Leading E-Commerce Website Ends Layer 7 DDoS Attacks With DataDome


After a severe layer 7 DDoS attack disrupted a live event, a leading e-commerce website trialed different bot protection solutions and selected DataDome. Today, DataDome protects the company against DDoS, scraping, form spam, and more, and ensures that no real customers need to see a CAPTCHA.

“DataDome is a very evolved and well thought-out product. It can be implemented in multiple ways, and I really like that flexibility.”
VP of Web Technologies

The Problem: Layer 7 DDoS Attacks Disrupt Live Events

“Like all online businesses, we’ve always had bot traffic,” says the company’s VP of Web Technologies. “Some people—including a competitor, which we sued—were scraping and reusing our data. We also had occasional account takeover attempts and spam form submissions, but for the most part, bots were just an inconvenience.”

That abruptly changed in the summer of 2021. During a live event, the company’s website was hit by multiple layer 7 DDoS attacks. The site went down for 45 minutes, and the event had to be rescheduled. That outage is what drove the search for DDoS prevention services:

“We couldn’t let that happen again,” says the VP of Web Technologies. “So together with my network team, we started to look for a DDoS protection tool. There doesn’t seem to be any solution that will prevent all types of DDoS attacks, but in order to DDoS someone, you do need bots. So I figured that if we could find good bot mitigation software, it would be the best way to solve the problem.”

The Solution: Multi-Platform Bot Protection, Easy Implementation

Before the layer 7 DDoS attacks, the team had been mitigating various bot issues with ad hoc, homegrown solutions. While their workarounds were sufficient to keep the site and its users safe, the process distracted developers from other tasks and often left something to be desired in the user experience.

“A form could get 20,000 spam submissions, so we’d add reCAPTCHA and be flooded with customer and staff complaints instead,” he recalls. “Then we’d have a credential stuffing attack, and it would be up to my team to try and mitigate it with our own code. So in a way, these DDoS attacks were a blessing in disguise. There was absolutely nothing we could have done about them, and that finally spurred the decision to invest in a legit edge protection solution.”

Having had good previous experience with an on-premises WAF from a well-known global data security company, the team decided to trial the vendor’s bot mitigation solution. Unfortunately, it did not live up to their expectations. The solution had security holes (people could easily generate their own tokens and bypass the system completely), and the dashboard provided no information about blocked requests.

Next, they tested a specialized bot protection solution. It had impressive detection capabilities, but was lacking in terms of infrastructure and dashboard data. Having identified DataDome on the internet, the team decided to give it a shot—and found what they had been looking for.

“DataDome is a very evolved and well thought-out product,” the VP of Web Technologies observes. “I also loved the fact that it can be implemented in multiple ways, whether it’s directly on my web servers, in a CDN, or in other ways—I really like that flexibility. App integration was another big factor in our choice; DataDome was the only vendor we talked to that has a React Native SDK. And finally, the solution engineer who supported us through the implementation was amazing: extremely knowledgeable and always willing to help.”

The Results: Improved User Experience, Better Processes

Since implementing DataDome, no more events have been disrupted by layer 7 DDoS attacks. Traffic has stabilized, and the team spends much less time investigating bot-related issues. Users don’t have to worry so much about the complex issues of reCAPTCHA v2 vs. v3; they can focus on efficiently protecting their website.

“We have an analytics tool that we wrote, which basically queries our traffic. If we have over x hits per IP within a certain time frame, we get an email which says, ‘Hey, you’ve got a heavy hitter, go investigate what’s going on’,” the VP of Web Technologies explains. “We used to get those emails two or three times a day, but since we implemented DataDome, I’ve only had a couple, and each time there’s been an explanation or a fix.” 

In addition, the DataDome solution automatically blocks scraper bots and credential stuffing attacks. As a result, the team has been able to deactivate reCAPTCHA, which has significantly improved the user experience.

“We mostly managed to mitigate the credential stuffing attacks with reCAPTCHA, but people hated it,” he says. “If an annoyed customer was complaining, we couldn’t explain why it had been prompted, and we couldn’t control anything except setting the sensitivity. With DataDome, on the very rare occasions where a real user has been challenged, we have been able to raise a support ticket and get an explanation, whether it be a missing cookie or a compromised IP address. That has been very helpful.”

The detailed DataDome dashboard has also enabled an unexpected benefit: better management of friendly bot traffic.

“We don’t have an official API, but we do provide one-off web services and other types of ‘backdoors’ which our partners can use to access our data,” he explains. “The DataDome implementation uncovered how many of those we actually had, how many people were using them, and often that they weren’t using them correctly. Now, we can fine-tune that access with custom rules in the DataDome dashboard.”

In conclusion, he praises the interactions he’s had with the DataDome team along the way. 

“I’ve been very impressed,” he attests. “Everyone I’ve dealt with has been amazing, genuinely trying to help us and make the product better. So many giant companies just don’t care anymore, they have a generic product and as a user, you deal with whatever it is. DataDome actually listens and responds. Every issue I’ve had has been addressed quickly, without me having to follow up. So far, it’s been a great experience.”
