I developed an open source library and hosted its assets on Amazon S3 (CSS, JS). These files were used in a demo via URLs like: http://my_bucket_name.s3.amazonaws.com/some-file.js (my bad, I know). Without my permission, some websites started hot-linking these files.

It was fine for a while, but recently a few large NSFW sites hot-linked it and I get tens of millions of GET requests in a month. So I deleted/moved these files, but I still get a lot of GET requests that return 403 errors, and Amazon bills them as valid requests (see Charge Details section).

  • I tried contacting sites that hotlinked my library, but never got any reply.
  • I'm worried that if I delete the bucket "my_bucket_name", someone else might create it with the same name and hotlink malicious JS files.

What should I do to avoid getting billed for error requests that I don't make?

M. Glatki
Marvin3
  • Why did you enable requester pay? Maybe you could turn that bucket private using a bucket policy. / A piece of advice: always use a proxy in front of S3 so you can manage your requesters and block bad ones. – pmoksuz Oct 09 '16 at 07:24
  • Are you sure that modifying the bucket policy would make any difference? All files in the bucket are already private or deleted and no one can access them. Yea, I know that I should've used a proxy in front of S3, but I didn't... Thank you for the reply. – Marvin3 Oct 09 '16 at 07:43
  • Just nuke the whole bucket. That'll put a stop to it. – Michael Hampton Oct 09 '16 at 07:50
  • @MichaelHampton, as I originally posted - if I delete the bucket, someone else might create it with the same name and hotlink malicious JS files, I don't want that. – Marvin3 Oct 09 '16 at 07:55
  • Once you delete the bucket it's not your problem any more. S3 will send 404 responses and people will stop using it, the problem will go away. – Tim Oct 09 '16 at 08:03
  • And you aren't responsible for maintaining other people's web sites. – Michael Hampton Oct 09 '16 at 08:40
  • Yea, it seems it's not working. Maybe you should delete the bucket and announce it to the requesters. https://forums.aws.amazon.com/thread.jspa?messageID=58436 – pmoksuz Oct 09 '16 at 09:22

1 Answer

You can either:

  • Delete the bucket
  • or disable static website access to the bucket and keep the bucket. Then use a new bucket.

You might want to add a policy to this bucket to restrict the access to the bucket, e.g. Restricting Access to a Specific HTTP Referrer

M. Glatki
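
A referrer-restricted bucket policy of the kind the answer points to, added here as an illustration and not part of the original answer. It uses the question's `my_bucket_name` placeholder, and `demo.example.org` is an assumed stand-in for the one site that should be allowed to load the files.

```json
{
  "Version": "2012-10-17",
  "Id": "HttpRefererRestriction",
  "Statement": [
    {
      "Sid": "AllowGetFromOwnDemoSite",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket_name/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://demo.example.org/*",
            "http://demo.example.org/*"
          ]
        }
      }
    }
  ]
}
```

Objects stay private unless a policy or ACL grants access, so with this as the only grant a GET carrying any other `Referer` value is answered with 403. The `Referer` header is chosen by the client and can be forged, so this keeps casual hot-linking out but is not authentication.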