• garrysmods.org - A classic, reimagined
If you could drop me a PM with further information, we'll look into this. I'm sure we can get you funding from somewhere.
[QUOTE=_Undefined;52781574]The cost came from data-out transfer from S3, so it's somebody or a group purposefully downloading files to ramp up my bill. There's ~360GB stored and 5TB of traffic was used on just Friday. The 13th. Unlucky for some eh. The reason I know it's malicious is that if it were real traffic I'd see an increase in ad revenue to match the increased bandwidth used.[/QUOTE] 5TB? Damn, and S3 gouges you with the bandwidth pricing. Your best bet if you need to move a lot of data are cheap VPS and dedicated servers in Texas and Nebraska, things like 10TB/Mo for less than $100 a month, 1/5 your S3 bill. In Europe OVH has always looked fairly competitive with bandwidth.
I'll explain the technical stuff behind how the files are stored so it makes sense how this happened. I'm hosting the site on a DO VPS. The files are transferred to and stored on S3. I'm using a subdomain of files.garrysmods.org for S3, which is going through Cloudflare (with caching enabled) to use less bandwidth on S3. When a user downloads a file, I redirect them straight to the file on S3. The reason for that is Cloudflare will cache the majority of download requests their side, and my S3 receives less hits. Using Pre-Signed URLs for the downloads (which could be used to prevent abuse) would bypass Cloudflare and hit S3 directly every time.

Here's the Cloudflare usage. You can see that the bandwidth on the 13th was nothing spectacular. [img]https://i.imgur.com/D8bePqY.png[/img]

Here's the S3 usage. [img]https://i.imgur.com/6W0CazZ.png[/img]

Here's where it gets interesting - I have a policy on the S3 bucket that only allows downloads from Cloudflare IP addresses. That means that if you browsed or tried to download the file directly from S3, you'd get an access denied error. The only way I can think to bypass that is to make traffic come from Cloudflare. How can you do that? Easy - just duplicate my setup of files.garrysmods.org with a different domain and point it at my S3 bucket. That would make the traffic not show in my Cloudflare analytics but the traffic still comes from their IP addresses. Somebody malicious could have figured out that setup from [url=https://facepunch.com/showthread.php?t=1456612&p=50454933&viewfull=1#post50454933]my previous post[/url].

The only real way to resolve this is to protect the S3 bucket completely and use Pre-Signed expiring requests for each download and limit what users can download per month. I'll implement that and get the site back up shortly. In hindsight, the process is insecure, but at the same time, I built a platform for the community to use, share files and revive something that people wanted.
I spent my own time and money on it and didn't really expect it to be abused. [QUOTE=Hezzy;52781643]If you could drop me a PM with further information, we'll look into this. I'm sure we can get you funding from somewhere.[/QUOTE] Thank you, I'll shoot you a PM.
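The fix described in the post above (expiring signed download links plus a per-user monthly download cap) can be sketched in a few dozen lines. The following is an added illustration, not code from the site or from the poster: it signs links with an HMAC instead of AWS SigV4 (against real S3 you would call boto3's generate_presigned_url, which the post refers to as Pre-Signed URLs), keeps the quota ledger in memory instead of a database, and uses a constructed hostname, secret and quota size.

```python
import hashlib
import hmac
import time
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side secret; a real deployment loads this from config/env.
SIGNING_SECRET = b"replace-me-with-a-long-random-secret"

# Per-user monthly download allowance in bytes (constructed example value: 2 GiB).
MONTHLY_QUOTA_BYTES = 2 * 1024 ** 3

# Usage ledger: (user_id, "YYYY-MM") -> bytes already granted this month.
# In-memory here for illustration; the real site would persist this.
_usage = defaultdict(int)


def _month_key(now: float) -> str:
    return time.strftime("%Y-%m", time.gmtime(now))


def _signature(user_id: str, key: str, expires: int) -> str:
    # Bind user, object key and expiry together so none can be swapped.
    msg = f"{user_id}\n{key}\n{expires}".encode()
    return hmac.new(SIGNING_SECRET, msg, hashlib.sha256).hexdigest()


def usage_bytes(user_id: str, now: Optional[float] = None) -> int:
    now = time.time() if now is None else now
    return _usage[(user_id, _month_key(now))]


def issue_download_url(user_id: str, key: str, size_bytes: int,
                       ttl_seconds: int = 300,
                       now: Optional[float] = None) -> Optional[str]:
    """Return a short-lived signed URL for `key`, or None when the user's
    monthly quota would be exceeded. The quota is charged when the link is
    issued, so a client cannot obtain unlimited links and redeem them later."""
    now = time.time() if now is None else now
    ledger = (user_id, _month_key(now))
    if _usage[ledger] + size_bytes > MONTHLY_QUOTA_BYTES:
        return None
    _usage[ledger] += size_bytes
    expires = int(now) + ttl_seconds
    query = urlencode({"u": user_id, "e": expires,
                       "s": _signature(user_id, key, expires)})
    # files.example.invalid is a constructed placeholder host.
    return f"https://files.example.invalid/{key}?{query}"


def verify_download_url(url: str, now: Optional[float] = None) -> bool:
    """Check signature and expiry of a URL produced by issue_download_url.
    The download front end would only proxy the object when this returns True."""
    now = time.time() if now is None else now
    parsed = urlparse(url)
    key = parsed.path.lstrip("/")
    q = parse_qs(parsed.query)
    try:
        user_id = q["u"][0]
        expires = int(q["e"][0])
        sig = q["s"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    # Constant-time compare to avoid leaking signature bytes via timing.
    return hmac.compare_digest(sig, _signature(user_id, key, expires))


if __name__ == "__main__":
    t0 = 1_700_000_000
    link = issue_download_url("alice", "addons/example.zip", 100 * 1024 ** 2, now=t0)
    print(link)
    print("valid now:", verify_download_url(link, now=t0 + 60))
    print("valid after expiry:", verify_download_url(link, now=t0 + 600))
```

The important property is that the object is never reachable without a link the site issued, so a copied front end on another domain gets nothing, and the per-month ledger bounds how much data-out a single account can cause.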
This really sucks.... When I first started Lua I used that site to upload my shitty scripts, was a strong origin point for me. Well, like you said, was good while it lasted.
Wow that's awful. I was just using this site yesterday for my gmod server. Is there anyway to track who did this? Or was it through a VPN?
[QUOTE=Vilusia;52782107]Wow that's awful. I was just using this site yesterday for my gmod server. Is there anyway to track who did this? Or was it through a VPN?[/QUOTE] If it was going through Cloudflare (based on _Undefined's description of their setup it would have to), probably not. Cloudflare would hide all of that if I recall (though I've not played with the service that much) as it's a platform that sits between your service and the user to cache things and provide a security layer. It'd be kinda daft for Cloudflare to expose information about the user in the network requests from a security standpoint.
[QUOTE=_Undefined;52781830] Here's where it gets interesting - I have a policy on the S3 bucket that only allows downloads from Cloudflare IP addresses. That means that if you browsed or tried to download the file directly from S3, you'd get an access denied error. The only way I can think to bypass that is to make traffic come from Cloudflare. How can you do that? Easy - just duplicate my setup of files.garrysmods.org with a different domain and point it at my S3 bucket. That would make the traffic not show in my Cloudflare analytics but the traffic still comes from their IP addresses. Somebody malicious could have figured out that setup from [url=https://facepunch.com/showthread.php?t=1456612&p=50454933&viewfull=1#post50454933]my previous post[/url]. [/QUOTE] It's worth contacting CloudFlare and telling them the situation - this type of attack is an "Economic Denial of Sustainability" something they should be very interested in, especially if their service is being used to springboard it.
You should install some kind of bureaucratic system for uploading addons once you get it up and running again, or limit the amount of addons someone can upload in a day.
This my friend is why we can't have nice things.
What about user Tiers like the ones that usually come with default forum hosting packs.

Unregistered Users = barely any bandwidth, no upload at all
Registered Users = Extremely limited upload and bandwidth.
Verified Users (link to steam account?) = Somewhat limited bandwidth & Upload
Content Creator (known map makers and LUA devs) = Increased bandwidth and higher upload cap

[editline]edit[/editline] I know that'll be extra work to set up, but hopefully things work out with you and whatever Hezzy was setting up and this will let you spend a little extra on getting the site set up. I'm not even into Garrysmod anymore but it was my life as a kid and I would spend hours downloading cool addons from Garrysmod.org on my shitty internet. I didn't even realise it was gone so it's nice to see someone trying to keep the spirit of the site going.
If you wanted to do a verification in steam account link. Steam accounts are free and easy to set up. Next step is to have gmod on your library, puts a payment into a mix
[QUOTE=adamdburton;52781088]minus user data because fuck.[/QUOTE] Wow I click the link from my Steam profile to check my maps' collection at the official Addons website of Garry's Mod (garrysmods.org) and I find this "fuck" word, how original. [highlight](User was banned for this post ("Why Reply?" - Nookyava))[/highlight]
[QUOTE=Wickerman123;52783188][...] Verified Users (link to steam account?) = Somewhat limited bandwidth & Upload [...][/QUOTE] You can also check if they own Gmod to enable this (or a slightly higher tier, since it'd still lock out family sharing users iinm). That would mean account-hopping would cost a significant amount of money. Ideally about as much as the bandwidth they burn. [editline]edit[/editline] I should have read on :suicide: In any case, I think this requires the profile to be set at least to community-visible, since OAuth (rather than OpenID) API access is afaik very limited on Steam.
Here's what Cloudflare caches: [url]https://support.cloudflare.com/hc/en-us/articles/200172516-Which-file-extensions-does-CloudFlare-cache-for-static-content-[/url] tl;dr: zip files are not cached (understandably so)
[QUOTE=_Undefined;52781830]I'll explain the technical stuff behind how the files are stored so it makes sense how this happened. I'm hosting the site on a DO VPS. The files are transferred to and stored on S3. I'm using a subdomain of files.garrysmods.org for S3, which is going through Cloudflare (with caching enabled) to use less bandwidth on S3. When a user downloads a file, I redirect them straight to the file on S3. The reason for that is Cloudflare will cache the majority of download requests their side, and my S3 receives less hits. Using Pre-Signed URLs for the downloads (which could be used prevent abuse) would bypass Cloudflare and hit S3 directly every time. Here's the Cloudflare usage. You can see that the bandwidth on the 13th was nothing spectacular. [img]https://i.imgur.com/D8bePqY.png[/img] Here's the S3 usage. [img]https://i.imgur.com/6W0CazZ.png[/img] Here's where it gets interesting - I have a policy on the S3 bucket that only allows downloads from Cloudflare IP addresses. That means that if you browsed or tried to download the file directly from S3, you'd get an access denied error. The only way I can think to bypass that is to make traffic come from Cloudflare. How can you do that? Easy - just duplicate my setup of files.garrysmods.org with a different domain and point it at my S3 bucket. That would make the traffic not show in my Cloudflare analytics but the traffic still comes from their IP addresses. Somebody malicious could have figured out that setup from [url=https://facepunch.com/showthread.php?t=1456612&p=50454933&viewfull=1#post50454933]my previous post[/url]. The only real way to resolve this is to protect the S3 bucket completely and use Pre-Signed expiring requests for each download and limit what users can download per month. I'll implement that and get the site back up shortly. 
In hindsight, the process is insecure, but at the same time, I built a platform for the community to use, share files and revive something that people wanted. I spent my own time and money on it and didn't really expect it to be abused. Thank you, I'll shoot you a PM.[/QUOTE] Why do you use S3 storage?! These prices are ridiculous, they charge a lot for bandwidth, you could have an unmetered dedicated box for that, like around 15$ a month, just install LAMP and assign the files. subdomain for storage [url]https://oneprovider.com/dedicated-servers/paris-france[/url] (Online.net reseller) You can even get a cheaper OpenVZ storage VPS for lower than that [url]https://www.time4vps.eu/storage-servers/[/url] If you want cheap and reliable guidance in hosting matters you can ask here, or search, there is a lot of advice, I'm a fairly active user here [url]https://www.lowendtalk.com/[/url] [highlight](User was permabanned for this post ("Joined to advertise" - Shendow))[/highlight]

[QUOTE=nitrocell;52786098]Why do you use S3 storage?! These prices are ridiculous, they charge a lot for bandwidth, you could have an unmetered dedicated box for that, like around 15$ a month, just install LAMP and assign the files. subdomain for storage [url]link[/url] (Online.net reseller) You can even get a cheaper OpenVZ storage VPS for lower than that [url]lonk[/url] If you want cheap and reliable guidance in hosting matters you can ask here, or search, there is a lot of advice, I'm a fairly active user here [url]lunk[/url][/QUOTE] :thinking: [highlight](User was banned for this post ("Why reply?" - Shendow))[/highlight]
I've set up an unmetered VPS with nginx reverse proxying to S3 with Cloudflare in front too. No more crazy bills! Thanks for the help guys.
Congratulations! I've never used your site but it looks great! :)
Good to see it's back up. :smile:
I appreciate the help! Now that the site is back up... if anyone wants to help out with the bill a little, please browse the site and if anything is of interest (ads) to you, then please have a click (on the ads) and I'd be very grateful. Thanks again (for the ads)!
[QUOTE=_Undefined;52787591]I've set up an unmetered VPS with nginx reverse proxying to S3 with Cloudflare in front too. No more crazy bills! Thanks for the help guys.[/QUOTE] How exactly are you doing this? There's no more caching in this solution than there is with CF -> S3. The VPS still has to pull from S3.