I am planning to share my personal files over a public R2 bucket, but I am afraid of a denial-of-wallet attack.
Example: I post r2.domain.com/example.pdf in a public place.
Somebody starts hitting r2.domain.com/random-non-exist-files.html, overuses my Class B Operations, and I get a huge bill.
I am thinking about rate limiting by WAF, but the free tier only provides a 10 s counting period, which does not help much in this case.
You get 10,000,000 free class B operations per month, so even if someone was persistent and hit it 24/7 for a month, a rate limiting rule set to 10 s would only allow 259,200 requests per month to get through (about 2.5% of your free amount).
Have you been anywhere remotely close to 10M class B operations in a single month so far? What do you consider a “huge bill”? Even if you doubled your free amount and went up to 20,000,000 total class B operations per month, you are talking about $3.60/month.
The best thing to do is use the same tools that Cloudflare offers for your “normal” site and apply those to your public R2 bucket (rate limiting, blocking malicious users by user agent, IP blocks, countries, etc.).
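The answer's 259,200-requests-per-month figure, worked into a small worst-case cost model. This is an added example, not code from the thread or from Cloudflare; it assumes a per-IP rate limiting rule with the parameters below, that every request against the bucket (existing object or 404) counts as one Class B operation, and it takes the pricing constants from the numbers quoted in the answer (10M free operations, 20M operations costing $3.60).

```python
"""Worst-case Class B usage and cost under a per-IP rate limiting rule.

Assumptions (not from the original thread):
  * once a client exceeds `requests_per_period` within `period` seconds it is
    blocked for `mitigation_timeout` seconds, so in the worst case it gets
    `requests_per_period` requests through every max(period, timeout) seconds;
  * every GET, hit or miss, is one Class B operation;
  * pricing constants are derived from the answer's figures.
"""
from dataclasses import dataclass

FREE_CLASS_B_OPS = 10_000_000       # free Class B operations per month (from the answer)
USD_PER_MILLION_CLASS_B = 0.36      # implied by "20M operations -> $3.60" in the answer
SECONDS_PER_MONTH = 30 * 24 * 3600  # 30-day month, as in the answer's arithmetic


@dataclass
class RateLimitRule:
    period: int               # counting period in seconds (free tier allows 10)
    requests_per_period: int  # requests each client may make per period
    mitigation_timeout: int   # seconds a client stays blocked after exceeding


def worst_case_requests(rule: RateLimitRule, attacker_ips: int = 1,
                        seconds: int = SECONDS_PER_MONTH) -> int:
    """Upper bound on requests reaching the bucket from clients that flood
    continuously for `seconds` seconds, each from its own source IP."""
    cycle = max(rule.period, rule.mitigation_timeout)  # approximation, see docstring
    cycles = seconds // cycle
    return cycles * rule.requests_per_period * attacker_ips


def monthly_cost_usd(attack_requests: int, baseline_requests: int = 0) -> float:
    """Bill for the month once legitimate traffic and the attack exceed the free tier."""
    billable = max(0, attack_requests + baseline_requests - FREE_CLASS_B_OPS)
    return round(billable / 1_000_000 * USD_PER_MILLION_CLASS_B, 2)


if __name__ == "__main__":
    rule = RateLimitRule(period=10, requests_per_period=1, mitigation_timeout=10)
    for ips in (1, 10, 100):
        reqs = worst_case_requests(rule, attacker_ips=ips)
        print(f"{ips:>4} attacking IPs -> {reqs:>12,} requests/month, ${monthly_cost_usd(reqs)}")
```

The single-IP row reproduces the answer's 259,200; the other rows show how the ceiling, and the bill, scale once an attacker spreads the flood across many source addresses, which is why IP and user-agent blocking are suggested alongside the rate limit.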