This article provides the steps you could take to block malicious traffic, when you suspect that your Adobe Commerce on cloud infrastructure store is experiencing a DDoS attack.
In this article we assume that you already have the malicious IPs and/or their country and user agents. Adobe Commerce on cloud infrastructure users would typically get this information from Adobe Commerce support. The following sections provide steps for blocking traffic based on this information. All the changes should be done in the Production environment.
If your website is overloaded by DDoS, you might not be able to log in to your Commerce Admin (and perform all the steps described further in this article).
To get access to the Admin, put your website into maintenance mode as described in Enable or disable maintenance mode and whitelist your IP address. Disable the maintenance mode after this is done.
For the Adobe Commerce on cloud infrastructure store, the most effective way to block traffic by specific IP addresses and subnets is adding an ACL for Fastly in the Commerce Admin. Following are the steps with links to more detailed instructions:
For the Adobe Commerce on cloud infrastructure store, the most effective way to block traffic by country is adding an ACL for Fastly in the Commerce Admin.
To establish blocking based on user agent, you need to add a custom VCL snippet to your Fastly configuration. To do this, take the following steps:
Following is an example of a VCL snippet that blocks the AhrefsBot and SemrushBot user agents:
name: block_bad_useragents
type: recv
priority: 5
VCL:
if ( req.http.User-Agent ~ "(AhrefsBot|SemrushBot)" ) {
    error 405 "Not allowed";
}
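Before such a snippet is activated, it is worth checking what share of recent traffic the User-Agent pattern would actually catch, and whether a case variant slips past it (Fastly's ~ operator is a case-sensitive, unanchored regex match unless the pattern starts with (?i)). The dry run below is an added example, not code from the article or from Fastly; it uses constructed access-log lines in combined log format and Python's re module as a stand-in for Fastly's PCRE engine, which is an assumption that holds for simple alternations like this one.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /catalogsearch/result/?q=a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"
203.0.113.11 - - [01/Jan/2024:10:00:02 +0000] "GET /checkout/cart/ HTTP/1.1" 200 812 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
198.51.100.5 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
203.0.113.12 - - [01/Jan/2024:10:00:04 +0000] "GET /women.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; ahrefsbot/7.0)"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield (client_ip, user_agent) for each well-formed line; skip lines that do not parse."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ua")


def dry_run(pattern, log_text):
    """Apply a VCL-style User-Agent regex to every request in the log sample.

    Returns (blocked_count, passed_count, Counter of client IPs that would be blocked).
    re.search mirrors VCL's unanchored '~' match; the pattern is case-sensitive unless
    it carries the (?i) flag, exactly as in Fastly VCL.
    """
    rx = re.compile(pattern)
    blocked, passed = 0, 0
    blocked_ips = Counter()
    for ip, ua in parse_log(log_text):
        if rx.search(ua):
            blocked += 1
            blocked_ips[ip] += 1
        else:
            passed += 1
    return blocked, passed, blocked_ips


if __name__ == "__main__":
    # The snippet from the article, then a case-insensitive variant of the same pattern.
    for pat in ("(AhrefsBot|SemrushBot)", "(?i)(AhrefsBot|SemrushBot)"):
        b, p, ips = dry_run(pat, SAMPLE_LOG)
        print(f"{pat}: blocked={b} passed={p} blocked_ips={dict(ips)}")
```

Run it against an export of real staging or production logs instead of SAMPLE_LOG to see which clients the rule would reject before it goes live.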
There is an experimental Fastly functionality for Adobe Commerce on cloud infrastructure which allows you to specify the rate limit for particular paths and crawlers. See the Fastly module documentation for details.
The functionality must be extensively tested on staging before being used on production, because it might block legitimate traffic.
Updating your robots.txt file could help to keep certain search engines, crawlers, and robots from crawling certain pages. Examples of pages that should not be crawled are search result pages, checkout, customer information and so on. Keeping robots from crawling these pages could help to decrease the number of requests generated by those robots.
There are two important considerations when using robots.txt:
Robots can ignore your robots.txt. Especially malware robots that scan the web for security vulnerabilities, and email address harvesters used by spammers, will pay no attention.
The robots.txt file is a publicly available file. Anyone can see what sections of your server you don't want robots to use.
The basic information and default Adobe Commerce robots.txt configuration can be found in the Search Engine Robots article in our developer documentation.
For general information and recommendations about robots.txt, see:
Work with your developer and/or SEO expert to determine what User Agents you want to allow, or those you want to disallow.