How you can dodge this $10,000 mistake
I almost made a wallet-draining mistake. Here's the hard-earned lesson and how you can sidestep the same costly pitfall.
This week, I got a $10,000 wake-up call.
Let me tell you exactly what happened.
The $10,000 email
It was just another Wednesday morning.
Or so I thought.
I rolled over, grabbed my phone, and checked my inbox.
You know, the usual routine.
But then I saw it.
An email that made my stomach drop.
From Vercel, the company hosting my websites:

The email I received from Vercel at 8am.
1 million function invocations overnight?
What!?
And Vercel wanted to charge me for it.
My usual? About 1,000 a day.
Something was very wrong.
At first, I thought it was the “Leaderboard” feature I’d pushed to Pentest List the night before.
Maybe there was a bug?
That was until I checked my server logs.
The logs told a different story
I’d received a spike of traffic.
1.5 million requests between 4am and 8am.

A traffic spike well above normal usage. This wasn’t just a bug.
How could I be sure this wasn’t a bug?
Well, I could see where the requests were coming from.

Russia was the main culprit. But it could have easily been a VPN.
More than 600,000 requests from Russia.
The same from Germany.
And about 200,000 requests from the US.
Someone, or many someones, had attacked my server by sending an extreme number of requests.
Wow, I was lucky
There are countless stories of this happening to others.
Others who aren’t quite so lucky.
Fortunately, it only cost me $0.60.
But how do I make sure it doesn’t happen again?
How you can avoid my mistake
You can’t stop someone from attacking you.
But, you can stop them from costing you $10,000s in additional server usage fees when they do.
1. Set spending limits
This is by far the most important thing you can do.

Set a spending limit! I set mine to a whopping $1.
Many hosting companies allow you to set spending limits or budgets.
If yours does, use it.
That way, if anything happens, the server will just stop responding.
After all, it’s better to wake up to a broken server than an enormous bill.
2. Rate limit your application
Rate limiting means capping the number of requests your application will accept from any one client within a given time window.
Sure, more experienced attackers can find ways around this.
But it’ll stop the majority.
Check out this guide if you use Vercel.
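Here is a small per-client rate limiter of the kind the step above describes, added as an illustration; it is not code from this post, from Vercel, or from the guide linked above. It uses the token-bucket algorithm: each client key (taken here from the first `x-forwarded-for` entry, which is an assumption about how your platform exposes the client address) gets a bucket that refills at a steady rate, and a request is only served while a token is available. The clock is injectable so the behaviour can be checked deterministically, and `evictIdle` keeps the map from growing without bound when requests arrive from a large number of different addresses, as in the traffic described in the post.

```javascript
// Added example: a token-bucket rate limiter keyed per client.
// Not code from the post or from Vercel; the header/ip handling in
// limitRequest is an assumption about the request object you receive.

class TokenBucketLimiter {
  constructor({ capacity = 60, refillPerSec = 1, now = () => Date.now() } = {}) {
    this.capacity = capacity;       // burst size a client may send at once
    this.refillPerSec = refillPerSec; // sustained requests per second allowed
    this.now = now;                 // injectable clock (milliseconds) for deterministic tests
    this.buckets = new Map();       // clientKey -> { tokens, updatedAt }
  }

  // Decide one request from `clientKey`; returns { allowed, remaining, retryAfterMs }.
  check(clientKey) {
    const t = this.now();
    let b = this.buckets.get(clientKey);
    if (!b) {
      b = { tokens: this.capacity, updatedAt: t };
      this.buckets.set(clientKey, b);
    }
    // Refill in proportion to elapsed time, never above capacity.
    const elapsedSec = Math.max(0, (t - b.updatedAt) / 1000);
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.updatedAt = t;

    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterMs: 0 };
    }
    // Time until one whole token is available again.
    const retryAfterMs = Math.ceil(((1 - b.tokens) / this.refillPerSec) * 1000);
    return { allowed: false, remaining: 0, retryAfterMs };
  }

  // Drop buckets idle long enough to be full again, so many distinct client
  // keys cannot make the map grow without bound. Returns remaining bucket count.
  evictIdle() {
    const t = this.now();
    const fullAfterMs = (this.capacity / this.refillPerSec) * 1000;
    for (const [key, b] of this.buckets) {
      if (t - b.updatedAt >= fullAfterMs) this.buckets.delete(key);
    }
    return this.buckets.size;
  }
}

// Turn a limiter decision into an HTTP status plus headers for the response.
// Client key: first x-forwarded-for entry, else req.ip (assumed request shape).
function limitRequest(limiter, req) {
  const forwarded = (req.headers && req.headers['x-forwarded-for']) || '';
  const key = forwarded.split(',')[0].trim() || req.ip || 'unknown';
  const d = limiter.check(key);
  if (d.allowed) {
    return { status: 200, headers: { 'RateLimit-Remaining': String(d.remaining) } };
  }
  return { status: 429, headers: { 'Retry-After': String(Math.ceil(d.retryAfterMs / 1000)) } };
}

// Constructed burst: one client, 5-token bucket refilling 1 token/sec, clock starting at 0.
// Returns the list of status codes the client would see.
function simulateBurst() {
  let clock = 0;
  const limiter = new TokenBucketLimiter({ capacity: 5, refillPerSec: 1, now: () => clock });
  const req = { headers: { 'x-forwarded-for': '203.0.113.7, 10.0.0.1' } }; // constructed addresses
  const statuses = [];
  for (let i = 0; i < 7; i++) statuses.push(limitRequest(limiter, req).status); // 5 served, 2 refused
  clock = 2000; // two seconds later two tokens have refilled
  for (let i = 0; i < 3; i++) statuses.push(limitRequest(limiter, req).status); // 2 served, 1 refused
  return statuses;
}
```

On a serverless host each function instance has its own memory, so this in-memory map only limits traffic per instance; for a limit shared across instances the map would need to be replaced by an external store, which is the kind of setup a platform-specific guide covers.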
Better to be safe than sorry
I hope you never get to experience this.
It’s not fun, trust me.
But in case you do - make sure you put these measures in place beforehand.
It’ll help you sleep a little better at night, I promise.
You’ve got this!
If you’re interested in building little internet startups and traveling the world, subscribe to my newsletter for a new edition every Saturday.
And start connecting with other likeminds on Indiedex. It’s free to claim your profile :)