
I have been checking online and saw that Firebase has DDoS protection, but I wonder: what if someone basically spammed my app? Here is the idea. Let's say that I serve images of total size 5 MB once and cache the images locally on the device. The rival company hired 100 people to download these images through several phones and deleted the cache to redownload them 1000 times an hour for 8 hours a day for 5 days. That would pretty much make sure that I owe a lot of money to Firebase and would put me in debt for long enough to lose my business and go bankrupt. Is there a default protection in Firebase for this? I have checked but I couldn't find anything solid. I'm very afraid of being attacked like this and ending up in trouble. Any help would be greatly appreciated! Thank you.

P.S. I have security rules checked and ready, and my Firebase app only accepts requests from my SHA-1-signed Android app. These images are served to every single user that uses my app since they are signed in as an anonymous user.

cs guy
  • Check out https://stackoverflow.com/questions/24830079/firebase-rate-limiting-in-security-rules. You can try to adapt it to work via IPs. – KTibow Sep 25 '20 at 00:25
  • I decided to go with a server on DigitalOcean + Strapi. – cs guy Sep 26 '20 at 20:37

1 Answer

what if someone basically spammed my app?

Then you would be charged for that usage.

Is there a default protection in firebase for this?

No.

What you're describing is a risk that you take when you deploy any publicly accessible service on the internet. Either your custom hardware is overwhelmed and your app shuts down, or you pay your cloud hosting provider for the resources it uses as it expands to handle the load (as it should).

You can register to get budget alerts when billing crosses some threshold if you want to shut things down yourself. You'll have to figure out for yourself whether or not it's worthwhile to shut it down.

Doug Stevenson
  • I really appreciate Firebase and the team, but more security is what Firebase needs imo. It is so easy to trick Firebase into billing people more. I don't know if this is intended lol but this kind of ruins the whole point of using Firebase. If someone can just spam me and bill me $10k, why would I take the risk of using Firebase? – cs guy Sep 25 '20 at 10:11
  • You are free to choose whatever cloud provider and tools that meet your specific needs. If Firebase is not that, then I suggest looking elsewhere. – Doug Stevenson Sep 25 '20 at 16:14
  • Yes, that is true, but learning it when you are half finished with your project isn't very cool, as Firebase forces their SDK on your client-side code. This is a topic that you would need to dig in to find. It isn't mentioned anywhere unless you look for it. I'm not blaming anyone, but for me it's very shady that Google provides bare minimum spam support and they use "pay as you go" and you need to bind their SDK inside your app, which partly moves server-side logic to the client side. – cs guy Sep 25 '20 at 17:34
  • I understand. There's really nothing Stack Overflow can do for you on this point. If you have feedback about Firebase, send that to Firebase support. https://support.google.com/firebase/contact/support – Doug Stevenson Sep 25 '20 at 17:49
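
The budget-alert approach from the answer above, sketched as an added example (not code from the thread or from Firebase): a handler for the JSON that Cloud Billing budgets publish to Pub/Sub, deciding when to trip a kill switch. The `policy`, `actions` and `state` names and the sample message are assumptions made for illustration.

```javascript
// Added example. Message fields follow the Cloud Billing budget notification
// JSON; policy, actions and state are hypothetical names.

// Pub/Sub delivers the notification as base64-encoded JSON in `data`.
function decodeBudgetMessage(pubsubMessage) {
  const text = Buffer.from(pubsubMessage.data, 'base64').toString('utf8');
  const n = JSON.parse(text);
  if (typeof n.costAmount !== 'number' || typeof n.budgetAmount !== 'number') {
    throw new Error('not a budget notification');
  }
  return n;
}

// Notifications arrive several times a day even when no threshold has been
// crossed, so compare cost to budget instead of reacting to every message.
function decideAction(n, policy) {
  if (n.budgetAmount <= 0) return 'ignore';
  const ratio = n.costAmount / n.budgetAmount;
  if (ratio >= policy.shutdownRatio) return 'shutdown';
  if (ratio >= policy.warnRatio) return 'warn';
  return 'ignore';
}

// actions.shutdown is the owner's own kill switch (for example detaching the
// billing account); it is injected so the logic can be tested offline.
function handleBudgetMessage(pubsubMessage, policy, actions, state) {
  let n;
  // Never shut down on a malformed message.
  try { n = decodeBudgetMessage(pubsubMessage); } catch (err) { return 'ignore'; }
  const action = decideAction(n, policy);
  if (action === 'shutdown' && !state.shutDown) {
    state.shutDown = true; // repeated notifications must not re-trigger
    actions.shutdown(n);
  } else if (action === 'warn') {
    actions.warn(n);
  }
  return action;
}

// Constructed sample: 120.50 USD spent against a 100 USD budget.
const sampleMessage = {
  data: Buffer.from(JSON.stringify({
    budgetDisplayName: 'constructed-budget', costAmount: 120.5,
    budgetAmount: 100.0, alertThresholdExceeded: 1.0, currencyCode: 'USD',
  })).toString('base64'),
};
```

Budget data lags behind actual usage, so a handler like this limits the damage rather than capping the bill at an exact amount.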