I attacked myself with Google Spreadsheets (2012)
- #Denial-of-Service
- #AWS
- Received an unexpected AWS billing alert for $720.85, far above the usual $100 monthly charges.
- Logged in to find actual charges of $1,177.76, with $1,065 from 8.8 TB of outgoing bandwidth, increasing by $50-$100 per hour.
- Identified the source as an S3 bucket named 't_4e1cc9619d4aa8f8400c530b8b9c1c09', generating 250 GB of outgoing traffic per hour.
- Enabled S3 logging and discovered the traffic originated from Google's Feedfetcher, not the typical Googlebot, with requests from multiple IPs.
- Realized the cause was a personal Google Spreadsheet using the =image(url) function to display thumbnails of all images in the bucket.
- Understood that Feedfetcher, fetching private URLs for Google services, ignores robots.txt and does not cache, causing repeated hourly downloads.
- Google did not rate-limit requests to s3.amazonaws.com due to its massive scale, exacerbating the traffic surge.
- Resolved the issue by removing the spreadsheet and making the S3 bucket private, though by then the mistake had already proven costly.
- Reflected on the irony: AWS's resilience against denial-of-service attacks has a flip side, since an attacker who cannot take a service down can instead make it expensive to run.
- Recognized a potential attack vector: using Google services to launch untraceable denial-of-service attacks via repeated fetching of URLs.
- Amazon refunded the bandwidth charges, deeming the activity accidental.
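As an added example (not code from the original post), a small detector over S3 server access logs of the kind enabled in the bullets above: it tokenizes each line, sums bytes sent per hour per user agent for successful object GETs, and flags agents whose hourly egress exceeds a threshold. The log lines are constructed samples laid out like the S3 server access log format; the field positions and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Tokenizer for S3 server access log lines: a field is a [...] timestamp,
# a "..." quoted string, or a run of non-space characters.
FIELD = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
# 0-based positions of the fields used below (assumed from the S3 server access log layout).
TIME, REMOTE_IP, OPERATION, KEY, STATUS, BYTES_SENT, USER_AGENT = 2, 3, 6, 7, 9, 11, 16

# Constructed sample lines (not real logs): three anonymous GETs by Feedfetcher from
# different IPs within one hour, one Googlebot crawl, and one browser request (304).
SAMPLE_LOG = """\
owner examplebucket [06/Feb/2019:13:00:05 +0000] 66.249.80.10 - 1A REST.GET.OBJECT img/a.jpg "GET /img/a.jpg HTTP/1.1" 200 - 600000 600000 12 10 "-" "FeedFetcher-Google; (+http://www.google.com/feedfetcher.html)" - - SigV4 - - examplebucket.s3.amazonaws.com TLSV1.2
owner examplebucket [06/Feb/2019:13:00:06 +0000] 66.249.80.11 - 1B REST.GET.OBJECT img/b.jpg "GET /img/b.jpg HTTP/1.1" 200 - 500000 500000 12 10 "-" "FeedFetcher-Google; (+http://www.google.com/feedfetcher.html)" - - SigV4 - - examplebucket.s3.amazonaws.com TLSV1.2
owner examplebucket [06/Feb/2019:13:00:07 +0000] 66.249.80.12 - 1C REST.GET.OBJECT img/a.jpg "GET /img/a.jpg HTTP/1.1" 200 - 600000 600000 12 10 "-" "FeedFetcher-Google; (+http://www.google.com/feedfetcher.html)" - - SigV4 - - examplebucket.s3.amazonaws.com TLSV1.2
owner examplebucket [06/Feb/2019:13:05:00 +0000] 66.249.66.1 - 1D REST.GET.OBJECT img/a.jpg "GET /img/a.jpg HTTP/1.1" 200 - 600000 600000 12 10 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" - - SigV4 - - examplebucket.s3.amazonaws.com TLSV1.2
owner examplebucket [06/Feb/2019:13:09:00 +0000] 198.51.100.7 - 1E REST.GET.OBJECT img/b.jpg "GET /img/b.jpg HTTP/1.1" 304 - - 500000 3 2 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/64.0" - - SigV4 - - examplebucket.s3.amazonaws.com TLSV1.2
"""


def parse_line(line):
    """Extract the fields the detector needs; return None for a malformed line."""
    f = [t.strip('"') for t in FIELD.findall(line)]
    if len(f) <= USER_AGENT:
        return None
    return {"hour": f[TIME][1:15], "ip": f[REMOTE_IP], "op": f[OPERATION],
            "key": f[KEY], "status": f[STATUS],
            "bytes": int(f[BYTES_SENT]) if f[BYTES_SENT].isdigit() else 0,
            "ua": f[USER_AGENT]}


def egress_by_agent(log_text):
    """Sum bytes sent per (hour, user agent) over successful object GETs."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        r = parse_line(line)
        if r and r["op"] == "REST.GET.OBJECT" and r["status"] == "200":
            totals[(r["hour"], r["ua"])] += r["bytes"]
    return dict(totals)


def flag_hot_fetchers(log_text, threshold_bytes):
    """Return (hour, user agent, bytes) for agents whose hourly egress exceeds the threshold."""
    return sorted((h, ua, b) for (h, ua), b in egress_by_agent(log_text).items()
                  if b > threshold_bytes)


if __name__ == "__main__":
    for hour, ua, nbytes in flag_hot_fetchers(SAMPLE_LOG, 1_000_000):
        print(f"{hour}  {nbytes:>10} bytes  {ua}")
```

On real logs the threshold should be set from the bucket's normal hourly egress; the repeated, uncached fetches described above show up as one user agent dominating bytes sent hour after hour.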