Is this an attack?

97 views
Skip to first unread message

Guanaco Devs

unread,
Jun 28, 2022, 11:46:10 AM6/28/22
to Google App Engine
While checking the logs of my GAE flask app, I noticed that from June 3rd through June 10th there was a spike on traffick, which is highly unusual for my website.
I checked the logs and found the reason for that were 3 IP addresses:

94.154.188.130:   1045 Times,
176.103.88.57:      678 Times,
176.103.85.167:    1392 Times,

I have posted the requests on a gist HERE for the last one with 1392 requests. ipqualityscore says that this is a proxy based from russia, actually the 3 ips in question are from the same data center, and Ip Quality score has it on a 99 Fraud Score while scamalitycs shows nothing wrong, maybe because is a VPN or something of the likes.

According to the logs the first request was at 2022-06-04T08:50:45 with the last on that time frame was on 2022-06-10T01:03:42, so it was not a DOS attack, times between request were as long as 46 minutes and as frequent as 1 second in between. 

What was that? Was my site being attacked? Or maybe just a someone playing a penetration tester?

There were 1273 unique endpoints as listed in the gist above, 98% of them returned a 404. As of today 27+ days, my site has 486 hours usage, during the time frame for this hits, was 214.
That raised my bill by US$0.95, is not much but since I do not have traffic on my site I usually pay nothing for it. Of course, if I had more traffic, I wouldn't have noticed this.
It was only for close to 6 days if it was to be more frequent is just raising the bill for nothing.

How can you protect against this?

Best Regards

Osvaldo Lopez Acuña

unread,
Jun 29, 2022, 10:55:10 AM6/29/22
to Google App Engine

You can fill out this form [1] to report suspected abuse on Google Cloud Platform.

Also, as a workaround, you can block abusive IP addresses as established here [2]: you can use the App Engine firewall to block traffic to your app from IP addresses that present malicious intent or shield your app from denial of service attacks and similar forms of abuse. You can add IP addresses or subnetworks to a denylist so that requests routed from those addresses and subnetworks are denied before they reach your App Engine app.

[1]:https://support.google.com/code/contact/cloud_platform_report 

[2]:https://cloud.google.com/appengine/docs/standard/java/application-security#app_engine_firewall
Reply all
Reply to author
Forward
0 new messages