I don't know about DOS protection. Both timeout and DOS are well known
issues. Which is more urgent may depend on the comparison with
services from other companies.

The only unique issue of DOS on AppEngine is quotas. However, quotas
will be soft limits you can cross, and they are individual
configuration numbers which may be easily adjusted.

Timeout is a hard limit, which means terminated. Also timeout may relate
to the whole AppEngine infrastructure and performance, and cannot be
adjusted easily.

Guess Google already has some efforts going on. Just don't know their
strategy and roadmap.
So don't know how to prepare my plans on AppEngine accordingly.

Scott



On Sep 12, 8:06 pm, Tony Smith <[EMAIL PROTECTED]> wrote:
> It's not about paying less attention. About the timeout you can do
> something (split the requests etc.).
>
> About the Denial of Service attack you can't really do anything. If
> somebody wants you out of the picture all they have to do is simulate
> 100 users and in 10 minutes you're out.
>
> Are there any plans to block certain IPs from accessing an
> application?
>
> Thanks,
> Tony
>
> On Sep 12, 3:58 pm, scottxu <[EMAIL PROTECTED]> wrote:
>
>
>
> > Don't know why people pay less attention to timeout. To keep requests
> > minimal, then much application logic has to be removed from AppEngine.
> > Httpmr actually increases client-side logic, or you can say "move"
> > logic complication from server to client.
>
> > AppEngine and httpmr are good at data-collection. However guess Google
> > wants them to do more than data-collection. Applications based on
> > large-scale data potentially could need complicated logic. More
> > features, more logic.
>
> > For DOS, if people have deep knowledge of AppEngine, they may find
> > some solutions. However, such solutions could be complicated and cause
> > timeout. So, that's why I am concerned by timeout.
>
> > Scott
>
> > On Sep 12, 11:57 am, Tony Smith <[EMAIL PROTECTED]> wrote:
>
> > > Timeout is not an issue if the requests are minimal. And you can
> > > control what the user can request from your application.
>
> > > The MAJOR concern is DOS.
> > > I have created a script that would request the main page of my app
> > > (which now it is a static page that says: home).
> > > I basically simulated 100 users requesting the static home page over
> > > and over again at the same time. In less than 3 minutes my application
> > > was down (over quota). I didn't even go through the trouble to have
> > > several hosts hit the servers. Everything was done from my laptop...
> > > It is TOO easy to take down a GAE application.
>
> > > I understand that the AppEngine is offered as a free, "as-is" service,
> > > but being at the mercy of any kid with a laptop and a DSL line is not
> > > really good for anybody.
>
> > > Thanks,
> > > Tony
>
> > > On Sep 12, 2:28 pm, scottxu <[EMAIL PROTECTED]> wrote:
>
> > > > I don't know the status of these issues. Timeout and DDOS are two
> > > > concerns for me.
>
> > > > To prevent timeout, applications have to check timer very quickly
> > > > and break the request processing aggressively, which looks like
> > > > > a DDOS :-). Even worse, it's difficult to guarantee the loop between
> > > > timer-checking is less than timeout. Failing this, the request will
> > > > not be processed unless you modify the application.
>
> > > > Hope I am wrong, or hope to see solutions for these issues will
> > > > come out soon.
>
> > > > Scott
>
> > > > On Sep 12, 11:10 am, Tony Smith <[EMAIL PROTECTED]> wrote:
>
> > > > > Yes, it needs to be at a very low level.
>
> > > > > In my infrastructure, when the system is detecting a DOS attack it
> > > > > creates a firewall rule on the offending IP address. This rule will
> > > > > expire in a few minutes. If the DOS continues after the few minutes
> > > > > > then an hour long restriction is imposed. If after an hour the DOS is
> > > > > > still active then a permanent restriction is created and an admin is
> > > > > > notified. The admin then researches the attack and if it proves to be
> > > > > of malicious intent (not some misconfiguration on the software) then
> > > > > we take it up with the ISP.
>
> > > > > Does Google have (currently or in plan) something similar that will
> > > > > help address the DOS issues? You go through all the trouble to launch
> > > > > an application and then they take it down through DOS... this would
> > > > > really look bad for a start-up website not to mention Google. Well,
> > > > > actually Google's GAE wouldn't be that affected because the users will
> > > > > > assume that the application went over its quota. The normal users
> > > > > would not know of the DOS attack.
>
> > > > > Thanks,
> > > > > Tony
>
> > > > > On Sep 12, 1:24 pm, uprise78 <[EMAIL PROTECTED]> wrote:
>
> > > > > > Rich, correct me if I'm wrong but that code you sent will add a new
> > > > > > read and a new write to every page hit and on top of that if the
> > > > > > person is banned they will still be able to reach the webpage and
> > > > > > > cause it to perform this same read/write.  I think DDOS attack
> > > > > > protection needs to be done on a much lower level than that.
>
> > > > > > On Sep 12, 10:21 am, Rick Thomas <[EMAIL PROTECTED]> wrote:
>
> > > > > > > I noticed this code
>
> > > > > > > > http://code.google.com/p/pyib/source/browse/trunk/usercontrol.py
>

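The escalation scheme Tony describes in the quoted message (a block that expires in a few minutes, then an hour-long one, then a permanent block with an admin notified), sketched as an added Python example; it is not code from any poster in the thread or from App Engine. The detection threshold, the 5-minute first block, the reset period and all names are assumptions, and state is kept in memory rather than in the datastore.

```python
from collections import defaultdict, deque

# Block durations in seconds. The post says "a few minutes", "an hour" and
# "permanent"; 5 minutes is an assumed value for the first rung.
LADDER = [5 * 60, 60 * 60, float("inf")]
WINDOW, MAX_HITS = 10, 100  # assumed detector: more than 100 hits in 10 s
RESET_AFTER = 15 * 60       # assumed quiet period that clears an IP's history


class EscalatingBlocker:
    def __init__(self, notify_admin):
        self.hits = defaultdict(deque)  # ip -> timestamps inside the window
        self.rung = {}                  # ip -> next LADDER index to apply
        self.until = {}                 # ip -> when the current block ends
        self.notify_admin = notify_admin

    def allow(self, ip, now):
        """Return True to serve the request, False to drop it."""
        until = self.until.get(ip)
        if until is not None:
            if now < until:
                return False            # block still in force
            if now - until > RESET_AFTER:
                del self.until[ip]      # stayed quiet: start over
                self.rung.pop(ip, None)
        recent = self.hits[ip]
        recent.append(now)
        while recent[0] <= now - WINDOW:
            recent.popleft()
        if len(recent) <= MAX_HITS:
            return True
        # Flood detected: apply the next rung, capped at permanent.
        rung = min(self.rung.get(ip, 0), len(LADDER) - 1)
        self.rung[ip] = rung + 1
        self.until[ip] = now + LADDER[rung]
        recent.clear()
        if LADDER[rung] == float("inf"):
            self.notify_admin(ip)       # a human reviews permanent blocks
        return False


def flood(blocker, ip, start, n=MAX_HITS + 1):
    """Constructed traffic: n requests 10 ms apart; returns the last verdict."""
    verdict = True
    for i in range(n):
        verdict = blocker.allow(ip, start + i * 0.01)
    return verdict
```

Run inside the application, a check like this still does work on every request, which is the objection raised in the thread; the scheme belongs in a firewall or front-end layer.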