I have a website (PHP Laravel site) that uses Brainstree to process credit card payments. Today the site receives A LOT direct request to 1 url that passes in credit card information. It seems the hacker figures out our parameters and is using my site trying to validate their stolen credit card numbers.
Here is an example of a request.
It is causing the CPU usage to be 100%, slowing down my site.
Before our code was processing the request and display an error page. Now it validates the request and redirects invalid renew request to log in page. The CPU load is still 100%.
What can I do to stop this or stop the CPU load, at the least?
Enable the use of CSRF field, it's a must. You're saying you began handling the request as POST, so that's fine.
This route also has to be available for authenticated users only. Add a proper middleware if you haven't yet.
As for additional protection I would recommend to use some throttle middleware. Consider using this package or something similar. It will not allow to use the method more often than the number of times per minute you specify. https://github.com/GrahamCampbell/Laravel-Throttle
Here is the update. The hacker really analyzes the site. It create free users. Each free user uses a credit card to submit an order for a paid membership. We are a target because the amount is small. Using POST doesn't fix this hack. So we have added account activation email and recaptcha in account creation and order page. Luckily, it is stopped pretty quickly. I am just putting the info here to share experience. Thanks for all the help!