Is it possible to avoid costs for invalid requests at AWS S3 or cloudfront during a DDoS attack?

There are many tutorials on the internet that promote cheap hosting of static websites via AWS S3 + AWS Cloudfront (+ Cloudflare).

Example of these would be:

  • Host a website using S3, CloudFront and CloudFlare
  • How to host a website on S3?


I was looking at the pricing structure of the AWS services, and in the case of S3 or Cloudfront I think it is impossible to limit the costs associated with invalid requests, as Amazon also bills the traffic and requests generated by invalid or blocked requests.

Even the usage of Amazon WAF, which can block specific IP address ranges, should not help you, as the requester should still receive an 'Access Denied' message or something similar.


Invalid requests would entail:

  1. requests for objects that are not present
  2. use case "serving private content"
    • missing parameters for signed URLs / signed cookies
    • wrong IAM / incognito credentials

Pricing (S3 in North-Virginia / Cloudfront USA; 2018-03-25)

---------------------------------------------------------------------------------------
- service      -   # requests type                         -           pricing        -
---------------------------------------------------------------------------------------
- S3           -   1000 PUT/COPY/POST requests             -         0.0050 USD       -
---------------------------------------------------------------------------------------
- S3           -   1000 GET and other requests             -         0.0004 USD       -
---------------------------------------------------------------------------------------
- Cloudfront   -   10000 HTTP                              -         0.0075 USD       -
---------------------------------------------------------------------------------------
- Cloudfront   -   10000 HTTPS                             -         0.0100 USD       -
---------------------------------------------------------------------------------------


Costs of a DDoS attack with invalid requests

-------------------------------------------------------------------------------------------------------------
- requests per second      -   service              - type    -  costs per day     -  costs per month       -
-------------------------------------------------------------------------------------------------------------
- 200                      -   S3 (North-Virginia)  - POST    -    86.400 USD      -      2592.00 USD       -
-------------------------------------------------------------------------------------------------------------
- 500                      -   S3 (North-Virginia)  - POST    -   216.000 USD      -      6480.00 USD       -
-------------------------------------------------------------------------------------------------------------
- 1000                     -   S3 (North-Virginia)  - POST    -   432.000 USD      -     12960.00 USD       -
-------------------------------------------------------------------------------------------------------------
- 200                      -   S3 (North-Virginia)  - GET     -     6.912 USD      -       207.36 USD       -
-------------------------------------------------------------------------------------------------------------
- 500                      -   S3 (North-Virginia)  - GET     -    17.280 USD      -       518.40 USD       -
-------------------------------------------------------------------------------------------------------------
- 1000                     -   S3 (North-Virginia)  - GET     -    34.560 USD      -      1036.80 USD       -
-------------------------------------------------------------------------------------------------------------
- 200                      -   Cloudfront (USA)     - HTTPS   -    17.000 USD      -       518.40 USD       -
-------------------------------------------------------------------------------------------------------------
- 500                      -   Cloudfront (USA)     - HTTPS   -   216.000 USD      -      1296.00 USD       -
-------------------------------------------------------------------------------------------------------------
- 1000                     -   Cloudfront (USA)     - HTTPS   -   432.000 USD      -      2592.00 USD       -
-------------------------------------------------------------------------------------------------------------
- 10000                    -   Cloudfront (USA)     - HTTPS   -   864.000 USD      -     25920.00 USD       -
-------------------------------------------------------------------------------------------------------------
- 200                      -   Cloudfront (USA)     - HTTP    -    12.960 USD      -       388.80 USD       -
-------------------------------------------------------------------------------------------------------------
- 500                      -   Cloudfront (USA)     - HTTP    -    32.400 USD      -       972.00 USD       -
-------------------------------------------------------------------------------------------------------------
- 1000                     -   Cloudfront (USA)     - HTTP    -    64.800 USD      -      1944.00 USD       -
-------------------------------------------------------------------------------------------------------------
- 10000                    -   Cloudfront (USA)     - HTTP    -   648.000 USD      -     19440.00 USD       -
-------------------------------------------------------------------------------------------------------------


Possible solution: use a CDN?

The solution proposed by some tutorials for this problem is to use the free Cloudflare CDN service, which can handle all these requests by serving a cached result from AWS S3 or AWS Cloudfront.

The only problem that still persists with this solution is that one can still generate as many invalid requests as (s)he pleases.

Examples:
www.flare-example.com/iza7648hklto
www.flare-example.com/dsatnygp4851021
...

In that case the attacker can still reach the origin with as many invalid requests as (s)he likes, as Cloudflare will have a cache miss each and every time.


Now at last to my question:

Can you only escape from these costs during a DDoS attack by deleting your cloudfront distribution or S3 bucket as fast as possible?

Or did I make a mistake on the pricing structure of AWS?
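Added example (not from the original question or from AWS): a small cost model that reproduces the per-day and per-month figures from the 2018-03-25 prices quoted above and extends them to the Cloudflare-in-front setup, where each request that misses the Cloudflare cache is billed by CloudFront and, if it also misses CloudFront, again by S3 as a GET. The 30-day month, the miss ratios and the budget figures are assumptions; the function names are my own.

```python
"""Request-charge exposure of S3 + CloudFront (+ Cloudflare) under a flood of
invalid requests. Prices are the ones quoted in the question (2018-03-25)."""

# (USD, number of requests that price covers) -- taken from the pricing table above.
PRICES = {
    "s3_post": (0.0050, 1_000),
    "s3_get": (0.0004, 1_000),
    "cloudfront_http": (0.0075, 10_000),
    "cloudfront_https": (0.0100, 10_000),
}

SECONDS_PER_DAY = 86_400
DAYS_PER_MONTH = 30  # assumption; matches the question's monthly figures (86.40 * 30 = 2592.00)


def request_cost(requests: float, price_key: str) -> float:
    """USD charged for a given number of requests of one billed type."""
    usd, per = PRICES[price_key]
    return requests * usd / per


def daily_cost(rps: float, price_key: str) -> float:
    """USD per day when `rps` requests/second of that type are billed."""
    return request_cost(rps * SECONDS_PER_DAY, price_key)


def monthly_cost(rps: float, price_key: str) -> float:
    return daily_cost(rps, price_key) * DAYS_PER_MONTH


def stack_daily_cost(rps: float, scheme: str = "https",
                     cloudflare_miss_ratio: float = 1.0,
                     cloudfront_miss_ratio: float = 1.0) -> dict:
    """Daily USD for the full stack. Requests that miss Cloudflare reach
    CloudFront (billed per request); those that also miss CloudFront reach the
    S3 origin, which bills the GET even for a 404 or Access Denied. Requests
    for objects that do not exist miss both caches, i.e. both ratios are 1.0."""
    reaching_cloudfront = rps * cloudflare_miss_ratio
    reaching_s3 = reaching_cloudfront * cloudfront_miss_ratio
    cf = daily_cost(reaching_cloudfront, f"cloudfront_{scheme}")
    s3 = daily_cost(reaching_s3, "s3_get")
    return {"cloudfront": round(cf, 2), "s3": round(s3, 2), "total": round(cf + s3, 2)}


def seconds_until_budget(rps: float, budget_usd: float, **stack_kwargs) -> float:
    """How long an attack at `rps` takes to consume `budget_usd`; useful for
    judging whether a billing alarm threshold can fire early enough."""
    per_day = stack_daily_cost(rps, **stack_kwargs)["total"]
    if per_day == 0:
        return float("inf")
    return budget_usd / per_day * SECONDS_PER_DAY
```

With every request missing both caches, 1000 invalid HTTPS requests per second cost about 120.96 USD per day (86.40 CloudFront + 34.56 S3), so a 10 USD budget is gone in roughly two hours.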


Very interesting analysis. Guess the only way is to have strict monitoring on traffic and also cost. In addition, maybe have a look at AWS Shield Advanced. Even though there is an additional cost per month, they will absorb scaling charges due to DDoS.

With AWS Shield Advanced, you get "DDoS cost protection", a feature that protects your AWS bill from EC2, Elastic Load Balancing (ELB), Amazon CloudFront and Amazon Route 53 usage spikes as a result of a DDoS attack.

https://aws.amazon.com/shield/