Dealing with a Major AWS Cognito/SNS Billing Issue After a DDoS Attack

Asked By TechieTango123 On

Hey everyone, I wanted to share a tough experience I had running my small startup on AWS. About six months back, my account suffered a DDoS attack targeting the Cognito phone verification API, which racked up over $10,000 in SMS charges through Amazon SNS in just a few hours. I'd been following AWS best practices, implementing CloudFront and strict AWS WAF rules, but this vulnerability wasn't well-documented.

I reached out to AWS support, but their suggested solution—implementing an IP-based rate limit with AWS WAF—wouldn't have worked because the attacker frequently changed IPs. After months of discussions with AWS, they ultimately refused to help or provide any financial relief, which has put my startup in a tough spot.

I shared this story to raise awareness and hope it can help others avoid a similar situation. Let's discuss how AWS can improve their documentation and support for issues like these!

1 Answer

Answered By DevHero99 On

I'm so sorry to hear this happened! SMS pumping attacks can really mess things up. To combat them, we combined several strategies: using CAPTCHA on request forms, blocking countries we don’t service, and implementing stricter WAF rules. Also, we track user requests closely and set up alerts for sudden spikes in SMS. It’s a continuous battle, but these measures have worked for us and reduced incidents considerably.

CuriousCoder82 -

What’s the main goal of these attackers? Do they just want to cause chaos, or is there financial gain behind it?
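The answer above recommends tracking requests closely and alerting on sudden SMS spikes, and the original post notes that an IP-based WAF limit failed because the attacker rotated IPs. The following is an added example, not code from the original thread or from AWS: a small detector that replays constructed Cognito-style SMS send events (the log format, field names and phone numbers are all made up here, and the `DIAL_CODES` table is a deliberately tiny stand-in for a real country-code list) and compares a sliding-window spike check keyed by caller IP against the same check keyed by destination dialing code. The point it makes is that rotating IPs defeats the first key but not the second, and that a sudden concentration of sends toward one dialing code is itself a useful alert signal.

```python
import json
from collections import Counter, deque
from datetime import datetime

# Constructed sample of Cognito-style SMS-triggering events (not real logs).
# Fields: ISO-8601 time, Cognito operation, caller IP, E.164 destination number.
SAMPLE_LOG = """\
{"time": "2024-05-01T10:00:00Z", "op": "ResendConfirmationCode", "ip": "198.51.100.10", "dest": "+14155550101"}
{"time": "2024-05-01T10:00:20Z", "op": "SignUp", "ip": "198.51.100.11", "dest": "+14155550102"}
{"time": "2024-05-01T10:01:05Z", "op": "SignUp", "ip": "203.0.113.5", "dest": "+2250700000001"}
{"time": "2024-05-01T10:01:06Z", "op": "ResendConfirmationCode", "ip": "203.0.113.6", "dest": "+2250700000002"}
{"time": "2024-05-01T10:01:07Z", "op": "ResendConfirmationCode", "ip": "203.0.113.7", "dest": "+2250700000003"}
{"time": "2024-05-01T10:01:08Z", "op": "ResendConfirmationCode", "ip": "203.0.113.8", "dest": "+2250700000004"}
{"time": "2024-05-01T10:01:09Z", "op": "ResendConfirmationCode", "ip": "203.0.113.9", "dest": "+2250700000005"}
{"time": "2024-05-01T10:01:10Z", "op": "ResendConfirmationCode", "ip": "203.0.113.10", "dest": "+2250700000006"}
{"time": "2024-05-01T10:05:00Z", "op": "SignUp", "ip": "198.51.100.12", "dest": "+14155550103"}
"""

# Tiny constructed stand-in for a full ITU dialing-code table (assumption: a
# real deployment would load the complete list, e.g. from libphonenumber).
DIAL_CODES = {"1", "44", "225"}


def dial_code(number: str) -> str:
    """Longest-prefix match of an E.164 number against DIAL_CODES."""
    digits = number.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in DIAL_CODES:
            return digits[:length]
    return digits[:3]  # unknown code: fall back to the first three digits


def parse_events(text: str) -> list:
    """Parse one JSON record per line into dicts with a parsed timestamp and dialing code."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events.append({"time": ts, "op": rec["op"], "ip": rec["ip"],
                       "dest": rec["dest"], "cc": dial_code(rec["dest"])})
    return events


def detect_spikes(events, window_seconds=60, threshold=5, key=lambda e: "all"):
    """Sliding-window counter per key; emits (key, time, count) whenever the
    number of SMS-triggering events for that key in the last window_seconds
    reaches threshold. key=lambda e: e["ip"] mimics an IP-based limit,
    key=lambda e: e["cc"] keys on the destination dialing code instead."""
    windows = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        k = key(ev)
        w = windows.setdefault(k, deque())
        w.append(ev["time"])
        cutoff = ev["time"].timestamp() - window_seconds
        while w and w[0].timestamp() < cutoff:
            w.popleft()  # drop events that fell out of the window
        if len(w) >= threshold:
            alerts.append((k, ev["time"], len(w)))
    return alerts


def destination_concentration(events, max_share=0.5) -> dict:
    """Share of sends per dialing code; returns the codes whose share of all
    traffic exceeds max_share, which is the shape an SMS-pumping burst takes."""
    counts = Counter(e["cc"] for e in events)
    total = sum(counts.values())
    return {cc: n / total for cc, n in counts.items() if n / total > max_share}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("global spikes:", len(detect_spikes(evs)))
    print("per-IP spikes:", len(detect_spikes(evs, key=lambda e: e["ip"])))
    print("per-dialing-code spikes:", detect_spikes(evs, key=lambda e: e["cc"]))
    print("concentrated destinations:", destination_concentration(evs))
```

On the constructed sample the IP-keyed check never fires because every request comes from a different address, while the same threshold keyed on the destination dialing code fires twice and the concentration check flags the +225 range as carrying two thirds of all sends. The same per-destination keys are what you would feed into a throttle in front of the verification endpoint, alongside the CAPTCHA and geo-blocking the answer mentions.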
