It's pretty simple to create your own dynamic rate limiting with Guice and Sitebricks. Using method interceptors, you could count the number of requests per IP address per servlet. Those counters can be stored in memcache and used to fail requests fast based on your own rules. Those can be completely application specific.
@Service
class Servlet {
@Get
@At("/your/servlet")
@IpRateLimited
public Reply<?> foo(Request request) {
return Reply.with("Hello World");
}
}
class IpBasedRateLimiter implements MethodInterceptor {
public Object invoke(final MethodInvocation invocation) throws Throwable {
// Inspect the request argument on the invoked method to get the IP address
if (isDenialOfServiceAttempt(invocation)) {
// Fail the request
return Reply.saying().error();
} else {
// Continue executing the original request
return invocation.proceed();
}
}
}
...
bindInterceptor(Matchers.any(), Matchers.annotatedWith(IpRateLimited.class),
new IpBasedRateLimiter());
...
You would still have to pay for the CPU time used to detect the DOS attempt. But as long as your algorithm is aggressive enough, those costs will be minimal e.g. one memcache get and checking a condition. This is what I would do until GAE provides their own dynamic DOS protection.