Question

There were a lot of DoS attempts on my GAE app, which I couldn't reduce or combine into fewer than 100 subnets to fit the restriction. Is there a way I can block more than 100 subnets?

If by any chance the Google App Engine team is reading this, I'd like to say I really love GAE, but the way of blocking IPs now is inefficient. There should be features to help app owners block IPs dynamically, in terms of request rate or something smarter.


Solution

It's pretty simple to create your own dynamic rate limiting with Guice and Sitebricks. Using method interceptors, you could count the number of requests per IP address per servlet. Those counters can be stored in memcache and used to fail requests fast based on your own rules. Those can be completely application specific.

// Imports the snippet needs (Guice, AOP Alliance and the Sitebricks headless API)
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
import com.google.inject.matcher.Matchers;
import com.google.sitebricks.At;
import com.google.sitebricks.headless.Reply;
import com.google.sitebricks.headless.Request;
import com.google.sitebricks.headless.Service;
import com.google.sitebricks.http.Get;

// Marker annotation for rate-limited handlers; Guice method interception
// only sees annotations with RUNTIME retention
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface IpRateLimited {}

@Service
class Servlet {
    @Get
    @At("/your/servlet")
    @IpRateLimited
    public Reply<?> foo(Request request) {
        return Reply.with("Hello World");
    }
}

class IpBasedRateLimiter implements MethodInterceptor {
    public Object invoke(final MethodInvocation invocation) throws Throwable {
         // Inspect the request argument on the invoked method to get the IP address;
         // isDenialOfServiceAttempt() is the application-specific check described
         // above (per-IP, per-servlet counter kept in memcache)
         if (isDenialOfServiceAttempt(invocation)) {
             // Fail the request fast, before any handler logic runs
             return Reply.saying().error();
         } else {
             // Continue executing the original request
             return invocation.proceed();
         }
    }
}

...
// Inside your AbstractModule.configure(): apply the interceptor to every
// method carrying @IpRateLimited, on any class
bindInterceptor(Matchers.any(), Matchers.annotatedWith(IpRateLimited.class),
    new IpBasedRateLimiter());
...

You would still have to pay for the CPU time used to detect the DoS attempt. But as long as your algorithm is aggressive enough, those costs will be minimal, e.g. one memcache get and checking a condition. This is what I would do until GAE provides their own dynamic DoS protection.
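The answer leaves the actual counting rule to the application. As an added example (not code from the answer or from Sitebricks/GAE), the following Python shows the per-IP, per-servlet counter the answer describes: a fixed-window count kept under a memcache-style key, incremented once per request, with the request failed fast once the count exceeds a limit. `FakeMemcache` is a constructed stand-in for a memcache client (GAE's memcache offers a comparable atomic increment with an initial value and an expiry); the traffic in `SAMPLE_REQUESTS` is constructed, and the IPs are documentation ranges.

```python
"""Per-IP fixed-window rate limiter backed by a memcache-style counter.

Added example; not code from the original answer. FakeMemcache is a
constructed stand-in for a real memcache client.
"""
import time


class FakeMemcache:
    """Constructed stand-in for memcache: atomic increment with expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._data = {}  # key -> (value, expires_at)

    def incr(self, key, delta=1, initial_value=0, ttl=60):
        now = self._clock()
        value, expires_at = self._data.get(key, (None, 0.0))
        if value is None or expires_at <= now:
            # Key absent or expired: restart from initial_value with a fresh TTL
            value, expires_at = initial_value, now + ttl
        value += delta
        self._data[key] = (value, expires_at)
        return value


class IpRateLimiter:
    """Allow at most `limit` requests per client IP per servlet path in each
    `window`-second bucket. Cost per request: one memcache increment."""

    def __init__(self, cache, limit=20, window=10, clock=time.time):
        self.cache = cache
        self.limit = limit
        self.window = window
        self._clock = clock

    def allow(self, ip, path):
        bucket = int(self._clock() // self.window)
        key = "rl:%s:%s:%d" % (path, ip, bucket)
        # TTL of two windows so stale buckets evict themselves
        count = self.cache.incr(key, initial_value=0, ttl=self.window * 2)
        return count <= self.limit


def handle(limiter, ip, path):
    """Fail fast with 429 before any application logic runs."""
    if not limiter.allow(ip, path):
        return 429, "Too Many Requests"
    return 200, "Hello World"


def simulate(requests, limit=5, window=10):
    """Replay (timestamp, ip, path) tuples against a limiter on a fake clock
    and return the status code each request received."""
    now = [0.0]
    clock = lambda: now[0]
    limiter = IpRateLimiter(FakeMemcache(clock), limit=limit, window=window, clock=clock)
    statuses = []
    for t, ip, path in requests:
        now[0] = float(t)
        statuses.append(handle(limiter, ip, path)[0])
    return statuses


# Constructed sample traffic: one noisy client (198.51.100.7) sends seven
# requests inside the first 10-second window, a normal client sends one,
# and the noisy client returns after the window has rolled over.
SAMPLE_REQUESTS = [
    (0, "198.51.100.7", "/your/servlet"),
    (1, "198.51.100.7", "/your/servlet"),
    (2, "198.51.100.7", "/your/servlet"),
    (3, "203.0.113.9", "/your/servlet"),
    (3, "198.51.100.7", "/your/servlet"),
    (4, "198.51.100.7", "/your/servlet"),
    (5, "198.51.100.7", "/your/servlet"),
    (6, "198.51.100.7", "/your/servlet"),
    (12, "198.51.100.7", "/your/servlet"),
]

if __name__ == "__main__":
    for req, status in zip(SAMPLE_REQUESTS, simulate(SAMPLE_REQUESTS)):
        print(req, status)
```

With `limit=5`, the sixth and seventh requests from the noisy client in the first window are rejected while the other client is unaffected, and the counter resets in the next window. Two design points worth keeping in mind: a fixed window lets a client spend up to twice the limit across a window boundary (weighting the previous bucket's count gives a sliding window at the cost of a second read), and the key should be built from the remote address the platform's frontend reports rather than a client-supplied header. If the goal is the subnet-level blocking the question asks about, keying on the /24 prefix instead of the full address gives the same per-request cost.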

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow