Not a new subject, but I found no clear answer and it would be nice to get 
an answer from experts:
I have problems with DDoS attacks and quotas.

I considered developing a Google app accessed by many client applications, 
but I decided to give up because I think there is not enough protection 
against denial-of-service attacks. 
I mean, I suppose Google is able to detect and protect Google apps from 
a massive DDoS attack, but a sort of "soft" DDoS can't be detected and would 
consume all the HTTP quotas of my app.
By creating Google accounts for the application I could better control access, but 
my app was intended to serve from 5000 up to 50000 clients or more 
without using Google accounts.
The only barrier to DoS attacks I found seems to me to be weak: a blacklist of 
100 IP address entries that must be written manually is not enough.
Am I wrong? Is there something else I can do?
Can anyone advise?

Here is something I would have liked to use if it existed.
Applications like the one I was about to write can easily detect an attack; 
it would be nice to have a Google API to ask the infrastructure to lock an 
IP address for some hours.

Another and safer implementation approach could be to allow the Google 
app to create "micro" Google accounts. I mean that at present there are APIs 
to programmatically create accounts, 
but each account\user costs 40 euros and this is too much for my 
application. Moreover, I don't need a real user with mail service and 
huge disk space; I just need a way to let the Google infrastructure log in a 
user for my app.
Then I need functions to revoke user accounts programmatically as fast as I 
detect an attack.
In this way, when my app gets some kind of violation it could immediately 
block the related user and the app won't be bugged any longer by it. 
In this scenario a DDoS attack would be harder because it would need to use 
real accounts.
Without real accounts the attack would be a problem only for the Google 
infrastructure, which I DO HOPE is already prepared to deal with it (am I too 
optimistic?).
In case of an attack with real accounts I could lock them, and I know exactly 
in advance the maximum quotas I might spend under attack (that is, the task 
of revoking all the issued users).

It would be nice if this kind of user account were treated as a billable 
quota comparable in pricing to HTTP traffic or datastore space.

I've understood that the Amazon EC2 service doesn't offer anything against DDoS 
attacks, but I think Google already has tools to offer barriers; maybe it 
would be of some help to supply functionalities like the ones listed above.

Thank you for your attention
Francesco Sana
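
The in-application detection and "lock an IP address for some hours" idea from the post, sketched as an added example (not part of the original message and not a Google API). The class, its thresholds and the in-memory storage are assumptions; a locked request has still reached the application, so this limits per-request work rather than incoming traffic.

```python
import time
from collections import defaultdict, deque

BLACKLIST_LIMIT = 100  # size of the manual IP blacklist mentioned in the post


class SoftDosGuard:
    """Per-IP sliding-window counter with a temporary lock (hypothetical helper).

    State is kept in process memory for illustration; a multi-instance
    deployment would need shared storage and eviction of idle entries.
    """

    def __init__(self, max_requests=20, window_s=10, lock_s=3 * 3600, clock=time.time):
        self.max_requests = max_requests    # requests allowed per window
        self.window_s = window_s            # sliding window length in seconds
        self.lock_s = lock_s                # lock duration ("some hours")
        self.clock = clock                  # injectable clock for testing
        self.hits = defaultdict(deque)      # ip -> timestamps inside the window
        self.locked_until = {}              # ip -> time at which the lock expires
        self.violations = defaultdict(int)  # ip -> number of times it was locked

    def allow(self, ip):
        """Return True if the request should be served, False if the IP is locked."""
        now = self.clock()
        expiry = self.locked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False                # reject before doing any costly work
            del self.locked_until[ip]       # lock expired, give the IP a fresh start
        window = self.hits[ip]
        while window and window[0] <= now - self.window_s:
            window.popleft()                # drop timestamps that left the window
        window.append(now)
        if len(window) > self.max_requests:
            self.locked_until[ip] = now + self.lock_s
            self.violations[ip] += 1
            window.clear()
            return False
        return True

    def blacklist_candidates(self, limit=BLACKLIST_LIMIT):
        """Worst repeat offenders first, capped to what a fixed-size blacklist holds."""
        ranked = sorted(self.violations.items(), key=lambda kv: (-kv[1], kv[0]))
        return [ip for ip, _ in ranked[:limit]]
```

Calling `allow()` at the top of a request handler keeps the expensive work (datastore reads, outbound calls) away from locked clients, and `blacklist_candidates()` shows which addresses deserve one of the limited manual blacklist slots.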
