New pricing scheme and concerns about abuse

113 views
Skip to first unread message

Bay

unread,
Sep 11, 2011, 5:27:31 AM9/11/11
to google-a...@googlegroups.com
Say someone does not like a person behind one of the small/medium sized apps on app store (lets say 2-3 instances continously each day). For the sake of argument, say that it is me, but it could just as easily apply to any of you guys out there. 

What will stop a person of ill intend to make his own app engine app (or use any other similar service available on the web) and use this app to hit my small/medium sized app engine app with hundreds of asyncrone requests each second - forcing the number of instance of my application to skyhigh levels and thus - depending on budget settings - either 1) bill me hundreds of USD for a few hours, or 2) hitting the instance hour quota very, very quickly...

Such an "attack" could theoretically be made from another app engine app, possibly even under the free quota...

Under the old pricing scheme the latency would just go up (it happened a few times to me).

Possible solutions:
1) app engine team should provide an API for blacklist, so that I can programatically add IP's there
2) app engine team could make a setting to control "Max Number of Instances" [not just "max idle instances" - because they will not be idle]. A Max Number of Instances would of course make high latencies for all users on my app during an attack, but at least I wouldnt have to deal with hitting the quota levels => readjusting pricing => waiting for new ressources to be allocated => spending lots of time on damagecontrol + making the attacker happy...
3) any other ideas?

I am concerned. Please advise.

Daniel Florey

unread,
Sep 11, 2011, 8:00:48 AM9/11/11
to google-a...@googlegroups.com
Please star this issue.

Waleed Abdulla

unread,
Sep 11, 2011, 1:57:41 PM9/11/11
to google-a...@googlegroups.com
You're describing what's known as a denial of service attack. These attacks could happen to any Website on any platform. On GAE you're more protected, out of the box, than most other hosting solutions.

1. GAE automatically blocks IPs that it senses strange activity from. I've encountered this on two occasions when I tried to copy data from one of my other servers and hit my GAE app too fast. The block is removed automatically when activity goes back to normal.

2. You can block IPs from the dashboard. Look for the "blacklist" menu. It also shows the top IPs from which traffic comes. 

3. If you want to write your own code, you might find Brett's dos.py module useful. Brett wrote this for the PubSubHubbub project, but you can take it and use it in your project.



Waleed



--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/U_bUW2BUVj0J.
To post to this group, send email to google-a...@googlegroups.com.
To unsubscribe from this group, send email to google-appengi...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.

Bay

unread,
Sep 11, 2011, 2:52:17 PM9/11/11
to google-a...@googlegroups.com
I dont think you understand... The above specifically mentions - among other things - that 

1) there are no programatic apis to the blacklist 

2) the mechanisms to limit costs for a small app under a attack are much worse under the new billing system than under the old one...

hence:

- writing my own code as you suggest will therefore not prevent spawns of instances

- due to the billing of instances that we are unable to put a cap on GAE is less able to deal with the situation than - say - AWS EC2 or DotCloud

=> there is a real issue that needs to be dealt with, or any person with ill intend can take down any small GAE app very quickly (even using their own GAE app)

Please try to understand the details and the background of my concern - or GAE will very soon find itself a big-business-only platform.

Gerald Tan

unread,
Sep 11, 2011, 3:08:51 PM9/11/11
to google-a...@googlegroups.com
I believe you will be able to cap your daily total instance hours. If you use that and get DOSed, your app will continue to be responsive through the attack, but you may end up losing service when you reach your quota near the end of the billing day.

If you cap Active Instance (that's the orange line, since the blue line doesn't affect your billing) and get DOSed, your application will be unreachable during the attack, but will last to the end of the day.

So there's tradeoff for both methods of capping.


Bay

unread,
Sep 11, 2011, 3:19:54 PM9/11/11
to google-a...@googlegroups.com
"I believe you will be able to cap your daily total instance hours."

-- please tell me how to do this... currently there is only a setting to control max idle instances. During dos they will not be idle...

Gerald Tan

unread,
Sep 11, 2011, 3:26:41 PM9/11/11
to google-a...@googlegroups.com
Under Billing Settings.

Brandon Wirtz

unread,
Sep 11, 2011, 3:34:42 PM9/11/11
to google-a...@googlegroups.com

I serve “Denied” if IP matches X.  You don’t need Google For this.  I do the same thing if User Agent = X

 

This is a risk with any solution, from DreamHost to Amazon to RackSpace.   I can ruin your day regardless of platform.

--

Reply all
Reply to author
Forward
0 new messages