user482594

Reputation: 17486

Does Firestore have an internal mechanism to protect an app from excessive $ charges from DDOS requests?

I was wondering if Firestore has an internal mechanism to block requests similar to DDOS to prevent a surprise surge in costs, or has a feature for owners to put limits on max requests/charges.

For instance, assume that there is a collection in Firestore which is accessible as long as a user is logged in to my application.

If an attacker creates around 100 user accounts, and writes a script which gradually and continuously accesses one entry from the collection at around 10~50 TPS each from different computers (e.g. 100 random compute instances, 1 for each user), the total number of read accesses per day can go over 216 million requests.

(100 users * 25 avg TPS * 86400sec/day) = 216 million.

This translates to around $129/day, with the current pricing unit of $0.06/100k requests.

If the attacker uses a list request and accesses 10 items at once instead of just a single item, the charge can go up to $1290/day. If one of the collections allows users to query up to 100 records at once, this can become $12900/day.

I might be too paranoid about this, but I want to avoid facing a $10k surprise bill that accumulated overnight and learning about it in the morning when I wake up. I know that the chance of this attack happening is low, but it still seems possible for any attacker to execute it if wanted.

Because of this risk, I wouldn't ever want to expose my Firestore collection directly to client SDKs (e.g. set all read/write security rules to false), and would rather want to use custom-made endpoints & the Firebase Admin SDK to control rate limits... but this just loses all the advantages of the available client SDKs for reduced latency and ease of development.

Does Firestore have some form of mechanism to prevent this kind of issue from happening? Or does it allow rate-limiting requests similar to the max read/write capacity limits in AWS DynamoDB?

Upvotes: 18

Views: 2431
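The mitigation the question sketches (keep client SDK rules closed, route reads through your own endpoint that uses the Admin SDK, and rate-limit per authenticated user there) can be modelled without any Firebase dependency. The following is an added example, not code from the question or from Firebase: a per-user token-bucket limiter a custom endpoint would consult before calling Firestore, plus the worst-case arithmetic from the question so the effect of a cap can be compared. The Firestore read itself is an injected async function (`fetchDoc`) standing in for an Admin SDK call; the clock is injectable so the behaviour is deterministic.

```javascript
// Added example (not part of the original question or answer).
// Models a per-user rate limit applied in a custom endpoint in front of the
// Firebase Admin SDK, as the question proposes. No Firebase code is used;
// `fetchDoc` below is an assumed stand-in for the real Firestore read.

// Worst-case reads/day for N accounts each sustaining `avgTps` requests,
// where each request returns `itemsPerRequest` billable documents.
function worstCaseDailyReads(accounts, avgTps, itemsPerRequest = 1) {
  return accounts * avgTps * 86400 * itemsPerRequest;
}

// Cost at the question's quoted price of $0.06 per 100k document reads.
function dailyCost(reads, pricePer100k = 0.06) {
  return (reads / 100000) * pricePer100k;
}

// Classic token bucket: `capacity` burst, refilled at `refillPerSec`.
class TokenBucket {
  constructor(capacity, refillPerSec, nowSec) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.tokens = capacity;
    this.last = nowSec;
  }
  take(n, nowSec) {
    const elapsed = Math.max(0, nowSec - this.last);
    this.tokens = Math.min(this.capacity, this.tokens + elapsed * this.refillPerSec);
    this.last = nowSec;
    if (this.tokens < n) return false;
    this.tokens -= n;
    return true;
  }
}

// One bucket per authenticated uid. `now` returns seconds; injectable for tests.
function createUserRateLimiter({ capacity = 10, refillPerSec = 2, now = () => Date.now() / 1000 } = {}) {
  const buckets = new Map();
  return {
    // Returns true if the request may proceed, false if it should get HTTP 429.
    allow(uid, cost = 1) {
      let bucket = buckets.get(uid);
      if (!bucket) {
        bucket = new TokenBucket(capacity, refillPerSec, now());
        buckets.set(uid, bucket);
      }
      return bucket.take(cost, now());
    },
    // Upper bound on reads/day this limiter lets `accounts` users generate
    // (sustained rate only; the initial burst is negligible over a day).
    boundedDailyReads(accounts) {
      return accounts * refillPerSec * 86400;
    },
  };
}

// Endpoint handler shape: verify identity upstream, then gate the Firestore
// read on the limiter. `fetchDoc(path)` is an assumed Admin SDK wrapper.
function createGuardedReader(fetchDoc, limiter) {
  return async function readForUser(uid, docPath, itemsRequested = 1) {
    if (!limiter.allow(uid, itemsRequested)) {
      return { status: 429, error: 'rate limit exceeded' };
    }
    return { status: 200, data: await fetchDoc(docPath) };
  };
}

module.exports = { worstCaseDailyReads, dailyCost, TokenBucket, createUserRateLimiter, createGuardedReader };
```

Charging `itemsRequested` tokens per call is what keeps a list endpoint that returns 10 or 100 documents from multiplying the bound the way the question describes; with 100 accounts capped at 2 reads/s each, `boundedDailyReads(100)` is 17.28M reads, roughly $10/day at the quoted price, versus the 216M reads and $129/day of the uncapped scenario.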

Answers (1)

Doug Stevenson

Reputation: 317740

Cloud Firestore, as a standalone product, doesn't have any rate limiting by default. Google Cloud Platform, as a whole, has configurable billing alerts that apply to your entire project. (All Firebase projects are also Google Cloud Platform projects.)

If you have a surprise bill that can't be explained, contact Firebase support for help resolving that.

Upvotes: 3
