How to prevent DDoS attack on Google Cloud Storage

How can I protect my public images hosted on GCS from DDoS attacks?

Does Google provide any protection, or should I pay for the bandwidth used by that attack?


Your question is more about budget control than DDoS attacks. Rest assured that Google will protect GCS serving infrastructure from any real DDoS threat, so you do not need to take any additional steps here.

If your concern is that someone may start draining your budget on purpose by bulk downloading your content, you should not make it public in the first place.

You can take different approaches to serve non-public content from GCS to your end-users. Just to get you started, check this out:

  • GCS Access Control and GCS Signed URLs specifically
  • Restricting files from Google Cloud Storage to the users that have authenticated with my Google App Engine app?
  • Google Cloud Storage - Limit Access Token to Single Bucket
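
A short-lived signed URL, as suggested above, keeps the object private while letting a client fetch it for a limited time. The sketch below is an added example, not code from the answer or from Google: it follows the V4 signing process for an HMAC key using only the Python standard library. The access ID, secret, bucket and object names are constructed, and `auto` as the region in the credential scope is an assumption.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

HOST = "storage.googleapis.com"
MAX_EXPIRES = 604800  # V4 signed URLs are valid for at most 7 days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_url(access_id, secret, bucket, obj, expires_s, now, region="auto"):
    """Return a GET URL for bucket/obj that stops working after expires_s seconds."""
    if not 0 < expires_s <= MAX_EXPIRES:
        raise ValueError("expiry must be between 1 second and 7 days")
    stamp = now.strftime("%Y%m%dT%H%M%SZ")  # `now` must be a UTC datetime
    date = stamp[:8]
    scope = f"{date}/{region}/storage/goog4_request"
    path = "/" + quote(bucket, safe="") + "/" + quote(obj, safe="/~")
    params = {
        "X-Goog-Algorithm": "GOOG4-HMAC-SHA256",
        "X-Goog-Credential": f"{access_id}/{scope}",
        "X-Goog-Date": stamp,
        "X-Goog-Expires": str(expires_s),
        "X-Goog-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, keys and values percent-encoded.
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", path, query, f"host:{HOST}", "",
                           "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["GOOG4-HMAC-SHA256", stamp, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key from the HMAC secret and each scope component.
    key = ("GOOG4" + secret).encode()
    for part in (date, region, "storage", "goog4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{HOST}{path}?{query}&X-Goog-Signature={signature}"


if __name__ == "__main__":
    # Constructed credentials and names, for illustration only.
    print(sign_url("GOOGEXAMPLEACCESSID", "example-secret", "example-bucket",
                   "images/cat 1.png", 900, datetime.now(timezone.utc)))
```

Keeping the expiry short bounds how long a leaked link can be reused to pull bandwidth from the bucket.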

In DDoS attacks on Google Cloud Storage, attackers use multiple resources to mount large-scale attacks against their targets. Here are some steps to take to mitigate denial-of-service attacks on cloud storage:

• Try to isolate your internal traffic from external data

• You can enable DDoS protection by enabling proxy-based load balancing

• Secure the deployment using network firewall rules and Identity and Access Management

• Protect Google Cloud Storage with CDN offloading

• Deploy third-party DDoS protection solutions

Google just released new security features, which should lessen the risk. Don't forget the importance of a solid disaster recovery plan. Regular snapshots and clear plans for what to do in an attack will lessen the impact to your business.