Pedro Rodrigues


The state of AppEngine DoS protection

The DoS Protection service from Google AppEngine allows the admin of each app to blacklist up to 100 IPs or subnets and block requests from those clients before they reach the app. The configuration is done with a file called dos.yaml that lives in the root of the app.

This is pretty neat because if you have someone or something abusing your app you can add their IP or subnet to the file and forget about them.

The name of the service, DoS, stands for Denial of Service and, as the Google team put it, “It is designed for quantitative abuse prevention … only.”

The way it works now, you have to identify who’s attacking your app, add them to the dos.yaml file, upload the updated blacklist and wait for the changes to reach the app.

Owners of an app being targeted by a DoS only find out about the attack when the app starts to fail or after a good chunk of resources have already been consumed.

In the app’s dashboard the admins can see a list of the top 25 IPs responsible for the most requests since the beginning of the current hour.

If an app is left overnight without supervision and an attack occurs, it’s in the hands of the developers and admins to mitigate the abuse. Developers can implement methods of analyzing the requests and firing alarms that can prevent major abuse and buy some time to alert admins and have the blacklist updated.

The App Engine team does seem to keep an eye on how the apps are doing and will put blocks in place if they notice anything out of the ordinary. How this works is a bit of a mystery, as would be expected, but it’s a fact that they won’t even contact the owners of the app about the blocks.

The DoS service seems to be pretty low-level and the rules are probably loaded into each app instance at creation time. This makes it somewhat hard to play with the configuration and is why it takes the form of a text-based YAML file.

If a developer is given the task of implementing a system that takes note of each user’s requests and fires alarms and countermeasures that prevent major abuse, it would be really nice if these developers could also programmatically access the options of the DoS Protection service to add and remove rules.
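As an added example (not code from the original post), here is the kind of per-IP request analysis the two paragraphs above suggest: a sliding-window counter that flags abusive clients, plus a renderer for the dos.yaml blacklist those flags would feed into. It assumes the `blacklist` / `subnet` / `description` keys of dos.yaml and uses a constructed request log.

```python
import collections
import ipaddress

# Constructed sample: (timestamp_seconds, client_ip) pairs, as a request
# handler could record them. One client hammers the app, two are normal.
SAMPLE_REQUESTS = (
    [(1000.0 + i * 0.1, "203.0.113.7") for i in range(120)]
    + [(1000.0 + i * 1.5, "198.51.100.23") for i in range(20)]
    + [(1050.0, "192.0.2.9"), (1055.0, "192.0.2.9")]
)


def find_abusers(requests, window=60.0, threshold=100):
    """Return {ip: peak_count} for IPs that made more than `threshold`
    requests inside any `window`-second sliding window."""
    per_ip = collections.defaultdict(collections.deque)
    flagged = {}
    for ts, ip in sorted(requests):
        q = per_ip[ip]
        q.append(ts)
        # Drop timestamps that fell out of the window for this IP.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def render_dos_yaml(abusers, limit=100):
    """Emit a dos.yaml blacklist, most active IPs first, capped at the
    service's 100-entry limit. Each flagged IP becomes one subnet entry."""
    lines = ["blacklist:"]
    ranked = sorted(abusers.items(), key=lambda kv: -kv[1])[:limit]
    for ip, count in ranked:
        addr = ipaddress.ip_address(ip)  # rejects malformed input early
        lines.append("- subnet: %s" % addr)
        lines.append("  description: auto-flagged, %d requests in window" % count)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dos_yaml(find_abusers(SAMPLE_REQUESTS)), end="")
```

The emitted text is the file an admin would still have to upload; the post’s point is that this last step cannot be automated through the service itself.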

Apps being able to protect themselves and adapt to attacks would be a good addition to the GAE toolbox.
