Is it possible to avoid costs for invalid requests at AWS S3 or cloudfront during a DDoS attack?

There are many tutorials on the internet that promote cheap hosting of static websites via AWS S3 + AWS Cloudfront (+ Cloudflare).

Examples of these would be:


I was looking at the pricing structure of the AWS services, and in the case of S3 or Cloudfront I think it is impossible to limit the costs associated with invalid requests, as Amazon also bills the traffic and requests generated by invalid or blocked requests.

Even the usage of Amazon WAF, which can block specific IP address ranges, should not help you, as the requester will still receive an 'Access Denied' message or something similar.


Invalid requests would entail:

  1. requests for objects that are not present
  2. use case "serving private content"
    • missing parameters for signed URLs / signed cookies
    • wrong IAM / incognito credentials

Pricing (S3 in North-Virginia / Cloudfront USA; 2018-03-25)

--------------------------------------------------------------------
- service      - request type                   - pricing          -
--------------------------------------------------------------------
- S3           - 1000 PUT/COPY/POST requests    - 0.0050 USD       -
- S3           - 1000 GET and other requests    - 0.0004 USD       -
- Cloudfront   - 10000 HTTP                     - 0.0075 USD       -
- Cloudfront   - 10000 HTTPS                    - 0.0100 USD       -
--------------------------------------------------------------------


Costs of a DDoS attack with invalid requests

---------------------------------------------------------------------------------------------
- requests per second - service               - type   - costs per day  - costs per month   -
---------------------------------------------------------------------------------------------
- 200                 - S3 (North-Virginia)   - POST   -    86.400 USD  -      2592.00 USD  -
- 500                 - S3 (North-Virginia)   - POST   -   216.000 USD  -      6480.00 USD  -
- 1000                - S3 (North-Virginia)   - POST   -   432.000 USD  -     12960.00 USD  -
- 200                 - S3 (North-Virginia)   - GET    -     6.912 USD  -       207.36 USD  -
- 500                 - S3 (North-Virginia)   - GET    -    17.280 USD  -       518.40 USD  -
- 1000                - S3 (North-Virginia)   - GET    -    34.560 USD  -      1036.80 USD  -
- 200                 - Cloudfront (USA)      - HTTPS  -    17.000 USD  -       518.40 USD  -
- 500                 - Cloudfront (USA)      - HTTPS  -   216.000 USD  -      1296.00 USD  -
- 1000                - Cloudfront (USA)      - HTTPS  -   432.000 USD  -      2592.00 USD  -
- 10000               - Cloudfront (USA)      - HTTPS  -   864.000 USD  -     25920.00 USD  -
- 200                 - Cloudfront (USA)      - HTTP   -    12.960 USD  -       388.80 USD  -
- 500                 - Cloudfront (USA)      - HTTP   -    32.400 USD  -       972.00 USD  -
- 1000                - Cloudfront (USA)      - HTTP   -    64.800 USD  -      1944.00 USD  -
- 10000               - Cloudfront (USA)      - HTTP   -   648.000 USD  -     19440.00 USD  -
---------------------------------------------------------------------------------------------


Possible solution: use a CDN?

The proposed solution for this problem in some tutorials is to use the free Cloudflare CDN service, which can handle all these requests by serving a cached result from AWS S3 or AWS Cloudfront.

The only problem that still persists with this solution is that one can still generate as many invalid requests as (s)he pleases.

Examples:
www.flare-example.com/iza7648hklto
www.flare-example.com/dsatnygp4851021
...

In that case the attacker can still reach the origin with as many invalid requests as (s)he likes, as Cloudflare will have a cache miss each and every time.


Now, at last, to my question:

Can you only escape from these costs during a DDoS attack by deleting your cloudfront distribution or S3 bucket as fast as possible?

Or did I make a mistake on the pricing structure of AWS?

6
asked 25 March 2018 at 19:21
1 answer
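As an added example (not part of the original question or answer), the following Python recomputes the per-day and per-month request-cost model from the list prices quoted above, and adds a helper that turns a sustained request rate into the time until a given spending limit is reached, which is the number a billing alarm threshold has to be tuned against. The prices, the 86400-second day and the 30-day month are the question's own assumptions, not current AWS pricing.

```python
# Added example: request-cost model behind the tables above.
# Prices are the 2018-03-25 list prices quoted in the question (assumed,
# not current AWS pricing); every request, valid or not, is billed alike.
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
DAYS_PER_MONTH = 30          # the question's monthly column is daily cost x 30


@dataclass(frozen=True)
class RequestPrice:
    service: str
    request_type: str
    usd: float                # price of one billing block
    per_requests: int         # block size: 1000 for S3, 10000 for CloudFront


PRICES = {
    ("S3", "POST"): RequestPrice("S3", "POST", 0.0050, 1_000),
    ("S3", "GET"): RequestPrice("S3", "GET", 0.0004, 1_000),
    ("CloudFront", "HTTP"): RequestPrice("CloudFront", "HTTP", 0.0075, 10_000),
    ("CloudFront", "HTTPS"): RequestPrice("CloudFront", "HTTPS", 0.0100, 10_000),
}


def daily_cost(rps: float, price: RequestPrice) -> float:
    """USD billed for one day of a sustained `rps` requests/second."""
    requests = rps * SECONDS_PER_DAY
    return round(requests / price.per_requests * price.usd, 4)


def monthly_cost(rps: float, price: RequestPrice) -> float:
    """USD for a 30-day month at the same sustained rate."""
    return round(daily_cost(rps, price) * DAYS_PER_MONTH, 2)


def hours_until_budget(rps: float, price: RequestPrice, budget_usd: float) -> float:
    """Hours a flood at `rps` can run before the bill reaches `budget_usd`.

    This is the reaction window a billing alarm (and whoever responds to
    it) has; a 1000 req/s POST flood reaches 100 USD in about 5.6 hours."""
    usd_per_second = daily_cost(rps, price) / SECONDS_PER_DAY
    return budget_usd / usd_per_second / 3600


def cost_table(rates=(200, 500, 1000, 10000)):
    """(rps, service, type, USD/day, USD/month) for every price and rate."""
    return [
        (rps, p.service, p.request_type, daily_cost(rps, p), monthly_cost(rps, p))
        for p in PRICES.values()
        for rps in rates
    ]
```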

Very interesting analysis. The only way I can suggest is to strictly control traffic, and cost as well. Apart from that, you could take a look at AWS Shield Advanced. Although there is an additional monthly cost, they bear the costs of scaling due to DDoS.

AWS Shield Advanced provides "DDoS cost protection", a feature that protects your AWS bill against Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront and Amazon Route 53 usage spikes as a result of a DDoS attack.

https://aws.amazon.com/shield/

3
answered 3 December 2019 at 00:37