod body validation + session check + Stripe accounts.create(). NO RATE LIMIT. Botnet math: 1,143 IPs x 8 requests on average = 9k requests, burning the Stripe quota with legitimate users as collateral. Attacker motivation unclear (competitor service disruption, resource exhaustion, abuse of the Connect surface).

The **PR #657 batch IX F5** fix is two-layered: (1) an application-level rate limit, checkRateLimit at 5 onboard attempts per IP per hour, returning a 429 response with a Retry-After header; (2) Cloudflare WAF bot detection, a JS challenge for suspicious traffic (residential proxies with rapid IP rotation, headless browser fingerprints, missing JS challenge token). With the two layers together, legitimate users get an invisible CAPTCHA and the botnet is substantially throttled. The fix shipped, Burcu retried on Sunday and succeeded, and she received a 50% commission bonus for the first month (patient reporting). Post-fix Connect rate: 4,187/day -> 38/day.

The pattern: public-facing state-mutating endpoints (signup, OTP request, password reset, Stripe Connect onboard, comment submission, contact form) **must carry both an application-level rate limit AND network-level WAF bot detection**. Application-level alone does not defend against a distributed botnet; WAF alone means pushing a CAPTCHA onto legitimate scenarios that do not want one.

Audit checklist:

- state mutation?
- per-IP rate limit?
- Cloudflare WAF rule?
- upstream quota visibility (Stripe metrics, alert at 80% of quota)?
- abuse signature detection (signup spike, geographic anomaly, business-name pattern)?
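As an added illustration (not thMenu's PR #657 code), the snippet below implements the application-level layer described above, a per-IP limiter of 5 onboard attempts per hour that answers with 429 plus Retry-After, and then replays the post's botnet shape (1,143 IPs x 8 requests) against it to show why this layer alone leaves the upstream quota exposed. The in-memory Map store, the plain-object `headers` argument and the 10.0.x.y sample IPs are assumptions made so it runs offline.

```javascript
// Added example: per-IP fixed-window rate limiter with Retry-After, not thMenu's own code.
function createRateLimiter({ limit = 5, windowMs = 60 * 60 * 1000 } = {}) {
  // Buckets keyed by client IP. A Worker would back this with KV or a Durable Object
  // (assumption); a Map keeps the example self-contained.
  const buckets = new Map();
  return function checkRateLimit(ip, now = Date.now()) {
    let b = buckets.get(ip);
    if (!b || now - b.start >= windowMs) {          // window expired: start a fresh one
      b = { start: now, count: 0 };
      buckets.set(ip, b);
    }
    if (b.count >= limit) {
      // Seconds until this IP's window resets, rounded up for the Retry-After header
      return { allowed: false, retryAfter: Math.ceil((b.start + windowMs - now) / 1000) };
    }
    b.count += 1;
    return { allowed: true, remaining: limit - b.count };
  };
}

const onboardLimiter = createRateLimiter({ limit: 5 });

// Handler skeleton: the limiter runs before anything that spends upstream (Stripe) quota.
// `headers` is a plain object standing in for the request headers (assumption).
function handleOnboard(headers, now = Date.now()) {
  const ip = headers["cf-connecting-ip"] ?? "unknown";
  const verdict = onboardLimiter(ip, now);
  if (!verdict.allowed) {
    return {
      status: 429,
      headers: { "Content-Type": "application/json", "Retry-After": String(verdict.retryAfter) },
      body: JSON.stringify({ error: "Too many onboarding attempts, try again later" }),
    };
  }
  // zod body validation, session check and stripe.accounts.create() would follow here.
  return { status: 200, headers: { "Content-Type": "application/json" }, body: JSON.stringify({ ok: true }) };
}

// Why the limiter alone is not enough: many IPs sending a few requests each mostly stay
// under a per-IP cap, so count how many calls would still reach the Stripe quota.
function simulateBotnet(ipCount, requestsPerIp, limit = 5) {
  const check = createRateLimiter({ limit });
  let reachedStripe = 0;
  for (let i = 0; i < ipCount; i++) {
    const ip = `10.0.${Math.floor(i / 256)}.${i % 256}`; // constructed sample IPs
    for (let r = 0; r < requestsPerIp; r++) if (check(ip, 0).allowed) reachedStripe++;
  }
  return reachedStripe;
}

console.log(simulateBotnet(1143, 8)); // 5715: still far above a 1000/hour upstream quota
```

The 5,715 figure is the reason the post pairs the limiter with WAF bot detection: per-IP caps shrink the per-source burst, but the distributed shape has to be cut at the network layer.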

thMenu Team

thmenu.com