The App Engine Denial of Service (DoS) Protection Service enables you to protect your application from running out of quota when subjected to denial of service attacks or similar forms of abuse. You can blacklist IP addresses or subnets, and requests routed from those addresses or subnets will be dropped before your application code is called. No resource allocations, billed or otherwise, are consumed for these requests.
Do not use this service for security. It is designed for quantitative abuse prevention, such as preventing DoS attacks, only. Some requests from blacklisted users may still get through to your application.
A dos.yaml file in the WEB-INF directory of your application configures DoS Protection Service blacklists for your application. The following is an example:
blacklist:
- subnet: 126.96.36.199
  description: a single IP address
- subnet: 188.8.131.52/24
  description: an IPv4 subnet
- subnet: abcd::123:4567
  description: an IPv6 address
- subnet: abcd::123:4567/48
  description: an IPv6 subnet
The syntax of dos.yaml is the YAML format. For more information about this syntax, see the YAML website.
A dos.yaml file consists of a number of blacklist entries. A blacklist entry has a subnet, and can optionally specify a description. The description will be visible in the Cloud Platform Console. The subnet is any valid IPv4 or IPv6 subnet in CIDR notation.
You may define a maximum of 100 blacklist entries in your configuration file. Uploading a configuration file with more than 100 entries will fail.
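A pre-upload check for the rules above, as an added example that is not part of the original page or of App Engine's tooling: it verifies each subnet, the 100-entry limit, and flags entries that overlap one another and so waste slots. The function names, the minimal line-based reader and the sample addresses are assumptions made for illustration.

```python
import ipaddress

MAX_ENTRIES = 100  # limit stated on this page

# Constructed sample (documentation address ranges), not taken from the page.
SAMPLE = """blacklist:
- subnet: 192.0.2.10
  description: a single IP address
- subnet: 198.51.100.7/24
- subnet: 2001:db8::123:4567/48
- subnet: 198.51.100.200
- subnet: 300.1.2.3/24
"""

def parse_dos_yaml(text):
    """Read only the flat list shape shown on this page; not a general YAML parser."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "blacklist:":
            continue
        if line.startswith("- "):          # a dash starts a new blacklist entry
            entries.append({})
            line = line[2:].strip()
        key, sep, value = line.partition(":")  # first colon only, so IPv6 values survive
        if not sep or not entries:
            raise ValueError(f"unexpected line: {raw!r}")
        entries[-1][key.strip()] = value.strip()
    return entries

def validate(entries):
    # Returns a list of problem strings; an empty list means nothing was found.
    problems, seen = [], []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries, limit is {MAX_ENTRIES}")
    for i, entry in enumerate(entries, 1):
        try:
            # strict=False: the page's own examples (abcd::123:4567/48) have host bits set
            net = ipaddress.ip_network(entry.get("subnet", ""), strict=False)
        except ValueError:
            problems.append(f"entry {i}: invalid subnet {entry.get('subnet')!r}")
            continue
        for j, other in seen:
            if net.version == other.version and net.overlaps(other):
                problems.append(f"entry {i}: {net} overlaps entry {j} ({other})")
        seen.append((i, net))
    return problems

if __name__ == "__main__":
    print("\n".join(validate(parse_dos_yaml(SAMPLE))))
```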
Uploading DoS configuration
You can use AppCfg to upload DoS configs. When you upload your application to App Engine using AppCfg update, the DoS Protection Service is updated with the contents of dos.yaml. The new config will be viewable using the Cloud Platform Console straight away, but may take a few minutes to take effect. You can update just the DoS configuration without uploading the rest of the application using
To delete all blacklist entries, change the dos.yaml file to just contain: