I was wondering if Firestore has an internal mechanism to block requests similar to DDoS to prevent a surprise surge in costs, or has a feature for owners to put limits on max requests/charges.
For instance, assume that there is a collection in Firestore which is accessible as long as a user is logged in to my application.
If an attacker creates around 100 user accounts, and writes a script which gradually and continuously accesses one entry from the collection with around 10~50tps each from different computers (e.g. 100 random compute instances, 1 for each user), the total number of read accesses per day can go over 216 million requests.
(100 users * 25 avg TPS * 86400sec/day) = 216 million.
This translates to around $129/day, with the current pricing unit of $0.06/100k requests.
If an attacker uses a list request and accesses 10 items at once instead of just a single item, the charge can go up to $1290/day. If one of the collections allows users to query up to 100 records at once, this can become $12900/day.
I might be too paranoid about this, but I want to avoid facing a $10k surprise bill which accumulated overnight and learning about it in the morning when I wake up. I know that the chance of this attack happening is low, but it still seems possible for any attacker to execute it if wanted.
Because of this risk, I wouldn't ever want to expose my Firestore collection directly to client SDKs (e.g. set all read/write security rules to false), and would rather want to use custom-made endpoints & the Firebase Admin SDK to control rate limits... but this just loses all the advantages of the available client SDKs for reduced latency and ease of development.
Does Firestore have some form of mechanism to prevent this kind of issue from happening? Or does it allow rate-limiting requests similar to the max read/write capacity limits in AWS DynamoDB?
Security & Protection
While Firebase does have a CDN, it doesn't offer you distributed denial of service (DDoS) attack prevention, a web application firewall (WAF), or rate-limiting. All of these are incredibly important to prevent malicious actors from breaking your system or stealing your data.
As a default Firebase database has no security, it's the development team's responsibility to correctly secure the database prior to it storing real data. In Google Firebase, this is done by requiring authentication and implementing rule-based authorization for each database table.
Cloud Firestore, as a standalone product, doesn't have any rate limiting by default. Google Cloud Platform, as a whole, has configurable billing alerts that apply to your entire project. (All Firebase projects are also Google Cloud Platform projects.)
If you have a surprise bill that can't be explained, contact Firebase support for help resolving that.
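For the custom-endpoint approach the question mentions, the following is an added example, not code from any of the posts above or from Firebase. It sketches a per-user token bucket combined with a project-wide daily read budget that an endpoint could consult before reading through the Admin SDK. The names `ReadBudget` and `simulate` are hypothetical, the state is in-memory for a single process, and the price is the $0.06/100k figure from the question.

```javascript
// Added example: per-user token bucket plus a project-wide daily read budget.
// Price is the figure quoted in the question: $0.06 per 100k document reads.
const PRICE_PER_READ = 0.06 / 100000;

class ReadBudget {
  constructor({ ratePerSec, burst, dailyBudgetUsd }) {
    this.ratePerSec = ratePerSec; // document reads refilled per second, per user
    this.burst = burst;           // bucket capacity per user
    this.dailyReadCap = Math.floor(dailyBudgetUsd / PRICE_PER_READ);
    this.buckets = new Map();     // uid -> { tokens, last }
    this.day = null;
    this.readsToday = 0;
  }

  // docs = documents the request would read (a list of 10 items costs 10).
  allow(uid, docs, nowMs) {
    const day = Math.floor(nowMs / 86400000);
    if (day !== this.day) { this.day = day; this.readsToday = 0; }
    if (this.readsToday + docs > this.dailyReadCap) {
      return { ok: false, reason: "daily-budget" };
    }
    const b = this.buckets.get(uid) || { tokens: this.burst, last: nowMs };
    const refill = ((nowMs - b.last) / 1000) * this.ratePerSec;
    b.tokens = Math.min(this.burst, b.tokens + refill);
    b.last = nowMs;
    this.buckets.set(uid, b);
    if (docs > b.tokens) return { ok: false, reason: "user-rate" };
    b.tokens -= docs;
    this.readsToday += docs;
    return { ok: true };
  }
}

// Replays the question's scenario on constructed traffic:
// 100 accounts, 25 requests per second each, for `seconds` seconds.
function simulate(limiter, seconds, docsPerRequest) {
  let served = 0;
  for (let t = 0; t < seconds; t++) {
    for (let r = 0; r < 25; r++) {
      for (let u = 0; u < 100; u++) {
        const verdict = limiter.allow("user" + u, docsPerRequest, t * 1000 + r * 40);
        if (verdict.ok) served += docsPerRequest;
      }
    }
  }
  return { served, costUsd: served * PRICE_PER_READ };
}
```

Because requests are charged by document count, a list query larger than `burst` is always refused, and the daily cap bounds the worst-case spend regardless of how many accounts take part.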