Bot Mitigation Best Practices for Flash Sales

As you might expect, flash sales are an extremely attractive target for bot attacks. During a flash sale (also called a hype or high-volume sale), a large amount of traffic is driven to a storefront for a limited number of products. Flash sales that offer deeply discounted or strictly limited stock tend to attract malicious users, who try to amass a large inventory of the discounted products to resell later for a profit. The deeper the discount and the more limited the inventory, the higher the risk of bot traffic overwhelming your site. However, if you plan ahead for bot mitigation, you can help to ensure human shoppers are buying your products during the busy holiday season!

First, let’s review how malicious bots operate as they try to obtain large amounts of discounted inventory. Most bot attacks are simple and automated, but these attacks can impact site performance and create a frustrating shopping experience.

Bots target online storefronts by:

Creating systemic chaos and instability. Some bots try to destabilize a system by sending large bursts of traffic. The individual calls in these bursts might not accomplish much, but the sheer volume of calls can temporarily slow down a system and degrade the shopper experience. For example, when a large number of calls go to a product detail page (PDP), page caching can ensure fast response times, but the increased call volume eventually uses processing seconds on the servers.
Leveraging security loopholes. Other malicious bots try to steal sensitive information, like credit card numbers, passwords, and email addresses, from the server side by using injection-style attacks (for example, cross-site scripting). These bots typically target flash sales, because during a short span of time, many shoppers are interacting with an online storefront and providing their personal information to complete a purchase.
Crawling or scraping sites. Bots can crawl and scrape websites, looking for product launches and checking on the inventory availability, and even size and color combinations, for popular items. Web scrapers might seem innocuous, because they don’t purchase large quantities of inventory, but even aggressive crawling by legitimate search bots can reduce a website’s search engine optimization (SEO) ranking.
Overrunning flash sales to purchase high-resale products. Malicious bots try to purchase as much highly sought after inventory as possible during a flash sale, maximizing chances for hefty resale profits. Hype bots can vary by industry, but the most sophisticated ones target sneakers because of the combination of marketing, celebrity branding, and limited inventory. These sneaker bots focus on speed and are constantly evolving, routinely switching tactics and attack vectors. Sneaker bots have a thriving developer community, where anyone interested in acquiring sneakers can purchase bot software and learn how to attack a site. The innovation behind these bots is relentless, making them the most challenging to combat.

Commonly, malicious bots use script routing and UI routing as potential vectors for attacks. Of these two attack vectors, UI routing is less of a concern. With UI routing, a bot typically launches a browser and manipulates UI elements, such as buttons and drop-down menus, to automate browser activity while maintaining a browser session. These attacks tend to be relatively low volume, and are subject to the speed of the device they’re running on and browser render times. In one sense, these types of bots are just fast humans.

However, by using simple tools or Python scripts, bots can use script routing to scrape sites for data, attack popular controllers (for example, Cart-AddProduct and CheckoutServices-PlaceOrder), and direct traffic at its origin in an attempt to bypass protection at the CDN layer. In advanced cases, script routing can penetrate the CDN stack in large numbers, attacking thousands of IPs in a few seconds. Some are also able to float under established rate limits, solve CAPTCHAs with a high level of reliability, and avoid bot protection tools. Some bots that use script routing focus on the Cart and Checkout pipelines, looking for the fastest path to placing an order. Others have been known to take advantage of mobile app implementations and to launch attacks on the Open Commerce API (OCAPI) framework.

To protect your site from script routing, continue reading to learn about the bot mitigation strategies provided by Commerce Cloud.

Salesforce B2C Commerce comes with an embedded Content Delivery Network (CDN). Enabled by default when creating proxy zones, the eCDN Web Application Firewall (WAF) is a layered approach to security and an important component of a multitiered approach to bot mitigation.

The eCDN provides the following bot protection strategies:

Allowlist of traffic sources. If you have a stacked CDN configuration, allowlist IP ranges on the eCDN so that blocking mechanisms are bypassed for known sources of legitimate traffic. When used with a firewall rule, this approach blocks any traffic that isn’t from allowlisted IP ranges.
Under Attack mode. Use the built-in eCDN functionality and consider increasing the threat level or even enabling Under Attack mode during a flash sale. Under Attack mode presents a CAPTCHA to every unique user before they're allowed to see the storefront. For more information, see Configure the Embedded CDN.
Firewall rules. Set up firewall rules on the eCDN that log, block, or challenge suspect traffic. Firewall rules are based on a variety of conditions and are built on filters and regular expressions. Salesforce Support can help you create firewall rules that help manage suspect traffic, such as traffic from specific countries, user agents, or paths. This approach is an effective way to control storefront access and minimize malicious traffic during a flash sale.

In addition to the eCDN layer of protection, Salesforce B2C Commerce offers a few other effective options for blocking bot traffic. These solutions typically stop bots that try to bypass the eCDN or CDN stack. The bots target sensitive endpoints, such as the Cart and Checkout pipelines.

A combination of the following strategies yields successful results in helping us protect your storefronts from malicious access, while still allowing vetted traffic.

Selective origin shielding (SOS). To restrict external sources, such as third-party integrations or partners, from bypassing the eCDN or directly accessing the Commerce Cloud POD origin, we implemented selective origin shielding (SOS) on all PODs. SOS prevents bots from accessing the origin outside the eCDN, and increases site security and availability by allowing traffic from only a known list of IPs that are essential for internal services to run. Other traffic is not responded to, and the requests time out. For more information, see B2C Commerce Selective Origin Shielding Security Update.
Rewrite rules. As the name suggests, rewrite rules are a URL rewrite framework that can block traffic at the origin. This framework checks for certain paths and identifies mistakes that bots make when trying to spoof regular calls. This feature is available on the backend servers as part of the Commerce Cloud infrastructure.

Bots consistently try to exploit broken versions of hostnames and sensitive paths, like the Cart and Checkout pipelines, to find implementation vulnerabilities. Thankfully, rewrite rules provide a quick way to block and redirect malicious traffic, based on conditions that match the call signature (call path, referrers, query strings, HTTP method, and so on). Rewrite rules are particularly effective with bots trying to bypass the CDN stack. For more information about using rewrite rules, consult with your Salesforce Support representative.
Secret headers. A secret header is an extra HTTP header that’s typically attached at the CDN level. An example of a secret header isx-extra_header_name: extra_header_value. What’s secret about this header? This extra header is not sent back to the end user or client and remains unknown to shoppers and bot operators.

To verify that incoming requests pass through the eCDN, the presence of the header is checked for and validated at the Commerce Cloud origin. This validation is done by rewrite rules that check for the header and block malicious traffic. All requests that fail the header check return a 403 response code.

In addition to the powerful bot mitigation strategies provided by Salesforce B2C Commerce, you play an important role in helping to protect your storefront from malicious bot attacks.

Consider these best practices to help ensure you have a successful holiday shopping season.

Allowlist legitimate traffic sources. Use the Salesforce eCDN to allowlist legitimate IP ranges for incoming traffic. When you allowlist IP ranges, incoming traffic from those IPs is not subject to some bot defense strategies, such as distributed denial-of-service (DDoS) and rate limiting. When used with firewall rules, this strategy is an effective way to block traffic that’s trying to bypass the frontend CDN.

You can also use the CDN Zones API to allowlist IP ranges. For more information about this API, see CDN Zones, and contact your Salesforce Support representative.
Leverage WAF protection on eCDN. As previously mentioned, the eCDN Web Application Firewall (WAF) can help mitigate many bot attacks. The WAF rule engine benefits from intelligence and heuristics gained from analyzing traffic all across the web. For more information about setting up and using the eCDN WAF, see eCDN Web Application Firewall.
Set up firewall rules. Consider working with your Salesforce Support representative to set up firewall rules to block and challenge suspect traffic. For example, you can have rules that block traffic from certain countries, IPs, and autonomous system numbers (ASNs).
Analyze traffic patterns and call formats. Bots have a tendency to focus on certain pipelines, and often make mistakes with the call formats. For example, Cart-AddProduct is a crucial transaction that manages basket creation and the path to checkout. Potentially, bots could target a broken version of the calls, like Cart-Add%43roduct. Although unsuccessful, these calls consume processing seconds on the platform and can degrade performance.

Traffic patterns on a storefront constantly change, and bot traffic can begin subtly with a heightened number of calls against common endpoints, such as Product-Variation or product detail pages (PDP). Check for and know the typical traffic patterns for your site, especially during sale events. This information helps you to identify patterns that are consistent (or inconsistent) with your implementation or line of business. Then, you can work with your Salesforce Support representative to mitigate bot activity. We suggest reviewing B2C Commerce Reports and Dashboards and monitoring upstream at the CDN layer, if using a stacked CDN setup.
Evaluate bot management solutions. You can employ specialized third-party solutions that integrate with Salesforce B2C Commerce to tailor a protection package against shopping bots. Key features of most bot management tools include a constantly updated blocklist, and advanced machine learning that scores and rates requests prior to making block or allow decisions. This type of protection becomes more effective after multiple sale events, as more implementation data trains the machine learning models. Just like shopping bots, bot management solutions continually evolve to update their strategies. Some options include PerimeterX, DataDome, Shape, Akamai BotMan, Cloudflare Bot Management, and so on. If you are using one of these solutions, we can advise and evaluate traffic patterns.
Create a virtual waiting room. Especially during the first few minutes of a flash sale, bots send requests from a large number of IPs and cause spikes in traffic. To help ensure your storefront isn’t overwhelmed by bot traffic for popular products in limited stock, you can create a virtual waiting room. Waiting rooms limit the number of shoppers allowed to purchase products at a given time. When the maximum number of shoppers is reached on designated pages, new shoppers receive a waiting page that doesn’t access backend systems. When paired with presale load testing and traffic forecasting, waiting rooms help control the storefront load while maintaining a positive shopper experience. You can even create a customized waiting room experience that enhances your brand. (Hello, positive social media feedback!) A virtual waiting room also provides you with the opportunity to analyze incoming requests for a traffic signature and understand how human shoppers (and bots) are interacting with your storefront. This knowledge can provide insights that help you tailor your bot mitigation strategies. Consult with your Salesforce Support representative to identify the levels of traffic bursts your storefront can handle, while maintaining optimal performance. You can determine the waiting room size, how many shoppers to allow into a waiting room, and which pages should have a waiting room.
Review the settings in robots.txt. To control the crawl rate and site paths for non-malicious bots (for example, search spiders, known marketing crawlers, and feed fetchers), review and update the settings in your robots.txt file. This approach helps us be proactive with managing “good” bot activity and avoids scenarios of heightened activity during a flash sale. For more information, see Generate a robots.txt File.

By implementing these bot mitigation best practices, you can host a flash sale knowing that your site is prepared to manage malicious attacks and reduce the chance of bots getting large amounts of inventory. And remember: When you start planning for a flash sale, engage the Salesforce Commerce Cloud team and your Support representative. We’re here to help!