Google App Engine and dos.xml

I understand that the only way to really mitigate a DDoS attack is to automate the process of blacklisting IP addresses / ranges.

The Google App Engine (GAE) allows you to configure and download the dos.xml file and specify IP addresses / ranges in the blacklist at any given time.

Obviously, if my web application is under a well-organized DDoS attack, the IP addresses / ranges that will attack me will constantly change.

How often does GAE let me update dos.xml? How long does it take for a change to take effect? I ask because I am developing an AutoBlacklister system that checks for IP addresses that it thinks are intruders and will dynamically update dos.xml. If there are more than 100 attackers (GAE limits you to 100 addresses / ranges), then only the top 100 “worst offenders” will be on the list.

But if dos.xml can only be updated at a certain frequency (for example, once a day, etc.), and if it takes too long (more than a few minutes!) to take effect, then this system is pretty much useless against real DDoS.

Furthermore, this question suggests that there is a way to automate loading dos.xml: is there? I would suggest that there is a secure URL that I could download a file with something like HttpClient, but with GAE you never know what conditions / limitations you will encounter! Thanks in advance!

+6
2 answers

Blacklisting IP addresses is not a 100% method for preventing DDoS, for reasons such as:

A.) Botnet DDoS will use legitimate IP addresses (i.e. Trojan Botnet), in which case blocking IP addresses will also prevent access from legitimate users.

B.) It will do nothing against a DDoS attack on the network (i.e. SYN Flood) - an attack that uses fake IP addresses and does not even have to establish a full two-way connection for DDoS to work. (To stop this, you will need to have some kind of reverse front gate proxy to prevent access until a full 2-connection is established → ACK is received.)

For complete DDoS protection, you will need to have a sufficiently large “channel”, either investing in hardware (too expensive and, as a rule, not cost-effective), or in a front gate proxy server that will balance additional traffic, allowing you to fully function (e.g. Cloud proxy).

+1

You can update dos.xml through AppCfg. You can update this file without completely redistributing the server, which is an expensive process. As far as I know, there are no restrictions on how often this update can be performed.

Full deployment has a limit described here:

How many times the application has been downloaded by the developer. The current quota is 1000 per day.

+2
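
The generation step the question describes (rank offenders, keep the top 100, emit dos.xml), added here as an example; it is not code from the question or from either answer. The function names, the threshold, the `never_block` allowlist and the sample counts are assumptions; the `blacklistentries` / `blacklist` / `subnet` layout is the dos.xml format of the App Engine Java runtime.

```python
import ipaddress
from collections import Counter
from xml.etree import ElementTree as ET

MAX_ENTRIES = 100  # limit on addresses / ranges stated in the question

# Constructed sample: (client address from a request log, requests in the window)
SAMPLE_HITS = [("203.0.113.7", 900), ("198.51.100.23", 4200),
               ("2001:db8::5", 1500), ("not-an-ip", 9999),
               ("203.0.113.7", 300), ("192.0.2.10", 12), ("10.0.0.8", 5000)]

def worst_offenders(hits, threshold, never_block=(), limit=MAX_ENTRIES):
    """Sum requests per valid address; return the top `limit` at or above threshold."""
    safe = [ipaddress.ip_network(n) for n in never_block]
    totals = Counter()
    for raw, count in hits:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # a malformed log field must never reach dos.xml
        if any(addr.version == net.version and addr in net for net in safe):
            continue  # hypothetical allowlist: own proxies, monitoring, office ranges
        totals[str(addr)] += count
    # Highest count first; ties broken by address so the output is stable
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, n) for ip, n in ranked if n >= threshold][:limit]

def build_dos_xml(offenders):
    """Render (address, count) pairs as a dos.xml document string."""
    root = ET.Element("blacklistentries")
    for ip, n in offenders:
        entry = ET.SubElement(root, "blacklist")
        ET.SubElement(entry, "subnet").text = ip
        ET.SubElement(entry, "description").text = f"auto-blacklisted: {n} requests"
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    picked = worst_offenders(SAMPLE_HITS, threshold=1000, never_block=["10.0.0.0/8"])
    print(build_dos_xml(picked))
```

Write the returned string to the application's `WEB-INF/dos.xml` and push it with AppCfg's `update_dos` action, which is the partial update the second answer refers to.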

Source: https://habr.com/ru/post/921570/

