Hey everyone, I wanted to share a serious experience I've had with AWS that I think could help others avoid a similar situation. For the past six years, I've been running a self-funded startup on AWS, and recently, I faced a significant financial hit because of a vulnerability in AWS Cognito's phone verification process. About six months ago, my account was hit by a DDoS attack that exploited this feature, leading to over $10,000 in SMS charges through Amazon SNS.
Despite following AWS best practices—like using CloudFront and AWS WAF—I found that this specific vulnerability wasn't adequately documented or warned about by AWS. When I reached out for support, they suggested IP-based rate limiting, but that wouldn't have made a difference since the attacker was cycling through different IP addresses.
After months of trying to resolve this with AWS Support, I was left without any financial help, which is tough for a small startup like mine. I felt it was important to make others aware of this risk, especially since vulnerabilities that can lead to massive charges should have clear documentation and guidance. I hope this helps someone out there and maybe even prompts someone from AWS to reconsider their support approach.
3 Answers
For those looking into avoiding this kind of issue, it’s called 'SMS pumping.' Here’s a resource on it that explains the problem and how to mitigate it: [SMS Pumping Attacks](https://www.techtarget.com/searchsecurity/feature/SMS-pumping-attacks-and-how-to-mitigate-them). It’s important to stay informed.
Thanks for sharing your experience! It's essential for others to be aware of these potential pitfalls. Proper documentation from AWS about vulnerabilities and how to handle them is crucial, especially for smaller startups like yours. Maybe speaking out will lead to better practices.
SMS pumping attacks can be really problematic. Here’s what I've found works best to combat them:

1) Adding CAPTCHA to the SMS request helps, though it's not foolproof.
2) Block regions you don't service to cut down on sudden spike attacks.
3) Use AWS WAF to set rate limits on requests. We keep ours to the minimum allowed.
4) Track 2FA requests per user per minute to block excessive requests efficiently.

Monitor the number of SMS messages sent to catch spikes early. It’s a constant battle, but these measures help reduce the risk.
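One way to put the region block, the per-user 2FA cap and the spike monitoring from the answer above into code, as an added example that is not part of this thread or of any AWS library: a sliding-window guard that sits in front of the SMS publish call. The class name, method names and all sample traffic are constructed for the demo.

```python
"""Throttle SMS verification sends before they reach SNS (SMS-pumping defence).
Added example, not code from this thread or from AWS. Implements the checks the
answer lists: a destination-country allowlist, a per-user per-minute cap on 2FA
requests, and a spike alarm on total send volume. Names and traffic are constructed."""
from collections import defaultdict, deque


class SmsGuard:
    def __init__(self, allowed_prefixes, per_user_limit=3, window_s=60, spike_threshold=100):
        self.allowed_prefixes = tuple(allowed_prefixes)  # E.164 country codes you service
        self.per_user_limit = per_user_limit             # 2FA requests per user per window
        self.window_s = window_s
        self.spike_threshold = spike_threshold           # accepted sends per window before alarming
        self._per_user = defaultdict(deque)              # user_id -> timestamps of accepted sends
        self._all_sends = deque()                        # timestamps of every accepted send

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] >= self.window_s:
            q.popleft()

    def allow_request(self, user_id, phone, now):
        """Return (allowed, reason); call this before publishing the SMS."""
        if not phone.startswith(self.allowed_prefixes):
            return False, "region_blocked"
        q = self._per_user[user_id]
        self._prune(q, now)
        if len(q) >= self.per_user_limit:
            return False, "user_rate_limited"
        q.append(now)
        self._all_sends.append(now)
        return True, "ok"

    def spike_alarm(self, now):
        """True when accepted sends in the current window exceed the global threshold."""
        self._prune(self._all_sends, now)
        return len(self._all_sends) > self.spike_threshold


def run_demo():
    """Replay constructed traffic; return per-reason counts and the alarm state."""
    guard = SmsGuard(allowed_prefixes={"+1", "+44"}, spike_threshold=5)
    traffic = [(t, "alice", "+15550100001") for t in (0, 20)]                 # normal user, 2 codes
    traffic += [(t, "bob", "+15550100002") for t in range(0, 10, 2)]           # 5 requests in 10 s
    traffic += [(t, f"acct{t}", f"+2637000{t:04d}") for t in range(40)]        # unserved region, rotating accounts
    traffic += [(30 + t, f"new{t}", f"+4477000{t:04d}") for t in range(6)]    # burst of fresh accounts
    counts = defaultdict(int)
    for now, user, phone in sorted(traffic):
        counts[guard.allow_request(user, phone, now)[1]] += 1
    return dict(counts), guard.spike_alarm(now=36)
```

The per-user counter only grows on accepted sends, so rejected attempts cost nothing, and the spike alarm fires on what actually went out to the carrier, which is the number that ends up on the bill.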
That sounds like a solid plan! I’ll definitely consider implementing CAPTCHA and stricter monitoring.
So it's more about configuration than a strict vulnerability?