Mongo Realm 3rd Party Services denial of wallet protection / mitigation / prevention

Hi Mongo

(recreated topic as more info and could not edit original)

I have been experimenting with Realm 3rd Party Services to create incoming webhooks, Based on the scalability I am particularly interested in preventing attacks on the endpoint and how to prevent an attacker requesting the endpoint over and over and causing a “denial of wallet” attack.

I expected that using the ‘Can Evaluate’ expression combined with a list of abusive IP’s would mitigage basic attacks by blocking the request from being procesed; however from testing this does not seem to be the case - I can prevent the funtion from running so reducing Data Transfer and Compute Runtime but I cannot prevent the request from being billed.

Can you answer the following:

1. Is there any way for me to completely deny a request to an endpoint and not be charged for the request?

2. Does Mongo have any recomended practices for mitigating endpoint attacks (for example you provide a json expression showing allow if in set of ip but this is useless if the request is still charged)?

3. What protection does Mongo provide at the Realm platform level to mitigate platform level / large scale ddos attacks on endpoints and how does this impact our billing if our endpoints are targeted?

4. What protection does Mongo provide at the Realm platform level to mitigate targetted ddos attacks
   on our endpoints and how does this impact our billing?

For example Firebase provide a platform level ddos protection that prevents billing of clients if there was a platform level ddos attack; however this is retrospective and would only apply in case 3, they provide support for case 2 but very little for case 1 which can result in unessecary billing for clients.

Thank you,

I have included case studies and test setup below.

Case studies:

Case 1: A basic attacker requesting an endpoint over and over again using a basic load testing tool running 50req/s which would be processed by Realm and result in an additional 4.3M requests per day:

    ( ( 50 req/s * 86400 s/day ) / 1000000 ) * 0.3 = $1.29 / day

In this case I could identify the attacker and prevent the function being run for them but I cannot completely deny the requests; this would result in a $40/month cost when normal load might only run < 5$

Case 2: A basic distributed attack could request an endpoint over and over again lets say a cluster of 100 bots requesting the endpoint at 50 req/s which would be processed by Realm and result in ~430M requests per day:

    ( (  100 bots * 50 req/s * 86400 s/day  ) / 1000000 ) * 0.3 = $129+/day

Here again the IPs could be identified but not completely denied and we would have to terminate the app to prevent a bill of $4000+ for the month.

Case 3: A sophisticated attacker could distribute the attack using multiple rotating bots and target all of the apps endpoints - assuming the app has 10 endpoints and using a sustained 200 bot attack:

    ( ( 10 endpoints * 200 bots * 50 req/s * 86400 s/day ) / 1000000 ) * 0.3 = $2592 /day

Test setup:

My testing setup using the UI for setup and leaving all defaults unless specified:

1. Create an Atlas cluster
   => AWS, Frankfurt (eu-central-1), 4.4, M0, Name = cluster
2. Create a Realm app connected to the cluster
   => Name = app, link to cluster, set global
3. Create a 3rd Party Service
   => 3rd Party Services => Add a Service => Type = http, Name = test
4. Add an incoming webhook to the service
   => Add Incoming Webhook => Name = test, HTTP Method = GET

Test 1 - Setup endpoint to return ‘Hello World’, expect request to be processed and request billed.
Outcome: Endpoint returns and 1 request is billed

% curl https://webhooks.mongodb-realm.com/api/client/v2.0/app/APP/service/test/incoming_webhook/test
    "Hello World!"

Test 2 - Set Can Evaluate to always false expect request to be denied
=> Edit Webhook => Can Evaluate = { “%%true”: false }
Outcome: Endpoint returns error but 1 request is still billed

% curl https://webhooks.mongodb-realm.com/api/client/v2.0/app/APP/service/test/incoming_webhook/test
    {"error":"incoming webhook evaluation blocked by CanEvaluate","link" ... }

I am actually interested in the answer to this question as well.

Just to clarify, this attack is only possible using a Webhook, which I would have to activate first? So, as long as I only use Realm Sync with Atlas, this does not need to concern me, right?

Now if i do use webhooks, I was expecting that any billable service would require some form of authentication or built in security. The webhook is intended to link to a third party service and the documentation describes authentication:

Is it really possible to get billed for webhooks without authentication or without some sort of security token?

Christian_Wagner, short answer - yes that is correct.

Longer answer - we need Mongo to comment and confirm but from my testing I beleive the following is the case:

• To be venerable you would need to create / enable a webhook - if you do not have any then there are no endpoints to exploit therefore no excessive requests can be made.

• When I ran my tests I left the defaults in place - my endpoint was using Authentication = System because I wanted the function to be able to access all data and the endpoint to be plubic then setup my own logic within the function; however I also want to block obviously abusing users for example by IP, ideally I was expecting the following:

guest => endpoint => function runs and responds with redacted data
user => endpoint => function runs and responds with full data
abusive ip => endpoint => denied by can evaluate / other mechanism, request is denied and function does not run

So far I can only get the function to not run, not the request to be denied, I have tried using both service rules and webhook can evaluate to deny the request.

I will run a quick test using an Authentication = Application Authentication and see if I get different results.

UPDATE: When setting Authentication = Application Authentication Realm returns a 400 for a straight request with no auth specified but the requests are still charged; therefore it appears that setting up any incoming webhook is a potential vector for abuse regardless of the authentication or can evaluate settings anyone sending a request to your endpoint regardless of if they are authenticated cause you to be billed for one request.

Hey @mba_cat - these are really good points. Some additional things to consider with rate-limiting/throttling Realm API requests -

1. At the moment Realm will rate limit requests/s if they exceed a certain threshold to prevent requests, and case 2 / case 3 are improbable due to that rate limiting.

More configuration around rate limiting can also be an added on with an API gateway or a proxy today, but configurable rate limiting in Realm sn’t out of the question. You can vote for the feature here - Configure rate limit – MongoDB Feedback Engine

2. Answered above, we do have set rate-limiting in place and will stop accepting requests after that.

3. (and 4) - We’re covered under AWS Shield Advanced which should help mitigate DDoS attacks and that we’re in the process of adding more network security features (IP Access List, PrivateLink).

Hello,

I understand your concerns regarding endpoint attacks and the impact on billing within the Realm platform. While I can provide some general information, please note that specific details about billing and protection mechanisms might require assistance from MongoDB support or documentation.

1. Denying Requests and Billing: As of my last update in September 2021, I don’t have real-time information on changes to Realm’s billing policies or protection mechanisms. However, based on your description, it seems that preventing a request from being processed doesn’t necessarily prevent it from being billed. To completely deny a request to an endpoint without incurring billing charges, you may need to explore further options or consult MongoDB’s support for the most up-to-date information.

2. Mitigating Endpoint Attacks: MongoDB might have recommended practices for mitigating endpoint attacks within the Realm platform. This could include rate limiting, IP blocking, or other security measures. To get specific guidance on these practices, I recommend reaching out to MongoDB support or referring to the official Realm documentation.

3. Protection Against DDoS Attacks: As for large-scale DDoS attacks on the platform level, MongoDB is likely to have measures in place to mitigate these attacks and ensure platform stability. However, the details of these measures and their impact on billing would be best addressed by MongoDB support.

4. Protection Against Targeted DDoS Attacks: Targeted DDoS attacks on specific endpoints might have varying impacts depending on the scale and nature of the attack. Again, MongoDB should have security measures in place to handle such scenarios, but for specific details on protection and billing impact, it’s best to consult MongoDB support.

As a general practice, when dealing with potential DDoS or endpoint attacks, rate limiting, IP filtering, and application-level security mechanisms can be effective in mitigating the impact. However, the specifics of implementing these measures within Realm and their interaction with billing would depend on the platform’s current capabilities and policies.

I recommend reaching out to MongoDB support or checking the official documentation and release notes for the most accurate and up-to-date information on billing, protection mechanisms, and best practices within the Realm platform. They will be able to provide detailed guidance and solutions tailored to your specific use case and environment.

Always ensure you have the latest versions of Realm and other MongoDB services to take advantage of the latest security features and improvements. Additionally, keep your software and services up-to-date to address any potential vulnerabilities that may be exploited in attacks.

Please note that my responses are based on information available up to September 2021, and I encourage you to verify and validate any details with MongoDB’s official resources for the most current information.