Malicious requests used up all SMS quota

Someone attacked my SMS endpoint by sending 2.7k requests over 1 hour and incurred unnecessary cost to my company.

My question is why didn’t Cloudflare identify these as malicious requests and block them?

What identifies the requests as malicious and do you have a WAF rule in place which should have matched to block them based on that criteria?


@cscharff I only deployed Cloudflare’s managed rules. I suppose those requests weren’t malicious in nature. Someone discovered the SMS endpoint, which happened to not require a token (with valid reasons), and simply sent as many requests as they liked to the endpoint.

For now one of the actions I’ve taken was to rate limit the endpoint. However I’m wondering if there’s anything I can do from Cloudflare to better identify requests with bad intentions like this.

If the attacker used your endpoint exactly as intended, except he used it too much, then rate-limiting sounds like the appropriate response.

It sounds like you want your endpoint to be publicly accessible, but only by those with good intentions. Cloudflare offers quite a few security products, but soothsaying is not one of them I’m afraid.

Do you have any other criteria to identify who should be allowed to use your endpoint and who shouldn’t?

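An added example, not code from any poster in this thread or from Cloudflare: a server-side sliding-window limiter for an unauthenticated SMS endpoint that caps sends per destination number, per client, and in total per hour. The class name, the limit values, and the traffic in `simulate_burst` are all assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque

class SmsSendGuard:
    """Sliding-window send limits for an unauthenticated SMS endpoint.
    In-memory and single-process; limits below are assumed values."""

    def __init__(self, per_number=3, per_ip=10, global_cap=500, window=3600):
        self.limits = {"number": per_number, "ip": per_ip, "global": global_cap}
        self.window = window
        self.hits = defaultdict(deque)  # (scope, key) -> send timestamps

    def _count(self, bucket, now):
        q = self.hits[bucket]
        while q and q[0] <= now - self.window:  # drop sends outside the window
            q.popleft()
        return len(q)

    def allow(self, client, phone, now=None):
        """Return (allowed, scope_that_blocked). Only allowed sends are counted."""
        now = time.monotonic() if now is None else now
        buckets = [("number", phone), ("ip", client), ("global", "*")]
        for scope, key in buckets:
            if self._count((scope, key), now) >= self.limits[scope]:
                return False, scope
        for bucket in buckets:
            self.hits[bucket].append(now)
        return True, None

def simulate_burst(guard, clients, requests=2700, duration=3600):
    """Constructed traffic: `requests` sends spread evenly over `duration`
    seconds, rotating over `clients` sources, each to a new fictional number."""
    sent, blocked = 0, {}
    for i in range(requests):
        ok, scope = guard.allow(f"client-{i % clients}", f"+1555{i:07d}",
                                now=i * duration / requests)
        if ok:
            sent += 1
        else:
            blocked[scope] = blocked.get(scope, 0) + 1
    return sent, blocked

if __name__ == "__main__":
    print(simulate_burst(SmsSendGuard(), clients=30))    # few sources
    print(simulate_burst(SmsSendGuard(), clients=2700))  # one source per request
```

The second run shows why the total hourly cap matters: when every request comes from a different source and targets a different number, only the global budget bounds the cost.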

@Laudian The endpoint doesn’t require a token because it’s used for signing up and resetting passwords. Therefore, I’m afraid the endpoint is really for the public to use.

Is it possible to restrict the endpoint so that it can only be used from my mobile app? This would mean nobody can use Postman or any script to send requests to the endpoint.

