You're describing what's known as a denial of service attack. These attacks
could happen to any Website on any platform. On GAE you're more protected,
out of the box, than most other hosting solutions.

1. GAE automatically blocks IPs that it senses strange activity from. I've
encountered this on two occasions when I tried to copy data from one of my
other servers and hit my GAE app too fast. The block is removed
automatically when activity goes back to normal.

2. You can block IPs from the dashboard. Look for the "blacklist" menu. It
also shows the top IPs from which traffic comes.

3. If you want to write your own code, you might find Brett's dos.py module
useful. Brett wrote this for the PubSubHubbub project, but you can take it
and use it in your project.

http://code.google.com/p/pubsubhubbub/source/browse/trunk/hub/dos.py


Waleed



On Sun, Sep 11, 2011 at 2:27 AM, Bay <troels...@gmail.com> wrote:

> Say someone does not like a person behind one of the small/medium sized
> apps on app store (let's say 2-3 instances continuously each day). For the
> sake of argument, say that it is me, but it could just as easily apply to
> any of you guys out there.
>
> What will stop a person of ill intent from making his own app engine app (or
> using any other similar service available on the web) and using this app *to
> hit my small/medium sized app engine app with hundreds of asynchronous requests
> each second - forcing the number of instances of my application to sky-high
> levels and thus - depending on budget settings - either 1) bill me hundreds
> of USD for a few hours, or 2) hitting the instance hour quota very, very
> quickly...*
>
> Such an "attack" could theoretically be made from another app engine app,
> possibly even under the free quota...
>
> Under the old pricing scheme the latency would just go up (it happened a
> few times to me).
>
> Possible solutions:
> 1) app engine team should provide an API for blacklist, so that I can
> programmatically add IPs there
> 2) app engine team could make a setting to control "Max Number of
> Instances" [not just "max idle instances" - because they will not be idle].
> A Max Number of Instances would of course make high latencies for all users
> on my app during an attack, but at least I wouldn't have to deal with hitting
> the quota levels => readjusting pricing => waiting for new resources to be
> allocated => spending lots of time on damage control + making the attacker
> happy...
> 3) any other ideas?
>
> I am concerned. Please advise.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/google-appengine/-/U_bUW2BUVj0J.
> To post to this group, send email to google-appengine@googlegroups.com.
> To unsubscribe from this group, send email to
> google-appengine+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/google-appengine?hl=en.
>
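
An added example, not part of the thread and not Brett's dos.py: a minimal in-application per-IP throttle of the kind point 3 of the reply refers to, which blocks an IP that exceeds a request rate and lifts the block automatically once it expires. The class name `IpThrottle`, the thresholds and the process-local dicts are assumptions; on App Engine the counters would have to live in a shared store such as memcache so that every instance sees the same counts.

```python
import time


class IpThrottle:
    """Fixed-window request counter per client IP with a temporary block."""

    def __init__(self, max_requests=20, window=1.0, block_seconds=60.0,
                 clock=time.monotonic):
        self.max_requests = max_requests    # allowed requests per window
        self.window = window                # window length in seconds
        self.block_seconds = block_seconds  # how long an offender stays blocked
        self.clock = clock                  # injectable so tests can fake time
        self._counts = {}                   # ip -> (window_start, count)
        self._blocked = {}                  # ip -> time the block ends

    def allow(self, ip):
        """Return True if the request may proceed, False if it is rejected."""
        now = self.clock()
        until = self._blocked.get(ip)
        if until is not None:
            if now < until:
                return False                # still blocked: reject cheaply
            del self._blocked[ip]           # block expired, lift it
        start, count = self._counts.get(ip, (now, 0))
        if now - start >= self.window:      # window elapsed: start a new one
            start, count = now, 0
        count += 1
        self._counts[ip] = (start, count)
        if count > self.max_requests:
            self._blocked[ip] = now + self.block_seconds
            return False
        return True

    def status_for(self, ip):
        """HTTP status a handler would send: 200 to proceed, 429 to reject."""
        return 200 if self.allow(ip) else 429


if __name__ == "__main__":
    # Constructed input: 203.0.113.7 floods, 198.51.100.2 sends one request.
    throttle = IpThrottle(max_requests=3, window=1.0, block_seconds=10.0)
    print([throttle.status_for("203.0.113.7") for _ in range(5)])
    print(throttle.status_for("198.51.100.2"))
```

Call `allow()` before any datastore or other billable work in the handler so a rejected request costs as little as possible; the dicts grow with the number of distinct IPs and need periodic pruning in a long-lived process.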
