Join Log in
Score:5
cr001 avatar Server

How does network pricing work exactly in cloud platforms? And how should I avoid dedicated pricing attacks?

tr flag
cr001

I am pretty new to cloud platform infrastructures. For the sake of discussion simplicity, let's say the only two platforms I am discussing are AWS and Google Cloud.

Now say I have an HTTP server that mainly handle HTTP response through an open API for an online game. Let's say the average response size is 10KB and there will be around a million responses being sent per day.

Based on my understanding the monthly price depends on the amount of data transferred in terms of GB. Now my problem is that if someone writes a script that keeps getting response from my server repeatedly the price will just grow to sky high.

I am sure any good server avoids this problem but I am not sure how exactly is this problem avoided. Based on my observation, many real life large online-game API servers do not optimize their response size when its just a few KBs. There must be some kind of "fixed monthly payment or payment based on the amount of data transferred per second" thing happening that does not depend on the amount of data transferred.

However I simply just couldn't find any reference on the platform websites for such options.

Any help would be appreciated.

947
0 + 0
gb flag
Navin
“payment based on the amount of data transferred per second” is called “95 percentile billing” and that’s how wholesale IP transit is sold. However, none of the big cloud providers have public pricing for it. Pricing is a major reason why people still rent cabinets at a colocation facility instead of using cloud services. Btw most cloud providers only charge for outbound data so the attacker can’t just send random packets. If you had a magic oracle that told you which incoming packets are bad, you could choose not to respond to them. Real implementations have loads of tradeoffs.
0
Reply
Score:7
Anubioz avatar Server
us flag
Anubioz

Cloud services provide awesome benefits for projects, which are specially built for using them. If we are talking about application/web hosting, then cloud pricing models suit businesses, which acquire their main income from users, who use said application/web-site.

Unless that is your main source of income (in which case you should easily convert between raw web traffic and profits), then cloud hosting might not suit you at all.

Keep in mind that if your application was not built for cloud infrastructure (like the said game server), you won't have any benefits over single-instance VPS/Dedicated hosting, unless you spent some amount of time doing devops work. The same devops work is needed to effectively prevent attack on your bandwidth you described.

Since that kind of attack has already got a name - you can find some more or less viable advises by searching for "Denial of Wallet"

0 + 0
cr001 avatar
tr flag
cr001
Thank you for the answer. If I assume the main source of income is indeed user, is it the case that such"Denial of Wallet" attack does not make my cost much higher than the income? If it is the case how much the income will need to be to make such an attack ineffective in terms of income ratio?
0
Reply
Anubioz avatar
us flag
Anubioz
Well, usually applications are made that way, that it would be pretty hard to just exhaust them by traffic alone. The easiest way to prevent such abuse would be rate limiting requests with something like nginx. And for those who really count every penny, there are companies, which claim to provide just those means to control every bit of traffic and its costs, while still using GCP. Not sure if its a good courtesy to point to an actual commercial products, but you shoud search for something like "Cloud Volumes ONTAP alternatives" to get an understanding what those companies offer
0
Reply
cr001 avatar
tr flag
cr001
"that you it would be pretty hard to just exhaust them by traffic alone" Can you elaborate a bit more on what "exhaust" mean? Does that mean financially? If true does that mean keep getting 10KB/s response from a single home network for a month will only have minimal effect on the server total price?
0
Reply
Anubioz avatar
us flag
Anubioz
10 kb/s would be 24 GB/month, which would in the worst case cost you around $6.25. And since cloud computing is by all means the opposite thing of something that can save you money, you should be absolutely prepared to easily pay that sum. In no way you can ever ever save money by using cloud computing (unless you're running some niche applications like f.e. irc bot (in which case it indeed may be near free to run on gcp). any other use case would definitely cost less with a single instance vps)
0
Reply
John Hanley avatar
cn flag
John Hanley
The cloud has actually made many things cheaper. In the **old** days (year 2000), a single T-1 was $1,500 per month. We could not imagine the speeds and pricing that we have today. The raw cost of cloud computing is one component of total costs. Often personnel cost an order more than the resources they manage. When deploying a system, a cost analysis is performed, a risk analysis is performed, etc. Since you are concerned about networking costs, hit the books and learn networking self-defense 101.
0
Reply
Score:3
avatar Server
mx flag
Austin Hemmelgarn

On the server side, the ways to avoid this are:

  • Require authentication for requests. IOW, make it such that you can track down who is making such attacks, and make such attacks a bannable offense. Then properly lock down your account creation so that it’s not easy to get new credentials after you get banned.
  • Implement rate limiting. Usually this is done in multiple stages, often rate-limiting per authenticated account (so any user has a rate limit), per API endpoint (so computationally expensive endpoints that don’t get called very often can’t be easily abused for DoS attacks), and possibly overall per IP. You should be doing this for other reasons (most notably protecting against smart DoS attacks and the possibility of timing-based attacks on the game logic).
  • Utilize good compression in the protocol. For your stated response size, Brotli is probably worth looking into (or possibly snappy or LZ4), it should be fast enough to meet your performance needs but still shave a few kB off of the response size, and at the point of dealing with millions of requests per month, that’s a nontrivial amount of data saved.

As far as mitigating it elsewhere, that’s not as easy to do. Full cloud providers like what you are talking about often provide some minimal ‘free tier’ to let developers easily experiment without costing an arm and a leg. I think for AWS it’s 5GB per month outbound (they don’t charge for inbound data at all) for example. That’s as close as you can get in such a full cloud setup to block usage as you are talking about, because most users will benefit from having exact usage prorated as opposed to buying in ‘chunks’.

If you really want a big chunk though, look into AWS Lightsail. There, you buy a package deal of a virtual node that includes some fixed number of CPUs, fixed amount of RAM and integrated storage, and a specified network usage cap. Network usage below that cap in a billing cycle costs nothing, while above is prorated just like in a full cloud setup. I do not know if GCP has an equivalent, but most VPS providers (such as Vultr, Linode, or Digital Ocean) work the same way for their primary offerings and I would actually suggest looking there instead if you go this route. The network caps on these are usually in the multi-terabyte range, and the norm is that only the direction that has higher usage gets tracked for accounting.

0 + 0
Score:3
John Hanley avatar Server
cn flag
John Hanley

Neither cloud vendor offers XX bandwidth at a fixed price. Pricing is consumption based.

You are responsible for controlling client access to your resources.

This means deploying authentication or throttling or other technologies but you choose how and with what products.

Cloud services are much like building a house. Home Depot does not give you unlimited nails and lumber. You purchase what you need to build your house. You then purchase fuel to heat your home.

I have been working in the cloud since day zero. Before that private data centers. Your concern is possible, but in the real world, it does not happen enough to stop most of us from deploying in the cloud. In order to consume your bandwidth, I need to consume my available network bandwidth. If a hacker wants to take you down, there are many more painful methods they can deploy that are a lot cheaper for them and that are more difficult to track who/where they are located.

0 + 0
cr001 avatar
tr flag
cr001
Thank you for the answer but I am still unclear. Based on my understanding home networks can be contracted via fixed bandwidth per month. So if the purpose of the attacker is to cause the server "total amount of data per month" to increase, he can send not so concentrated data but send consistently over a month. How is this avoidable? As for the authentication case, there are real-corporate high profile servers that I myself can even get the server response now for some API so I don't thin that's how they solve the issue.
1
Reply
Anubioz avatar
us flag
Anubioz
Absolute majority of customers don't need that kind of limits (since they use cloud exacly because it can provide MORE & FASTER download speeds for endusers). Those who some reason want to limit bandwidth instead of getting an unlimited traffic vps (which IS certainly a much better way for them to reach their goals), can easily do that with the means of iptables/tee/htb in their instance themselves
1
Reply
cr001 avatar
tr flag
cr001
Thank you. Does that mean even if a single "bad hacker" person keeps sending get response script (say get 10KB data per second) for a month via a home network, it won't affect much the total price for those majority of customers?
0
Reply
cr001 avatar
tr flag
cr001
One example of such script I found is https://github.com/thesadru/genshinstats for a large real life game called Genshin Impact. I am just wondering why there isn't any rival company personnel attacking this game via the method I mentioned. It must be ineffective whilest the API is totally publicly accessible (there are cookies needed but that's obtainable for anyone).
0
Reply
Anubioz avatar
us flag
Anubioz
It seems that you got a preconception, that cloud computing is a service, which only a couple of IT-giants provide, but actually if you care about traffic that much, but still want to have CDN, you can easily (and I mean in a day or two of work) get yourself a private kubernetes kluster running on VPS-es with unlimited traffic all around the world. All it takes is signing up for a cheapest unlimited traffic hosting in every country you want and then issuing a single ansible/terraform command to get it running. [More info](https://kubernetes.io/docs/setup/production-environment/tools/_print/)
2
Reply
cr001 avatar
tr flag
cr001
Sorry if I did not state clearly. I myself actually don't really care about traffic that much but am just curious about why the kind of attack I mentioned do not work for large company servers. The two premises assumed to be true and I believe are true are: (1) those companies have a lot of rivalries with other companies (2) their server APIs are publicly available to get HTTP responses.
0
Reply
Anubioz avatar
us flag
Anubioz
Nah, if you was a large company, you definitely would had been able to get a LIR status and your own AS-number along with some peers around the world, which would have made traffic essentially free for you. But since nowadays anyone can get their private kubernetes cloud running, anyone can nullify their traffic costs. There is no problem with not paying for the traffic. The reason why people pay for traffic is not because they got no other choice, but because GCP/AWS has really reliable and fast network (which in absolute majority of cases is faster that the one you can get for free)
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.