How to prevent requests for nonexistent files from reaching a public R2 bucket?

What is the name of the domain?

What is the error number?

none

What is the error message?

none

What is the issue you’re encountering?

Requests for nonexistent files are billed as class B operations

What are the steps to reproduce the issue?

Manually request nonexistent files from browser and see the class B operations counter rise.

QUESTION
My question is whether there exists some method, beyond WAF rate limiting, to prevent requests for nonexistent files from reaching a public bucket, generating 404 responses from CF, and being billed as class B operations (I’ve verified they are counted as such).

I’m concerned about a denial of wallet attack that exploits this. Contrary to requests for existing files, which are cached and thus do not hit R2, requests for random names would miss the cache and always hit R2. In large quantities, and from many different IPs, even with WAF rate limiting a public bucket could conceivably receive many millions of requests beyond the free tier.

The cost for the victim owner of the public bucket could be meaningful. What else would be an effective countermeasure in this case?

Thank you.

Hey there,

You can configure a Cache rule to cache requests that return a 404 status code, so that future 404s do not hit the R2 bucket and instead are served from the Cloudflare cache. If you want to have the 404s cached for longer only for the requests going to an R2 bucket, you could specify the R2 custom domain for the matching part of the rule. I would recommend you check out the following documents to help with the configuration of this rule.

Do note that if you do implement this rule, you would have to purge the cache if you end up uploading a file with a path/name that has been cached previously as a 404, as users would continue to see the 404 until the Cache Edge TTL expires.

Hello Micky,

Thank you for the suggestion. Caching 404s would help only in case an attacker keeps requesting the same nonexistent file. But in the case of requests for random object keys it would not be sufficient. Since every request would make for a different cache key, all malicious requests would bust the cache and hit the R2 bucket.

I’m thinking of using a WAF rule requiring HMAC validation for all requests aimed at the custom subdomain connected to my public bucket. This would block all requests without an HMAC hash issued by my origin. Thus, any malicious request for random nonexistent files would lack a valid HMAC hash, and would never hit the bucket.

This leads me to three questions about the is_timed_hmac_valid_v0() function. I see the TTL argument to the function is not optional. But can it be zero for no token expiration? Is there an upper limit to the TTL or can it be arbitrarily high? Does Cloudflare always require using SHA-256 on HMAC?
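
The origin side of the HMAC approach discussed above, as an added example that is not part of the thread and is not Cloudflare's code: it issues signed URLs for objects the origin knows exist and checks them locally before a rule is deployed. The secret, the `?verify=` separator, the TTL value, the paths and the token layout (timestamp, a dash, then the URL-encoded base64 HMAC-SHA256 of path plus timestamp) are assumptions to confirm against the current `is_timed_hmac_valid_v0()` documentation.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

SECRET = b"constructed-demo-secret"  # constructed; must equal the key in the WAF rule
SEPARATOR = "?verify="               # assumed separator; its length (8) goes in the rule
TTL = 10800                          # seconds; constructed sample value

# Assumed shape of the blocking rule expression (hostname is a placeholder):
#   http.host eq "<bucket custom domain>" and not is_timed_hmac_valid_v0(
#       "<secret>", http.request.uri, 10800, http.request.timestamp.sec, 8)


def _mac(path, ts):
    """Base64 HMAC-SHA256 over path + timestamp (assumed token layout)."""
    digest = hmac.new(SECRET, f"{path}{ts}".encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign_url(path, now=None):
    """Return path + '?verify=<ts>-<urlencoded mac>' for an existing object."""
    ts = int(time.time()) if now is None else now
    return f"{path}{SEPARATOR}{ts}-{urllib.parse.quote_plus(_mac(path, ts))}"


def is_valid(uri, now, ttl=TTL):
    """Local approximation of the edge check, for testing issued tokens."""
    path, sep, token = uri.partition(SEPARATOR)
    ts_text, dash, mac_enc = token.partition("-")
    if not (sep and dash and ts_text.isascii() and ts_text.isdigit()):
        return False  # unsigned or malformed request: never reaches the bucket
    ts = int(ts_text)
    if not 0 <= now - ts <= ttl:
        return False  # expired; rejecting future timestamps is this example's choice
    presented = urllib.parse.unquote_plus(mac_enc).encode()
    return hmac.compare_digest(presented, _mac(path, ts).encode())


if __name__ == "__main__":
    url = sign_url("/files/report.pdf")
    print(url, is_valid(url, int(time.time())))
```

Because the MAC covers the path, a token issued for one object cannot be replayed against a random key, which is the property the denial-of-wallet concern depends on.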
