9

How can I protect my public images hosted on GCS from DDoS attacks?

Does Google provide any protection, or should I pay for the bandwidth used by that attack?

Sed
  • How do you access your GCS? GAE has a "ddos.xml" you can set up to block certain IPs/ranges. And that's on top of Google's defense (I'm confident they have something set up themselves on top of that system) – Patrice Feb 25 '15 at 20:14
  • 1
    I use Compute Engine to upload objects (mostly images) and then set permission to public-read, and then share the public URL (googleapis.com). I'm sure Google has some sort of DDoS mitigation against serious attacks. But since Google Cloud networking is very expensive, I'm worried about smaller attacks that aren't a real attack but still could make our startup pay a lot of money to Google! – Sed Feb 25 '15 at 22:48
  • Inbound traffic is not billed on Amazon EC2. Has Google followed this same model? If so, you run no risk of extra billing from malicious traffic that you effectively do not respond to. Sorry I can't be more specific for Google, but hope this points you in the right direction. – Dan Armstrong Feb 25 '15 at 23:31
  • If you're using Compute Engine, then no, there's no intrinsic DDOS in it. App Engine has what I mentioned before. I say like Dan though, that you should not be charged for inbound traffic. If you do serve your website from a bucket, then yes, these "small DoS" attacks might slip through, and since they will show up as outbound traffic for you, you will pay for them. I do think you can file a billing request to have part of it credited IF you can prove it was a DoS attack (don't quote me on that last part though, I never had to do it) – Patrice Feb 27 '15 at 18:24

2 Answers

3

Your question is more about budget control rather than DDOS attacks. Rest assured that Google will protect GCS serving infrastructure from any real DDOS threat, so you do not need to take any additional steps here.

If your concern is that someone may start draining your budget on purpose by bulk downloading your content, you should not make it public in the first place.

You can take different approaches to serve non-public content from GCS to your end-users. Just to get you started, check this out:

PrecariousJimi
  • 1
    "...you should not make it public in the first place". Honestly, no offense intended (no really) but this sounds really weird to me and I can't figure out which of my assumptions it disagrees with. Are you saying that, A) GCS should not be used for publicly accessible images, B) any entity using it for images should be able to absorb unexpectedly large costs, C) there are some entities/usages of publicly accessible images where it is guaranteed that no one will do this bulk download..., D) ...people shouldn't worry about very unlikely things? What am I missing? – cesoid Oct 20 '21 at 16:25
1

In DDoS attacks on Google Cloud storage, the attackers make use of multiple resources to arrange the large-scale attacks against the targets. Here are some steps to take to mitigate denial of service attacks on cloud storage:

• Try to isolate your internal traffic from external data

• You can enable DDoS protection by enabling proxy-based load balancing

• Secure the deployment using network firewall rules and Identity and Access Management

• Protect Google Cloud Storage with CDN offloading

• Deploy third-party DDoS protection solutions

Google just released new security features, which should lessen the risk. Don't forget the importance of a solid disaster recovery plan. Regular snapshots and clear plans for what to do in an attack will lessen the impact to your business.

Dina Kaiser
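
The billing concern raised in this thread (bulk downloads of public objects showing up as outbound traffic) can be monitored from the bucket's usage logs. The following is an added example, not code from any of the posters: it assumes usage logging is enabled on the bucket and that rows follow the Cloud Storage usage-log CSV layout; the sample rows, the byte budget and the price per GB are constructed placeholders.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the Cloud Storage usage-log CSV layout (not real traffic).
# IPs come from documentation ranges; bucket and object names are placeholders.
SAMPLE_LOG = '''"time_micros","c_ip","c_ip_type","c_ip_region","cs_method","cs_uri","sc_status","cs_bytes","sc_bytes","time_taken_micros","cs_host","cs_referer","cs_user_agent","s_request_id","cs_operation","cs_bucket","cs_object"
"1424900000000000","198.51.100.7","1","","GET","/example-bucket/img/a.jpg","200","0","4000000","9000","storage.googleapis.com","","curl/7.40","r1","GET_Object","example-bucket","img/a.jpg"
"1424900001000000","198.51.100.7","1","","GET","/example-bucket/img/b.jpg","200","0","4000000","9100","storage.googleapis.com","","curl/7.40","r2","GET_Object","example-bucket","img/b.jpg"
"1424900002000000","198.51.100.7","1","","GET","/example-bucket/img/c.jpg","200","0","4000000","8900","storage.googleapis.com","","curl/7.40","r3","GET_Object","example-bucket","img/c.jpg"
"1424900003000000","203.0.113.20","1","","GET","/example-bucket/img/a.jpg","200","0","250000","700","storage.googleapis.com","","Mozilla/5.0","r4","GET_Object","example-bucket","img/a.jpg"
"1424900004000000","203.0.113.20","1","","GET","/example-bucket/img/a.jpg","304","0","0","300","storage.googleapis.com","","Mozilla/5.0","r5","GET_Object","example-bucket","img/a.jpg"
"1424900005000000","192.0.2.55","1","","PUT","/example-bucket/img/d.jpg","200","900000","0","1200","storage.googleapis.com","","uploader/1.0","r6","PUT_Object","example-bucket","img/d.jpg"
'''

def egress_by_client(log_text):
    """Sum response bytes (sc_bytes) and GET request count per client IP."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row.get("cs_method") != "GET":
            continue  # uploads do not contribute to download egress
        try:
            sent = int(row.get("sc_bytes") or "")
        except ValueError:
            continue  # skip truncated or malformed rows
        entry = totals[row.get("c_ip")]
        entry["bytes"] += sent
        entry["requests"] += 1
    return dict(totals)

def flag_heavy_clients(totals, byte_budget, price_per_gb):
    """Return (ip, bytes, requests, est_cost) for clients over byte_budget, largest first."""
    flagged = [
        (ip, t["bytes"], t["requests"], round(t["bytes"] / 1e9 * price_per_gb, 4))
        for ip, t in totals.items()
        if t["bytes"] > byte_budget
    ]
    return sorted(flagged, key=lambda f: f[1], reverse=True)

if __name__ == "__main__":
    # byte_budget and price_per_gb are placeholders; use your own rate and window.
    for hit in flag_heavy_clients(egress_by_client(SAMPLE_LOG), 10_000_000, 0.12):
        print(hit)
```

Run over each log window, the flagged list can feed a billing alert or a decision to move the objects behind a CDN or non-public access.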