How to Combat OTP Abuse with Proxy Rotation?

Asked By TechieExplorer92 On

Hey folks! I'm dealing with a frustrating situation in my project where an attacker is exploiting the OTP signup feature. They're sending in a phone number and using proxy rotation for each request, making it hard to pinpoint them. They've managed to bypass reCAPTCHA and even the Vercel BotID checks, which is worrying. My current security measures don't seem effective against this. I'm considering developing my own captcha, but I'd rather know if there are any tools recommended specifically for situations like this. Also, it seems like they might be utilizing an automation tool like Puppeteer. While the endpoint is secure, I struggle to detect their activity through the frontend. Rate limiting doesn't work either since they keep rotating proxies with every request. I'd really appreciate any thoughts or suggestions you guys have!

2 Answers

Answered By CodeMasterX On

From what you've shared, it sounds like this attacker has a good strategy by bypassing standard protective measures. It's important to remember that just because they can pass reCAPTCHA and other checks doesn’t mean they are legitimate users. Have you considered setting up more advanced anomaly detection? Monitoring behavior patterns could help you identify these malicious requests better. It might also be worth diving into the abnormal request volume you're seeing—like how often the same number gets requested or unusual IP consistency during signups.

CyberGuardians77 -

Exactly! Implementing behavior analysis can be key. Also, looking at the regions these requests are coming from can help identify suspicious patterns, especially if they're all from places you don't target.

Answered By DevNinja21 On

Creating your own captcha might seem daunting, but it could solve your problem if it’s well-designed. However, I'd suggest checking out tools specifically aimed at bot detection; they can be quite handy. Solutions like Cloudflare's Bot Management or services from Sift can offer solid defensive capabilities against these types of automated attacks. You might also want to explore rate limiting based on user behavior instead of IP alone if you haven’t already.

PasswordPhantom -

Great suggestion about looking into Cloudflare or similar services! They have advanced features that can help block abnormal request patterns and could save you a lot of time reinventing the wheel.
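One way to act on the two suggestions above (keying the limit on the phone number rather than the source IP, and flagging a number whose requests arrive from many different IPs in a short window), as example code added here rather than anything a poster supplied; the request log, window and thresholds are constructed for illustration:

```python
from collections import defaultdict, deque

# Constructed sample of OTP signup requests, not real traffic: (timestamp_s, phone, ip).
# Phone A is hammered from rotating IPs; phone B is a normal user who retries later.
SAMPLE_REQUESTS = [
    (0,   "+15550100", "203.0.113.10"),
    (3,   "+15550100", "203.0.113.10"),
    (5,   "+15550100", "198.51.100.7"),
    (9,   "+15550100", "203.0.113.10"),
    (14,  "+15550100", "192.0.2.44"),
    (20,  "+15550200", "203.0.113.10"),
    (700, "+15550200", "203.0.113.10"),
]


class OtpAbuseGuard:
    """Sliding-window limiter keyed on the phone number (not the IP), plus a check
    for one number being requested from more distinct IPs than a real user would use."""

    def __init__(self, window_s=600, max_per_phone=3, max_distinct_ips=2):
        self.window_s = window_s
        self.max_per_phone = max_per_phone
        self.max_distinct_ips = max_distinct_ips
        self.events = defaultdict(deque)  # phone -> deque of (timestamp, ip)

    def _prune(self, phone, now):
        q = self.events[phone]
        while q and now - q[0][0] > self.window_s:
            q.popleft()

    def check(self, ts, phone, ip):
        """Return "ok", "phone_rate_limited" or "ip_churn" for one request.
        Every attempt is recorded, rejected ones included, so a rotating attacker
        cannot reset the counter by being blocked."""
        self._prune(phone, ts)
        q = self.events[phone]
        q.append((ts, ip))
        distinct_ips = {seen_ip for _, seen_ip in q}
        if len(distinct_ips) > self.max_distinct_ips:
            return "ip_churn"           # same number, many IPs: proxy rotation signature
        if len(q) > self.max_per_phone:
            return "phone_rate_limited" # too many OTPs for one number in the window
        return "ok"


def evaluate(requests, guard=None):
    """Run a request log through the guard; returns [(phone, ip, verdict), ...]."""
    guard = guard or OtpAbuseGuard()
    return [(phone, ip, guard.check(ts, phone, ip)) for ts, phone, ip in requests]
```

Run over the constructed log, the fourth request for phone A trips the per-number limit and the fifth is flagged for IP churn, while phone B's retry 680 seconds later is allowed because its earlier attempt has aged out of the window.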
