System Status

Real-time status of the SoleDrop storefront and drop infrastructure.

โœ…

All Systems Operational

The storefront and checkout are running normally.

Updated just now
๐Ÿ”ด   Active Security Incident โ€” Drop-Day Bot Swarm Detected
LIVE
Attack Timeline โ€” What We Detected
1
WAF Anomaly โ€” Automated Inventory Recon
Ahead of the drop, an automated client enumerated hidden release URLs and scraped stock โ€” hammering /api/v1/products and probing /search, /.env, and /api/v1/admin. SQL injection payloads were injected into the search query parameters to dump the product/inventory tables. Every request carried a spoofed X-Forwarded-For header.
WAFSQLiAttackScore > 60path enumerationX-Forwarded-For spoofingBotScore: 24
2
Bot Management โ€” Sneaker-Bot Swarm at Drop Time
At 11:00 the storefront took a coordinated swarm โ€” thousands of add-to-cart requests per second from a rotating pool of residential proxies and 22 different User-Agents. Despite the rotation, the TLS fingerprint stayed constant: a headless-automation JA4 hash that does not change with the User-Agent. Cloudflare Bot Management flagged the entire swarm as a single automated origin.
JA4: t13d1516h2_8daaf6152771_b0da82dd1658BotDetectionTags: automation, checkout3,400 req/s
3
Credential Stuffing โ€” Account Takeover on /login
The bot replayed a leaked credential list against /login โ€” 60k+ attempts โ€” hunting for accounts with saved payment methods and existing raffle entries to hijack. The 401 error rate on the auth endpoint spiked 400ร—. Successful logins from the swarm's JA4 were flagged as suspected account takeover.
401 rate spike > 400xcredential stuffingleaked combolistATO suspected
4
Checkout Abuse โ€” Carding & Inventory Hoarding
Full breakout: automated checkout against /api/v1/checkout combined with carding (rapid-fire validation of stolen card numbers) and cart-hoarding to lock inventory away from real buyers. An SSRF probe targeting 169.254.169.254 (cloud metadata endpoint) was injected into a webhook URL field. Cloudflare Rate Limiting and the checkout Waiting Room absorbed the flood.
Rate limit exceededcarding patternSSRF: 169.254.169.254inventory hoarding
Indicators of Compromise (IOCs)
Source OriginDatacenter ASN + residential proxy pool โ€” rotating spoofed IPs via X-Forwarded-For
TLS Fingerprint (JA4)t13d1516h2_8daaf6152771_b0da82dd1658 โ€” headless automation, constant across all traffic
Bot Score24 / 100 โ€” Source: Heuristics โ€” Tags: ["automation", "checkout"]
Peak Request Rate3,400 req/s against /api/v1/products and /api/v1/checkout
Credential Stuffing60k+ attempts on /login โ€” 401 rate spike > 400x baseline
Attack Duration4-phase campaign โ€” recon โ†’ bot swarm โ†’ credential stuffing โ†’ checkout abuse
Remediation Checklist
0 / 7 steps completed
  • Identify bot origin in Cloudflare Security Events
    Filter CF Security Events by the drop timeframe. The real ClientIP is the datacenter/proxy origin โ€” X-Forwarded-For values are spoofed. Note the RayID chain and the source ASN.
  • Block source IP / ASN in Cloudflare WAF
    Security โ†’ WAF โ†’ Custom Rules โ†’ create rule: ip.src eq <origin-ip> (or ip.geoip.asnum eq <asn>) โ†’ Block. Stops the swarm's origin immediately.
  • Create JA4 fingerprint block in Bot Management
    Bot Management โ†’ Custom Rules โ†’ cf.bot_management.ja4 eq "t13d1516h2_8daaf6152771_b0da82dd1658" โ†’ Block. Catches the bot even when it rotates IPs and User-Agents.
  • Enable Rate Limiting + Waiting Room on checkout
    Turn on the drop-day Waiting Room for /products and /api/v1/checkout, and add a Rate Limiting rule (e.g. 10 req/10s per IP) on add-to-cart. Consider "Under Attack" mode if the swarm persists.
  • Correlate the full attack chain in SentinelOne AI-SIEM
    PowerQuery: filter by JA4 = "t13d1516h2_8daaf6152771_b0da82dd1658" โ†’ confirm the same actor across recon, swarm, credential stuffing, and checkout abuse. Use Purple AI: "Summarize the drop-day bot attack linking WAF, Bot Management, and login events."
  • Force reset + revoke sessions on stuffed accounts
    Identify accounts with successful logins from the attacker's JA4 in the last 24h. Force a password reset, revoke active sessions, and flag any raffle entries or orders placed from those sessions.
  • Open SentinelOne incident + notify fraud/security
    Create a Critical incident linking all 4 phases. Add IOCs for the source ASN and JA4, block the carding BIN ranges with the payment processor, and page on-call if not already fired.
โš ๏ธ   Completing this checklist does not automatically resolve the incident. Your security team must confirm all Cloudflare/S1 controls are in place and signal an all-clear before this page returns to operational status.

Services

Storefrontshop.soledrop.co ยท web & mobile
Operational
Checkout APICart ยท payments ยท order placement
Operational
Inventory ServiceStock counts ยท reservations ยท raffles
Operational
Customer AccountsLogin ยท profiles ยท saved payment
Operational
Search & CatalogProduct search ยท browse
CDN / EdgeImages ยท assets ยท caching
Operational

90-Day Uptime

Storefront99.98%
90 days agoToday
Checkout API99.95%
90 days agoToday
CDN / Edge100%
90 days agoToday

Recent Incidents

No incidents in the past 90 days.