A simple botnet can cost a serverless based architecture a $40k bill.

Thoughts on guarding against this type of threat? A WAF can detect some of this but the rotating IPs would make that less effective.