3

I had this weird wondering once.

If I am using CloudFront as my CDN, I pay per request made on my static files.


So here comes the wondering. Can one keep requesting the same file in a non-stop fashion (with a script or something), in order to make your bill high? It seems to me to be a pretty fair question, isn't it?

Jonathan Rioux

3 Answers

10

Sure -- it's called "Economic Denial of Sustainability". Not a huge amount you can do about it. Don't expect any CDN provider that bills by the byte to aggressively deploy any countermeasures, either, because it's in their interest to serve (and bill you for) as much traffic as possible.

womble
  • Ok, well, I'll just hope it won't happen to me. Thanks! – Jonathan Rioux Mar 03 '12 at 04:44
  • @womble Such anti-abuse features could become a competitive advantage for a CDN that offers it, though. – ceejayoz Mar 13 '12 at 21:31
  • @ceejayoz: Feel free to start up a CDN that offers that. I strongly suspect that it isn't feasible to offer, except as an *expensive* value-added service. – womble Mar 14 '12 at 00:29
  • If CloudFlare can do CDN for free, presumably Amazon is able to block DOS attacks aimed at CloudFront endpoints. – ceejayoz Mar 14 '12 at 02:56
  • I'd rather pay CloudFront slightly more than deal with DOS on my origin web server. – Erica Kane May 18 '17 at 16:19
  • DoS is different to EDoS. You deploy a proxying, origin-hiding CDN to try and protect against one, and you open yourself up to attack from the other. Wheeeeeee! – womble May 20 '17 at 01:27
2

The answer is a bit dated. In 2017, CloudFront does offer DOS protections through AWS Shield. The Standard tier is offered free to all AWS customers, including CloudFront. For additional features, you can move up to AWS Shield Advanced. From the docs:

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.

All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications.

For higher levels of protection against attacks targeting your web applications running on Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the common network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your ELB, CloudFront or Route 53 charges.

AWS Shield Advanced is available globally on all Amazon CloudFront and Amazon Route 53 edge locations. You can protect your web applications hosted anywhere in the world by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon S3, Amazon EC2, Elastic Load Balancing, or a custom server outside of AWS. You can also enable AWS Shield Advanced directly on Elastic Load Balancing in the following AWS Regions - Northern Virginia, Oregon, Ireland, and Tokyo.

There are also individual network policies available for CloudFront if you like to do things by hand as well.

Erica Kane
  • I'm not sure this'll kick in on CloudFront-hosted static files. The stated goal is to minimize downtime, not billing. CloudFront can happily serve a billion copies of a 1MB file without incurring downtime (after all, that's the point of it, and a DDOS of this nature just looks like a popular download), but it'll still cost a lot. – ceejayoz May 18 '17 at 19:29
  • It specifically mentions CloudFront. I seriously hope they would use the same techniques to distinguish between popular and DDoS. Particularly something like described in the original post. – Erica Kane May 19 '17 at 19:41
  • What techniques would you use to distinguish between "a million people downloading the latest Ubuntu ISO" and "a million bots downloading the latest Ubuntu ISO"? – ceejayoz May 19 '17 at 19:43
  • Are you saying that a DDoS attack cannot be thwarted? It is difficult surely but not impossible. At least many security companies including AWS claim they can offer help. This is getting a bit off topic though... – Erica Kane May 19 '17 at 19:47
  • 2
    How does AWS shield protect against the question posed: someone making requests just to drive up your hosting bill? – womble May 20 '17 at 01:29
0

Take a look at CloudFlare -- I think it wouldn't be an issue with their CDN in place.

DougN
  • CloudFlare costs money for using HTTPS :( – Jonathan Rioux Mar 06 '12 at 12:50
  • 1
    Oh, you're right. But it's a fixed price, not based on usage, isn't it? – DougN Mar 06 '12 at 16:05
  • Indeed DougN, but the monthly fees are too high for me :( – Jonathan Rioux Mar 06 '12 at 22:17
  • "CloudFlare costs money for using HTTPS :( – Jonathan Rioux Mar 6 at 12:50" CloudFlare and SSL: If you can't upgrade to Pro to pay for SSL, you can actually move the SSL to a subdomain (if possible) and mark that as something we don't proxy in your CloudFlare DNS settings. We'll also likely offer a cheaper option for SSL in the future. The drawback, of course, is that we wouldn't be placing the CloudFlare proxy on the SSL portions of the site. – damoncloudflare Mar 13 '12 at 21:07
  • Cloudflare has a free SSL option now. – Jason Martin Mar 06 '17 at 01:44
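
For the scenario in the question (one script fetching the same file over and over), the distribution's access logs show who is driving the bill. The following is an added example, not code from any poster in this thread: it reads CloudFront standard-log text and flags client/object pairs that account for most of the bytes served. The sample log, the addresses, the host name and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in CloudFront standard-log layout (tab-separated rows,
# "#Fields:" header). Real logs carry more columns; only these are used here.
HEADER = ("#Version: 1.0\n#Fields: date time x-edge-location sc-bytes c-ip "
          "cs-method cs(Host) cs-uri-stem sc-status\n")

def _row(t, ip, uri, size=1048576):
    # Host name is a constructed placeholder, not a real distribution.
    return "\t".join(["2017-05-19", t, "IAD89-C1", str(size), ip, "GET",
                      "dexample.cloudfront.net", uri, "200"]) + "\n"

SAMPLE_LOG = HEADER + "".join(
    [_row(f"12:00:{s:02d}", "203.0.113.7", "/files/big.bin") for s in range(40)]
    + [_row("12:00:05", "198.51.100.20", "/files/big.bin"),
       _row("12:00:09", "198.51.100.21", "/index.html", 2048),
       _row("12:00:30", "198.51.100.22", "/files/big.bin")]
)

def parse(log_text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def repeat_fetchers(log_text, min_requests=20, min_share=0.5):
    """Flag (client, object) pairs that dominate the billed bytes in this log."""
    hits, sent = defaultdict(int), defaultdict(int)
    for r in parse(log_text):
        key = (r["c-ip"], r["cs-uri-stem"])
        hits[key] += 1
        sent[key] += int(r["sc-bytes"])
    total = sum(sent.values()) or 1  # avoid dividing by zero on an empty log
    flagged = [(ip, uri, hits[(ip, uri)], sent[(ip, uri)] / total)
               for (ip, uri) in hits
               if hits[(ip, uri)] >= min_requests
               and sent[(ip, uri)] / total >= min_share]
    return sorted(flagged, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for ip, uri, n, share in repeat_fetchers(SAMPLE_LOG):
        print(f"{ip} fetched {uri} {n} times, {share:.0%} of bytes served")
```

A per-address count like this catches the single-script case; it does not separate a million real downloads from a million bots, which is the objection raised in the comments above.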