make GFE drop/abort/ignore http connection without reply & make GFE minimize response headers (reply size)


Waltraud Siller

Jun 20, 2021, 6:29:23 AM
to Google App Engine
Hi!
I will use these abbreviations:
GFE: Google Frontend
APP: my app engine app (java11 with jetty embedded web server)

I try to make GFE drop an http request. I need this when I rate limit in my APP against bad actors (even if they happen to be good, I choose service denial over wallet drain). Also, when my APP receives some request from a clearly bad actor I just want to ignore this request (I do not care about servlet specifications and such, I do not want to pay a horrible bill).

I tried plenty of things, making Jetty return different HTTP status codes or making Jetty drop the request. GFE still replies to all. The minimum reply is around 100 bytes since GFE adds 5 response headers... but I just encountered this reply from GFE when Jetty terminates the connection (700 bytes(!!!) and I pay for an unwanted reply, unwanted response headers, unwanted error message and 5 repeated comments(!!!!!) it is outrageous!):
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->


So my questions are:
1. how can I drop/ignore requests to my(!) app that I think come from bad actors and just drain my wallet. If there is no way, I really want to have a feature to tell GFE to just abort the connection (or an explanation why this is not possible).

2. how can I minimize the size of the reply? I.e. make GFE not add any response headers or at most the Date header. If there is no way, I really want to have a feature to tell GFE since the http spec does not call any response headers a MUST (practically the Date header is but if bad actors can misuse the http protocol I want to be able to defend myself and minimize my costs).

My problems are rather of a financial nature. I trust GFE to mitigate big DDoS attacks. But I see how GFE just lets plenty of requests from curl(!) bomb my APP and drain my resources/wallet. I really need methods to skip requests OR if GFE does not want it I SHOULD NOT pay for those I think come from bad actors.

Thanks!
ps: in the documentation of App Engine they say defending against Layer 7 attacks (http flood, wallet drain) is a common(!) responsibility. I do my job and I find it OK that GFE lets plenty of requests reach my app, even if they are clearly not from a browser or so (testing). However, if GFE always sends a reply, where I pay a small amount through outgoing bandwidth, I cannot defend myself unless I can tell GFE to drop or minimize the reply (size).

Roberto Carbajales (Google Cloud Platform Support)

Jun 22, 2021, 10:16:08 AM
to Google App Engine
Hello, 

After searching for a while I noticed that you already created some public issue tracker entries with feature requests that are the same as the questions that you have in this group. Here [1], in this public issue tracker, the engineering team is already aware of your request; we just need to wait for them and we could continue the discussion there.

Hope this solves your answer.
Best regards.

-------

Waltraud Siller

Jun 22, 2021, 2:41:05 PM
to Google App Engine
Hi!
Indeed, I created 3 issues:
issue-72 corresponds to my question 1 (and now cannot be seen, access is denied... I don't know why)
issue-73 is assigned, and issue-74 is related to 73 so they were merged

First I thought what I wanted must be possible but I guess it is not. Then I found the issue tracker and formulated these feature requests.

If anybody has a comment, please continue there to avoid duplicates.

Thanks for your reply!

Roberto Carbajales (Google Cloud Platform Support)

Jun 23, 2021, 5:56:37 AM
to Google App Engine
Hello again,

The one that you don't have access to is expected, since it is internal to Google, and when there is any update you will see it on the public issue tracker as well, and the groups will not be needed any more.

Best regards.
