I am learning web development and I am using Firebase as my backend. I am planning on preventing bots from brute-force attacks that would rack up my Firestore bill by:
- Only allowing logged in users to write to the database with security rules.
- Using Firestore & security rules to only allow a certain amount of writes per second per user. If the user goes over this amount they will be banned for a certain time period.
Will these 2 security measures stop most bot attacks?
Also, I was looking at the pricing for hosting and I saw it costs $0.15 per 1 GB of data transferred.
My entire web application is only about 5 MB of data, but that means if my web application is loaded 1,000 times then it would cost me 5 MB * 1,000 = 5 GB * $0.15 = $0.75, which I can handle. But let's say someone got a bot to reload the page 1,000,000 times; then it would cost me 5 MB * 1,000,000 = 5,000 GB * $0.15 = $750. Obviously $750 is a lot of money and I can't handle that.
How do I prevent bots from re-loading my page multiple times and racking up my hosting bill? I can't use the listed strategy above because I want users who don't have an account to still be able to view my website.
CodePudding user response:
First, a few clarifiers…
The cost of Firebase hosting is $0.15 per GB after you have exceeded the free usage of 10 GB/month.
Your entire application may be 5MB but that is likely not the amount of data transmitted unless you missed a build step. In a React app, resources are loaded only as needed. Responses are then even further compressed by Firebase to save bandwidth.
Assets are generally cached and not reloaded on subsequent page views. It’s a bit more nuanced with bots but this helps keep data transfer rates down overall.
Now to your question…
Mitigating repeat page visits the way you describe is handled mostly through rate limiting. This limits the number of requests to your site in a given period.
Implementing Google Analytics can also help in detecting bot traffic by reporting unusual bursts of activity.
You could also use a CAPTCHA to reduce bot attempts to log in or submit other form data.
Two-factor auth is another good tool in preventing brute force attacks.
Finally, I would suggest creating budget alerts for your project. This is easy to do and highly customizable. You can even set it for $1 if you wish. It will not stop your project automatically, only send you an email. But if handled quickly, it will save you from getting an even bigger bill.
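The per-user write policy the question describes (only authenticated users may write, a cap on writes per second, and a temporary ban once the cap is exceeded) and the rate limiting the answer recommends are the same mechanism, so here is one worked model of it. This is an added example, not code from the question, the answer or Firebase itself. It is plain JavaScript that runs offline; in a real deployment the same logic would sit in a trusted server path (for instance a Cloud Function) in front of Firestore, because a client-side limiter can simply be bypassed. The limit, window and ban durations are assumptions chosen for illustration, and the `userId` values are constructed.

```javascript
// Added example (not from the original post or answer): a sliding-window
// per-user write limiter with a temporary ban. Parameter values are assumptions.
class WriteRateLimiter {
  constructor({ maxWritesPerWindow = 5, windowMs = 1000, banMs = 60_000 } = {}) {
    this.maxWritesPerWindow = maxWritesPerWindow; // writes allowed per window
    this.windowMs = windowMs;                     // window length in ms
    this.banMs = banMs;                           // ban length once the cap is hit
    this.state = new Map();                       // userId -> { times: number[], bannedUntil: number }
  }

  // Decide whether one write from `userId` at time `now` (ms) may proceed.
  // Returns { allowed, reason, retryAfterMs? }.
  check(userId, now = Date.now()) {
    // Unauthenticated callers are refused outright (the "logged-in users only" rule).
    if (!userId) return { allowed: false, reason: 'unauthenticated' };

    let s = this.state.get(userId);
    if (!s) {
      s = { times: [], bannedUntil: 0 };
      this.state.set(userId, s);
    }

    // Still inside a ban: refuse and say how long to wait.
    if (now < s.bannedUntil) {
      return { allowed: false, reason: 'banned', retryAfterMs: s.bannedUntil - now };
    }

    // Keep only the timestamps that fall inside the sliding window.
    s.times = s.times.filter((t) => now - t < this.windowMs);

    // Cap exceeded: start the ban and clear the window.
    if (s.times.length >= this.maxWritesPerWindow) {
      s.bannedUntil = now + this.banMs;
      s.times = [];
      return { allowed: false, reason: 'rate_limited', retryAfterMs: this.banMs };
    }

    s.times.push(now);
    return { allowed: true, reason: 'ok' };
  }
}

// Replay a burst of `count` writes from one user, `spacingMs` apart, starting
// at `startMs`, and tally the outcomes. Used to see what a bot burst looks like.
function simulateBurst(limiter, userId, count, startMs, spacingMs) {
  const tally = { ok: 0, rate_limited: 0, banned: 0, unauthenticated: 0 };
  for (let i = 0; i < count; i++) {
    const r = limiter.check(userId, startMs + i * spacingMs);
    tally[r.reason] += 1;
  }
  return tally;
}

// Stand-alone demonstration with constructed input: 3 writes/second, 5 s ban.
const demo = new WriteRateLimiter({ maxWritesPerWindow: 3, windowMs: 1000, banMs: 5000 });
console.log('burst from bot-like user:', simulateBurst(demo, 'user-constructed-1', 10, 0, 10));
console.log('same user after the ban expires:', demo.check('user-constructed-1', 6000));
console.log('anonymous write attempt:', demo.check(null, 6000));
```

The limiter keys on the authenticated user id, so an attacker cannot reset the counter by opening a new browser session, and `retryAfterMs` can be surfaced to legitimate clients so they back off instead of retrying. Note that this only protects writes by signed-in users; it does nothing for anonymous page loads against Hosting, which is why the answer points to Hosting's own caching and compression, traffic monitoring, CAPTCHA on forms and budget alerts for that part of the problem.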