Comment by jacob019

This is correct. We have seen this over the years in our ecommerce business. I suggest using threat levels, you are under attack so the threat level increases until they go away. When the threat level is high, you require an exact match AVS. You might have more agressive filtering at the IP level, real users generally won't be datacenter IPs. Pay attention to the ASN, sometimes you'll get an attack from a network that legit customers never use, so you can just block the whole network. Keep an eye on your logs, you'll notice patterns. The attack is likely coming from a single entity, if you make it difficult to abuse your service, then they will move on.