What is the best way to stop an attacker from triggering a Cloud Function repeatedly, causing a huge bill or causing the project to run into quota limits?

Some ideas:

• Use RTDB or Cloud Storage triggers as much as possible, since writes to those are protected by those products' security rules
• Put functions behind a service like Cloudflare
• Set up billing alerts, so a notification is sent if the monthly bill is unusually large

Check my answer here.

Short breakdown of items from my answer :

1. Limit the type of requests
2. Authenticate if you can
3. Check for origin
4. Use a load balancer in between
5. Use something like Cloudflare Page Rules

Hope it helps :)