
Dealing with possible DDoS and Malicious Bot attacks on a B2C Commerce storefront

Publish Date: Apr 30, 2026
Description
When your B2C Commerce storefront is under attack from malicious sources, what should you do?
Solution

To start, review the B2C Commerce platform's approach, strategy and guidance around bot management to understand the shared responsibility between B2C Commerce and our customers. Then, utilize the capabilities and tools available to you to mitigate the attack:

 

  1. If you have your own Content Delivery Network (CDN) stacked on top of the platform's embedded CDN (eCDN), or your own bot mitigation solution, use the functionality they provide, such as custom firewall rule creation, IP/geo blocking, and rate limiting. This is especially important if you have allowlisted your stacked CDN IP addresses as described in Add Stacked Proxy to the Firewall Allowlist. Allowlisting lets traffic from your stacked CDN bypass any rules set at eCDN, which means internal teams have limited options for mitigating traffic coming from your stacked CDN.

    Note:
    Instead of allowlisting your stacked CDN's IP addresses, consider creating custom rules that add your stacked CDN IPs with certain skip actions as outlined in Rule Actions. This preserves the ability for you to prioritize that traffic while still letting eCDN protections take effect.

  2. Tools within the B2C platform include:
    1. The built-in Web Application Firewall (WAF) in eCDN, which has checks and rulesets that can be adjusted as needed. These are outlined below:
    2. In Business Manager, go to Administration | Sites | Embedded CDN Settings | Configure Zones, select the zone with the affected storefront, and enable Under Attack mode. This setting presents a CAPTCHA challenge to every unique user before they're allowed to see the storefront.
      • Note: A disadvantage with this option is that storefront API calls will fail since they cannot respond to the challenge.
    3. In Business Manager, review the traffic coming in. Then create custom and/or rate limiting rules based on what you see by going to Administration | Sites | Embedded CDN Settings as outlined below:
    4. The CDN Zones API can be used in situations where Business Manager is unavailable or when you need to make changes on a large scale. Prerequisites for using the CDN Zones API include creating an API client and authorizing it as outlined in Authorization for SCAPI Admin APIs as well as constructing well-formed requests to the B2C Commerce API with all required parameters as covered in the Base URL and Request Formation guide. Once these are in place, review the guidance below:
  3. If all of the above is unsuccessful, open a Support case that outlines what is going on and includes the data mentioned in Gathering Details for B2C Commerce Cloud Support Cases, so our team can review and assist.
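
The traffic review in step 2.3 can be done offline before you write rules. The following is an added example, not Salesforce code: it finds clients whose peak request rate exceeds a threshold and flags the ones calling storefront APIs, which cannot answer an Under Attack challenge. The record layout, the `API_PREFIXES` value, the threshold and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumption: path prefixes that identify storefront API calls on your site.
API_PREFIXES = ("/s/-/dw/",)

def build_sample():
    """Constructed records (epoch seconds, client IP, path); not real traffic."""
    rows = [(1000 + i * 0.2, "198.51.100.7", "/search?q=shoes") for i in range(40)]
    rows += [(1002 + i * 0.2, "203.0.113.9", "/s/-/dw/shop/products") for i in range(30)]
    rows += [(1000 + i * 10, "192.0.2.44", "/cart") for i in range(5)]  # ordinary shopper
    return sorted(rows)

def peak_rates(records, window=10):
    """Return {client: most requests seen in any `window`-second span}."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, client, _path in sorted(records):
        q = recent[client]
        q.append(ts)
        while ts - q[0] >= window:  # drop requests that fell out of the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return dict(peak)

def rate_limit_candidates(records, threshold=20, window=10):
    """Clients whose peak rate exceeds `threshold`, noisiest first."""
    paths = defaultdict(lambda: defaultdict(int))
    for _ts, client, path in records:
        paths[client][path.split("?")[0]] += 1  # ignore query strings
    found = []
    for client, peak in peak_rates(records, window).items():
        if peak > threshold:
            found.append({
                "client": client,
                "peak": peak,
                "top_path": max(paths[client], key=paths[client].get),
                # API callers cannot answer a challenge, so flag them separately
                "api_traffic": any(p.startswith(API_PREFIXES) for p in paths[client]),
            })
    return sorted(found, key=lambda c: -c["peak"])

if __name__ == "__main__":
    for c in rate_limit_candidates(build_sample()):
        print(c)
```

If a stacked CDN sits in front of eCDN, the connecting address is the CDN's own, so feed this the original client address recorded by that CDN.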
Knowledge Article Number

000391633

 