The Problem
Political marketing campaigns generate concentrated traffic surges during key moments like elections, debates, and fundraising drives. The intensity of these surges is predictable, and bad actors know it. Without intelligent filtering, they exploit those windows to flood webhooks, scrape pricing endpoints, submit fake leads at scale, and corrupt the analytics that campaign managers rely on for real-time decisions. Pop Acta was processing political advertising for multiple clients simultaneously and seeing thousands of malicious requests per hour. Legitimate traffic was drowning in noise, compute costs were climbing with no corresponding business value, and client campaign data was being polluted by bot submissions. Manual blocking was not an option at that volume and velocity. They needed a system that could distinguish real users from automated threats without adding friction to legitimate visitors, and do it continuously without engineering attention.
How We Solved It
We instrumented all public-facing endpoints with a layered AWS WAF ruleset built in three tiers. The first tier applies AWS Managed Rules for IP reputation blocking, common attack patterns (SQLi, XSS, LFI), and known bot signatures. The second tier adds rate-based rules scoped by IP and by session token, throttling any single source that exceeds threshold request rates within a rolling 5-minute window. The third tier applies a CAPTCHA challenge specifically on high-value form submissions where the cost of a false positive (a real user asked to verify) is acceptable relative to the value of blocking automation. A Lambda function subscribes to WAF CloudWatch metrics and automatically adds offending IPs to a dynamic IP set that blocks at the edge with no latency penalty. The entire ruleset is defined and managed in Terraform. Updates and rule tuning happen through pull requests, not console clicks. ALB access logs ship to an S3 bucket on a lifecycle policy, enabling retroactive forensic analysis of attack patterns and refinement of blocking rules over time.
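One way to use the ALB access logs described above for rule tuning, as an added example that is not Pop Acta's or the project's own code: it replays log entries through a rolling 5-minute per-IP counter, approximating what a rate-based rule keyed on IP would flag at a given threshold. The sample entries, addresses, threshold and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)          # window length named in the text
FIELD = re.compile(r'"[^"]*"|\S+')     # quoted request/user-agent stay one field

def parse_alb_line(line):
    """Return (timestamp, client_ip) from one ALB access log entry."""
    f = FIELD.findall(line)
    ts = datetime.strptime(f[1], "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts, f[3].rsplit(":", 1)[0]  # field 3 is client:port

def offenders(lines, threshold):
    """Map each IP whose peak count in any rolling window exceeds threshold to that peak."""
    recent = defaultdict(deque)        # ip -> timestamps still inside the window
    peak = defaultdict(int)
    # ALB log files are not strictly time-ordered, so sort before windowing.
    for ts, ip in sorted(parse_alb_line(l) for l in lines if l.strip()):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= WINDOW:     # drop requests that aged out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}

def sample_line(ts, ip):
    """Constructed entry in ALB field order (trailing fields omitted)."""
    return (f'https {ts:%Y-%m-%dT%H:%M:%S.%f}Z app/example-alb/0123456789abcdef '
            f'{ip}:44321 10.0.0.5:80 0.001 0.002 0.000 200 200 120 512 '
            '"POST https://example.com:443/lead HTTP/1.1" "sample-agent/1.0" '
            'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2')

T0 = datetime(2024, 1, 1, 12, 0, 0)
# Constructed traffic: one source bursting every 15 s, one visitor every 5 min.
SAMPLE = ([sample_line(T0 + timedelta(seconds=15 * i), "203.0.113.7") for i in range(8)]
          + [sample_line(T0 + timedelta(minutes=5 * i), "198.51.100.20") for i in range(8)])

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE, threshold=5).items():
        print(f"{ip} peaked at {n} requests in 5 minutes")
```

Running the same replay at several thresholds shows how many legitimate sources a candidate rate limit would have caught before it is changed in a pull request.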
What We Delivered
- 90%+ reduction in spam traffic
- Real-time threat blocking capabilities
- Scalable infrastructure ready for campaign surges
