php, security, sms, ddos

How to prevent DDoS attack on sms account verification


I have an app where users register and enter their mobile phone and other data. In order to verify that the user is valid, before I save it to my database, I send an SMS to the user with a code. After that they should enter the code in the form.

The problem is that my SMS provider charges me if I try to send an SMS even if the phone number is not valid.

How do I prevent a DDoS attack on my app which will try to send an SMS every time (even if the number is not valid)?


Solution

  • There are a couple of things that you should attempt.

    First and foremost, you should try to reduce the probability of a DDOS attack by enabling a captcha.

    While it will make a DDOS attack difficult, it will not make it impossible. In order to prevent an actual DDOS attack you will need to NOT execute SMS requests instantly and put them in a queue instead. By having a separate process with well-defined rate limits and displaying "message may take up to 15 minutes to arrive" on your website, you will make resource exhaustion a lot more difficult to create.

    Last but not least, do phone number validation prior to sending messages and keep track of how many requests were sent to a certain number within the last 30 minutes. Limit the number of requests per unique number to maybe 2 requests per 30 minutes.