HACKER Q&A
📣 turkeytotal

How to mitigate “SMS layer” DDoS attacks with Twilio-style services?


Recently a website that does customer support over SMS was DDoS'd. An angry customer wrote a script to spam the support line with thousands of texts. A hefty bill was racked up, but thankfully the customer was placated and the attack stopped.

It quickly came to the service's attention that Twilio (and any downstream providers) only supports blocking numbers for inbound calls:

https://support.twilio.com/hc/en-us/articles/223181648-Is-there-a-way-to-block-incoming-SMS-on-my-Twilio-phone-number-

The service is in search of an alternative, and is hoping a fellow HN-er would be able to provide some insight/mitigations. It appears bandwidth.com does not support blocking SMS from specific numbers either, so the concern is that this may be a limitation of the telephony system.

Thank you in advance :)


  👤 posguy Accepted Answer ✓
Your carrier should not be charging you for inbound SMS; changing SMS enablement providers can usually be done in a few minutes.

I would encourage you to look at Teli, Telnyx & SignalWire; iirc they all support blocking texts from a particular number. Avoid Bandwidth.com unless you want to deal with a long sales funnel and chasing them for API keys they never provide.