I run a small API that has a no-sign-up-required free tier.

This has been thoroughly abused over the past few weeks as I've been getting hundreds of millions of calls a day from countries all over the world in what I now believe is a DoS attack.

I've tried a few dozen things to try and stop it, including banning countries, which has helped.

I've inspected the requests and they don't have any bogus query params to break caching like in the examples I've seen. It's just a simple GET to / on the API with a number of headers set.

Does anyone know of any helpful way to mitigate this kind of attack?

Here's a sample log event:
{'type': 'REQUEST', 'resource': '/', 'path': '/', 'httpMethod': 'GET', 'headers': {'accept-language': 'ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7', 'X-Forwarded-Proto': 'https', 'X-Forwarded-For': '88.200.137.163', 'Host': 'myapi.co', 'X-Forwarded-Port': '443', 'accept-encoding': 'gzip, deflate, br', 'X-Amzn-Trace-Id': 'Root=1-5b1e2ce9-f7f53b56b21b4ae4aca1c49e', 'accept': '*/*', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36'}, 'queryStringParameters': {}, 'pathParameters': {}, 'stageVariables': {}, 'requestContext': {'resourcePath': '/', 'httpMethod': 'GET', 'extendedRequestId': 'ITv0aHJuFiAFkmw=', 'requestTime': '11/Jun/2018:08:03:53 +0000', 'path': '/', 'protocol': 'HTTP/1.1', 'stage': 'published', 'requestTimeEpoch': 1528704233073, 'requestId': 'fb4b5e8f-6d4d-11e8-9fcb-4f9526203fa9', 'identity': {'cognitoIdentityPoolId': None, 'accountId': None, 'cognitoIdentityId': None, 'caller': None, 'sourceIp': '88.200.137.163', 'accessKey': None, 'cognitoAuthenticationType': None, 'cognitoAuthenticationProvider': None, 'userArn': None, 'userAgent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36', 'user': None}}}
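One defender-side mitigation for the flood described in this post, as an added example that is not the poster's code: a per-source-IP sliding-window rate limit that reads the same API Gateway proxy event shape shown in the log (requestContext.identity.sourceIp and requestTimeEpoch) and answers 429 before the backend does any real work. The window length, request limit, sample event and in-memory counter store are assumptions made for the example.

```python
import json
from collections import deque
from typing import Deque, Dict

# Constructed sample event, shaped like the API Gateway proxy event in the post
# (only the fields this check reads are filled in).
SAMPLE_EVENT = {
    "httpMethod": "GET", "path": "/",
    "requestContext": {
        "requestTimeEpoch": 1528704233073,
        "identity": {"sourceIp": "88.200.137.163"},
    },
}

WINDOW_MS = 10_000   # sliding window length (assumed policy, tune for your API)
LIMIT = 20           # max requests per source IP per window (assumed policy)

# In-memory state for the example; a real deployment keeps these counters in a
# shared store, since Lambda containers are short-lived and run in parallel.
_hits: Dict[str, Deque[int]] = {}

def client_ip(event: dict) -> str:
    """API Gateway fills identity.sourceIp from the TCP peer; prefer it over
    X-Forwarded-For, which a client can set itself unless the edge strips it."""
    return event["requestContext"]["identity"]["sourceIp"]

def over_limit(event: dict, state: Dict[str, Deque[int]] = _hits) -> bool:
    """Sliding-window counter: True if this source IP exceeded LIMIT in WINDOW_MS."""
    ip = client_ip(event)
    now = event["requestContext"]["requestTimeEpoch"]
    q = state.setdefault(ip, deque())
    while q and now - q[0] >= WINDOW_MS:   # drop timestamps outside the window
        q.popleft()
    q.append(now)
    return len(q) > LIMIT

def handler(event: dict, context=None) -> dict:
    """Lambda proxy handler: refuse early with 429 before doing real work."""
    if over_limit(event):
        return {"statusCode": 429,
                "headers": {"Retry-After": str(WINDOW_MS // 1000)},
                "body": json.dumps({"error": "rate limit exceeded"})}
    return {"statusCode": 200, "body": json.dumps({"ok": True})}
```

Counting at the gateway itself (API Gateway usage-plan throttling or an AWS WAF rate-based rule) stops the flood before the function is even invoked and billed; this in-function check is the fallback for whatever gets through.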