waf – Stop User Enumeration requests on AJAX endpoints

I have an ecommerce website with over 5 million customer database. From past couple of days, probably a hacker is hitting an AJAX endpoint continuously. This endpoint takes email address as a parameter and returns whether that email address is registered on our website or not, and we accordingly prompt user to login or signup. My bet is that this hacker is trying to exploit User Enumeration vulnerability.

I have employed various measures to stop this hacker, but he seems to be very smart. I am getting hits from all over the world and hundreds of differents IPs in each country. Which is making it extremely difficult to block him.

To stop him, I have done following:

  1. Applied rate limit using AWS WAF – not more than 100 requests per 5 minute from single IP on this endpoint.
  2. Blocked over 1500 IP address manually going through Access logs
  3. Blocked complete traffic from over 50 countries which doesn’t contribute much in revenue.

Although above steps has curtailed the speed of attack a lot. But that guy is still running this attack and it’s not possible to keep on blocking IP addresses or countries because he keeps on bringing new IP address.

What can be a good way by which I can stop him without hampering our genuine user’s experience? I don’t want to introduce captcha, is there any other way?