Where or how to report abuse of Google IDs?


SuSu PePe

May 19, 2014, 8:34:30 PM5/19/14
to google-a...@googlegroups.com

I have a couple of Android apps on the Play Store, which use In-App purchases. I use Google App Engine for my back end. Usually, the apps call the API very occasionally, but I see some users calling the APIs abnormally/repeatedly (maybe to reverse engineer or hack? using a script?). I can figure out the IP address, Gmail ID, etc. How to prevent these people from accessing my API?

One suggestion is to use dos.xml

But these morons seem to constantly change the IP addresses, so it is painful to keep updating this list.

  • Is there a way in App Engine to black list users? or computers/devices?
  • If we know the Google (Gmail) IDs of these ba*t*r*s, how/where do we report those? This page seems to be the right place to start, but it is not clear where to send email. Actually, I sent an email to ab...@gmail.com, but not sure if anyone takes any action.
  • This page seems to be more appropriate for vulnerabilities, but this is not such a case.
  • The "Viewing top users in the Administration Console" section in the DoS page says I should see a table of IP addresses which are using the API frequently. But I don't see such a table in the Admin console. Do I need to be a paid (Google App Engine) user?

Any help is greatly appreciated. I can post the email addresses and IP addresses if it is helpful for others. These seem to originate from all over the world! (US, Brazil, Colombia, Israel, ...)

PS:
I posted a couple of questions regarding the same on StackOverflow, but did not get any help.

http://stackoverflow.com/questions/23728621/blacklisting-on-google-app-engine-users-or-devices-and-not-just-ip-addresses

http://stackoverflow.com/questions/23732312/where-to-report-gmail-google-id-abuse

Vinny P

May 20, 2014, 3:14:08 AM5/20/14
to google-a...@googlegroups.com
On Mon, May 19, 2014 at 7:34 PM, SuSu PePe <pskr...@gmail.com> wrote:

I have a couple of Android apps on the Play Store, which use In-App purchases. I use Google App Engine for my back end. Usually, the apps call the API very occasionally, but I see some users calling the APIs abnormally/repeatedly (maybe to reverse engineer or hack? using a script?). I can figure out the IP address, Gmail ID, etc. How to prevent these people from accessing my API?

One suggestion is to use dos.xml

Are you getting abuse from other App Engine applications or external hosts? If it's other applications, you can block by the header User-Agent information.

If it's from external hosts, yes the best option is to use the anti-DOS tool, but another good option is to sign up for Cloudflare and use their tools to block malicious requests: https://support.cloudflare.com/hc/en-us/articles/200171416-How-do-I-block-bots-and-crawlers- . And yes, using Gmail's abuse@ email is the correct way to report issues, but you can also try commenting on Gmail's product forum: https://productforums.google.com/forum/#!forum/gmail

One last thing: have you tried reaching out to the abusive users you've identified and asking them if they're running into any issues? Perhaps these malicious-looking requests are an installation issue, or some other problem.
-----------------
-Vinny P
Technology & Media Advisor
Chicago, IL

App Engine Code Samples: http://www.learntogoogleit.com

SuSu PePe

May 20, 2014, 6:04:29 AM5/20/14
to google-a...@googlegroups.com
It is from Android devices with a valid Google user login - since I am using the Google Users API and OAuth for authentication. I don't understand how they are able to make (or use my app to make) those calls so frequently.

I don't think it is because they are running into issues. As I update my dos.xml, they change IP and retry.

Are you a Google employee? I wonder since you are recommending Cloudflare. Can't Google disable these IDs (or block those IPs)? (I can provide logs. Since I am using Google App Engine, Google can verify it themselves if I give my project ID.)

If the Google App Engine platform blocks these people, it may help a lot of other people using Google App Engine as their backend.

Thanks

Vinny P

May 20, 2014, 8:23:18 AM5/20/14
to google-a...@googlegroups.com
On Tue, May 20, 2014 at 5:04 AM, SuSu PePe <pskr...@gmail.com> wrote:
It is from Android devices with a valid Google user login - since I am using the Google Users API and OAuth for authentication. I don't understand how they are able to make (or use my app to make) those calls so frequently.

Are you a Google employee? Can't Google disable these IDs (or block those IPs)? (I can provide logs. Since I am using Google App Engine, Google can verify it themselves if I give my project ID.)

I don't work for Google. I don't represent Google in any way, shape, or form.

I recommended Cloudflare because they have anti-DOS and rate limiting tools available - many App Engine applications use Cloudflare already for those same benefits. You can read this forum's archive for more details.

In regards to Google disabling/blocking, you'd have to ask an actual Google employee what they can do. But I expect that this is more of a Google User accounts issue than an App Engine issue. As I said before, the proper venues for reporting are the ab...@gmail.com address or the Gmail product forum. You can also try filing a production App Engine ticket at https://code.google.com/p/googleappengine/issues/entry?template=Production%20issue

Lastly, you might want to try implementing rate limiting in your web app and starring this issue: Issue 6733 Rate Limiting For DOS attacks.
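The rate limiting suggested above, keyed on the authenticated Google user rather than the client IP (which, as the thread notes, the abusive clients keep changing). This is an added example, not code from the thread or from App Engine; the in-memory dict stands in for memcache/datastore, and the limit, window and status codes are assumed values.

```python
"""Per-user rate limit plus manual blocklist for an App Engine style API backend.

Added example (not from the thread). The key is the user id the backend already
has from the Users API / OAuth login, so changing IP addresses does not reset
the limit. The dict store is a stand-in for memcache; limits are assumptions.
"""
import time
from collections import deque

WINDOW_SECONDS = 60        # sliding window length (assumed)
MAX_CALLS_PER_WINDOW = 30  # calls one user may make per window (assumed)


class UserRateLimiter:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_CALLS_PER_WINDOW, clock=time.time):
        self.window = window
        self.limit = limit
        self.clock = clock          # injectable for tests
        self._calls = {}            # user_id -> deque of request timestamps
        self.blocked = set()        # user ids denied outright (manual blocklist)

    def block_user(self, user_id):
        """Add an identified abusive account to the blocklist."""
        self.blocked.add(user_id)

    def check(self, user_id):
        """Return (allowed, reason); records the call only when it is allowed."""
        if user_id is None:
            return False, "unauthenticated"
        if user_id in self.blocked:
            return False, "blocked"
        now = self.clock()
        q = self._calls.setdefault(user_id, deque())
        while q and q[0] <= now - self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False, "rate_limited"
        q.append(now)
        return True, "ok"


def handle_api_call(limiter, user_id, request_ip, log):
    """Return an HTTP status for one API call; denied calls are logged with
    user id and IP so there is evidence to attach to an abuse report."""
    allowed, reason = limiter.check(user_id)
    if not allowed:
        log.append("deny user=%s ip=%s reason=%s" % (user_id, request_ip, reason))
        return 429 if reason == "rate_limited" else 403
    return 200
```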

SuSu PePe

May 20, 2014, 12:40:51 PM5/20/14
to google-a...@googlegroups.com
In regards to Google disabling/blocking, you'd have to ask an actual Google employee what they can do. But I expect that this is more of a Google User accounts issue than an App Engine issue. As I said before, the proper venues for reporting are the ab...@gmail.com address or the Gmail product forum. You can also try filing a production App Engine ticket at https://code.google.com/p/googleappengine/issues/entry?template=Production%20issue

Lastly, you might want to try implementing rate limiting in your web app and starring this issue: Issue 6733 Rate Limiting For DOS attacks.

Thank you very much for your kind help and pointers. Appreciate it.