Hi!
I will use these abbreviations:
GFE: Google Frontend
APP: my app engine app (java11 with jetty embedded web server)
I try to make GFE drop an http request. I need this when I rate limit in my APP against bad actors (even if they happen to be good, I choose service denial over wallet drain). Also, when my APP receives some request from a clearly bad actor I just want to ignore this request (I do not care about servlet specifications and such, I do not want to pay a horrible bill).
I tried plenty of things, making Jetty return different HTTP status codes or making Jetty drop the request. GFE still replies to all. The minimum reply is around 100 bytes since GFE adds 5 response headers... but I just encountered this reply from GFE when Jetty terminates the connection (700 bytes(!!!) and I pay for an unwanted reply, unwanted response headers, unwanted error message and 5 repeated comments(!!!!!) it is outrageous!):
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
So my questions are:
1. how can I drop/ignore requests to my(!) app that I think come from bad actors and just drain my wallet. If there is no way, I really want to have a feature to tell GFE to just abort the connection (or an explanation why this is not possible).
2. how can I minimize the size of the reply? I.e. make GFE not add any response headers or at most the Date header. If there is no way, I really want to have a feature to tell GFE since the http spec does not call any response headers a MUST (practically the Date header is but if bad actors can misuse the http protocol I want to be able to defend myself and minimize my costs).
My problems are rather of financial nature. I trust GFE to mitigate big DDoS attacks. But I see how GFE just lets plenty of requests from curl(!) to bomb my APP and drain my resources/wallet. I really need methods to skip requests OR if GFE does not want it I SHOULD NOT pay for those I think come from bad actors.
Thanks!
ps: in the documentation of App Engine they say defending against Layer 7 attacks (http flood, wallet drain) is common(!) responsibility. I do my job and I find it OK that GFE lets plenty of requests reach my app, even if they are clearly not from a browser or so (testing). However, if GFE always sends a reply, where I pay a small amount through outgoing bandwidth, I cannot defend myself unless I can tell GFE to drop or minimize reply (size).