We're getting thousands of calls to different flavors of the following:
/rest/default/V1/guest-carts/zHghQPWEgbShMdyjUiDLVDoNVuD4Pren/payment-information
Due to the rest call, these are breezing past Cloudflare on default settings.
First off, I'm surprised to see rest baked into front-end delivery. I'm seeing more and more modules doing that or we'd restrict V1 to an IP range. In any case, the above URL generates an email on every call. We've shut down guest checkout and blocked access to the URL for now.
We're having this issue too, would it be possible for you to explain a little more on what you did?
Have you simply blocked access to /rest/default/V1/ globally or have you just restricted access to internal calls only?
Bumping this thread to see if anyone else has had this and what they might have done to solve it?
I've personally just seen this on another customers website.
Small redacted example below; this is just a very small section of the 8000+ requests that came in during a 5 minute window before they stopped.
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:19:33 +0000] "GET /customer/section/load?sections=cart&force_new_section_timestamp=false HTTP/1.1" 200 748 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:19:34 +0000] "GET /static/frontend/Magento/eggfree/en_GB/Magento_Checkout/template/summary/cart-items.html HTTP/1.1" 200 528 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:19:34 +0000] "GET /static/frontend/Magento/eggfree/en_GB/Magento_Checkout/template/form/element/email.html HTTP/1.1" 200 1003 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:19:34 +0000] "GET /static/frontend/Magento/eggfree/en_GB/Magento_Checkout/template/shipping-address/form.html HTTP/1.1" 200 1020 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:19:34 +0000] "GET /static/frontend/Magento/eggfree/en_GB/Vertex_AddressValidation/template/validation-message.html HTTP/1.1" 200 486 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:19:34 +0000] "GET /static/frontend/Magento/eggfree/en_GB/Magento_Tax/template/checkout/summary/item/details/subtotal.html HTTP/1.1" 200 398 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:20:24 +0000] "POST /rest/default/V1/guest-carts/u81r5V7j1oRpRCbDiNyIzjy3M5IPKsAr/estimate-shipping-methods HTTP/1.1" 200 151 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:20:52 +0000] "POST /rest/default/V1/guest-carts/u81r5V7j1oRpRCbDiNyIzjy3M5IPKsAr/totals-information HTTP/1.1" 200 530 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:21:05 +0000] "POST /rest/default/V1/guest-carts/u81r5V7j1oRpRCbDiNyIzjy3M5IPKsAr/totals-information HTTP/1.1" 200 530 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:21:41 +0000] "POST /rest/default/V1/guest-carts/u81r5V7j1oRpRCbDiNyIzjy3M5IPKsAr/estimate-shipping-methods HTTP/1.1" 200 151 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:21:41 +0000] "POST /rest/default/V1/guest-carts/u81r5V7j1oRpRCbDiNyIzjy3M5IPKsAr/totals-information HTTP/1.1" 200 530 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:22:19 +0000] "POST /rest/default/V1/guest-carts/u81r5V7j1oRpRCbDiNyIzjy3M5IPKsAr/estimate-shipping-methods HTTP/1.1" 200 151 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:22:19 +0000] "POST /rest/default/V1/guest-carts/u81r5V7j1oRpRCbDiNyIzjy3M5IPKsAr/totals-information HTTP/1.1" 200 530 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:22:27 +0000] "POST /rest/default/V1/guest-carts/u81r5V7j1oRpRCbDiNyIzjy3M5IPKsAr/totals-information HTTP/1.1" 200 530 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx - [05/Sep/2020:20:23:38 +0000] "POST /rest/default/V1/guest-carts/u81r5V7j1oRpRCbDiNyIzjy3M5IPKsAr/estimate-shipping-methods HTTP/1.1" 200 151 "https://XXXXXX/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
 
It's actually not a DDoS attack. I have three clients (2 on Magento and 1 on WooCommerce) that have this issue. On Magento, somebody is adding the lowest-priced product they can find to a cart, and then using the API cart ID from the on-page Ajax calls to hit this endpoint thousands of times with different credit card details each time:
POST /rest/default/V1/guest-carts/{cart-id}/payment-information
Every time there is a successful transaction, they know they have a card they can use for other purchases.
So they're using Magento's internal REST method as a tool for credit card fraud.
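Added example (my own code, not anything posted by the people in this thread): a small Python script that reads access-log lines in the format pasted earlier in the thread and flags the pattern the last post describes, many POSTs to /rest/.../V1/guest-carts/{cart-id}/payment-information against the same cart ID inside a short window, something a real shopper never does. The sample log lines, cart IDs, IP addresses and the 5-attempts-in-5-minutes threshold are all constructed for the example; the assumption that a declined card comes back as a 4xx from this endpoint while an accepted one returns 200 with the order ID is mine and should be checked against your own logs.

```python
"""Flag card-testing bursts against Magento's guest-cart payment-information endpoint."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Log format as posted in this thread: ip - [ts] "METHOD path HTTP/x" status bytes "referer" "ua"
# (the standard combined form with an extra "-" remote-user field is accepted too).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?:\S+ )?\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Store code in the path is optional (/rest/default/V1/... or /rest/V1/...).
PAYMENT_RE = re.compile(r"^/rest/(?:[^/]+/)?V1/guest-carts/(?P<cart>[A-Za-z0-9]+)/payment-information$")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_card_testing(lines, window=timedelta(minutes=5), threshold=5):
    """Return {cart_id: summary} for carts with >= threshold payment-information POSTs inside any window.

    A genuine checkout hits this endpoint once, maybe twice after a typo; dozens of attempts
    against one cart ID is somebody cycling stolen card numbers through your gateway.
    """
    by_cart = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        pm = PAYMENT_RE.match(rec["path"])
        if pm:
            by_cart[pm["cart"]].append((rec["ts"], rec["ip"], rec["status"]))

    flagged = {}
    for cart, events in by_cart.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _, _) in enumerate(events):  # sliding window over sorted timestamps
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            statuses = Counter(s for _, _, s in events)
            flagged[cart] = {
                "attempts": len(events),
                "peak_in_window": peak,
                "ips": sorted({ip for _, ip, _ in events}),
                # Assumption: 200 = order placed (card worked), 4xx = gateway declined the card.
                "approved": statuses.get(200, 0),
                "declined": sum(c for s, c in statuses.items() if s >= 400),
            }
    return flagged


# ---- Constructed sample log (not real traffic): one real shopper, one card-testing run ----
ATTACKER = "2a00:23c4:7700:f201:xxxx:xxxx:xxxx:xxxx"  # redacted the same way as the post above
SHOPPER = "203.0.113.7"  # RFC 5737 documentation address
UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15"
LEGIT_CART = "cartAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
TESTED_CART = "cartBBBBBBBBBBBBBBBBBBBBBBBBBBBB"


def _line(ip, ts, method, path, status, size):
    return f'{ip} - [{ts} +0000] "{method} {path} HTTP/1.1" {status} {size} "https://XXXXXX/checkout/" "{UA}"'


def _cart(cart, action):
    return f"/rest/default/V1/guest-carts/{cart}/{action}"


SAMPLE_LOG = [
    _line(SHOPPER, "05/Sep/2020:20:19:33", "GET", "/customer/section/load?sections=cart", 200, 748),
    _line(SHOPPER, "05/Sep/2020:20:20:24", "POST", _cart(LEGIT_CART, "estimate-shipping-methods"), 200, 151),
    _line(SHOPPER, "05/Sep/2020:20:20:52", "POST", _cart(LEGIT_CART, "totals-information"), 200, 530),
    _line(SHOPPER, "05/Sep/2020:20:22:10", "POST", _cart(LEGIT_CART, "payment-information"), 200, 6),
    # Six payment attempts on one cart in under three minutes; the single 200 is a card that worked.
    _line(ATTACKER, "05/Sep/2020:20:30:01", "POST", _cart(TESTED_CART, "payment-information"), 400, 88),
    _line(ATTACKER, "05/Sep/2020:20:30:19", "POST", _cart(TESTED_CART, "payment-information"), 400, 88),
    _line(ATTACKER, "05/Sep/2020:20:30:40", "POST", _cart(TESTED_CART, "payment-information"), 400, 88),
    _line(ATTACKER, "05/Sep/2020:20:31:03", "POST", _cart(TESTED_CART, "payment-information"), 200, 6),
    _line(ATTACKER, "05/Sep/2020:20:31:55", "POST", _cart(TESTED_CART, "payment-information"), 400, 88),
    _line(ATTACKER, "05/Sep/2020:20:32:30", "POST", _cart(TESTED_CART, "payment-information"), 400, 88),
]

if __name__ == "__main__":
    for cart, info in find_card_testing(SAMPLE_LOG).items():
        print(cart, info)
```

Run it against a real access log with `find_card_testing(open("access.log"))`. Keying on the cart ID rather than the client IP is deliberate: the attacker can rotate source addresses, but every attempt has to name the cart that holds the cheap product, and that ID is in the URL. The approved/declined split is the number that matters, since each 200 is a card the attacker has now confirmed as live.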
We got the same attack; we are thinking of blocking external POST requests on */rest/*/V1/guest-carts/* by validating that the IP is from the server and the HTTP referer is the right one. We will probably also add an Nginx rate limit to reduce the frequency if the attack spoofs the IP or the domain referer.
We are facing similar attacks on the REST API endpoint of PayPal Payflow Pro, as follows:
paypal/trasparent/requestSecureToken
Did you find any potential solution to tackle this?
Got attacked the past week, any way to block these?
Anyone ever solve this?
Did anyone ever come up with a solution to this as I'm getting a request every second currently and it's taking out Redis at the same time.
I'm using CE 2.4.2
Patching is mandatory, but the solution below (creating a custom module) is how I completely stopped the execution of orders like these:
github.com/magento/magento2/issues/39002#issuecomment-2291143582