
I developed an open source library and hosted its assets (CSS, JS) on Amazon S3. These files were used in the demo via URLs like: http://my_bucket_name.s3.amazonaws.com/some-file.js (my bad, I know). Without my permission, some websites started hot-linking these files.

It was fine for a while, but recently a few NSFW sites hot-linked it and I get tens of millions of GET requests in a month. So I deleted/moved these files, but I still get a lot of GET requests that return 403 errors, and Amazon bills them as valid requests (see the Charge Details section).

What should I do to avoid getting billed for error requests that I don't make?

Thank you for the advice.

Marvin3
  • Have you tried contacting the sites' owners and having a word with them about it? Finally, you can modify the hosted library and insert a harmless message (an `alert()` or similar) that says not to hot-link the files. It's neither payback nor malicious, just a friendly reminder. – André Borie Oct 03 '16 at 07:08
  • This sounds like a question for AWS Support. It would stand to reason that they may have a way to "retire" a bucket name in extenuating circumstances if they deem this such, but otherwise, yes, any unused bucket name can be picked up by anyone else, who could then activate logging and create their own content to match the requests. Injecting malicious content isn't going to do anything productive or "make them pay." Sure, savor that thought, because it's delicious... but then let it go. – Michael - sqlbot Oct 03 '16 at 07:25
  • Everything is worth trying, but with such huge traffic, either the link has been indexed by major search engines for some keyword, or most of those requests are scripted/automated and malicious by nature, and in both of these cases it is doubtful that being friendly would help. – Yuri Oct 03 '16 at 07:28

1 Answer

About deleting the bucket: you're right, if someone else creates a bucket with the same name it will get all your traffic. As you don't want to delete the bucket to prevent abuse, I think it is best to open a ticket with them and see their stance on that. If they care, great: they will find a solution; if they don't, why should you pay for their ignorance? In my dealings with their support regarding (other) security/abuse related topics they were actually quite responsive and helpful.

Yuri
  • Thank you for the reply. It's some kind of network of hentai sites and all the contact information is hidden; there is no valid contact info in whois either. – Marvin3 Oct 03 '16 at 07:27
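Before opening a ticket it helps to quantify who is generating the billed 403s. The script below is an added example (not from the question or answer) that parses S3 server access log lines and counts GET requests per referring host, split by HTTP status; the bucket name, IPs and referers in the sample lines are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# S3 server access log fields are space separated, except that the timestamp is
# wrapped in [...] and the request line, referer and user agent are quoted.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Leading positional fields of the S3 server access log format.
FIELDS = ["owner", "bucket", "time", "ip", "requester", "request_id", "operation",
          "key", "request", "status", "error", "bytes", "size", "total_ms",
          "turnaround_ms", "referer", "user_agent"]

def parse_line(line):
    """Return a dict of the named fields, or None if the line is too short."""
    tokens = [t.strip('[]"') for t in _TOKEN.findall(line)]
    if len(tokens) < len(FIELDS):
        return None
    return dict(zip(FIELDS, tokens))

def hotlink_report(lines):
    """Map each referring host to a Counter of HTTP statuses for GET requests.

    A missing referer ("-") is grouped under "(none)", which is what scripted
    fetches usually look like, as opposed to browsers loading a hot-linking page.
    """
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["operation"].startswith("REST.GET."):
            continue
        host = urlsplit(rec["referer"]).hostname or "(none)"
        report.setdefault(host, Counter())[rec["status"]] += 1
    return report

# Constructed sample lines (hypothetical owner, bucket, IPs and referers).
SAMPLE = """\
owner1 my_bucket_name [03/Oct/2016:07:00:01 +0000] 192.0.2.10 - REQ1 REST.GET.OBJECT some-file.js "GET /some-file.js HTTP/1.1" 403 AccessDenied - - 5 - "http://nsfw-example.test/page" "Mozilla/5.0" -
owner1 my_bucket_name [03/Oct/2016:07:00:02 +0000] 192.0.2.11 - REQ2 REST.GET.OBJECT some-file.js "GET /some-file.js HTTP/1.1" 403 AccessDenied - - 4 - "http://nsfw-example.test/other" "Mozilla/5.0" -
owner1 my_bucket_name [03/Oct/2016:07:00:03 +0000] 192.0.2.12 - REQ3 REST.GET.OBJECT some-file.css "GET /some-file.css HTTP/1.1" 200 - 1200 1200 6 5 "http://demo.example/" "Mozilla/5.0" -
owner1 my_bucket_name [03/Oct/2016:07:00:04 +0000] 192.0.2.13 - REQ4 REST.GET.OBJECT some-file.js "GET /some-file.js HTTP/1.1" 403 AccessDenied - - 3 - "-" "curl/7.50" -
"""

if __name__ == "__main__":
    for host, counts in sorted(hotlink_report(SAMPLE.splitlines()).items()):
        print(host, dict(counts))
```

Run it over the real log files that S3 access logging delivers to a separate bucket; the per-host 403 counts are the evidence to attach to the support ticket.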