The App Engine Denial of Service (DoS) protection service enables you to protect your application from running out of quota when subjected to denial of service attacks or similar forms of abuse. You can add IP addresses or subnets to a denylist, and requests routed from those addresses or subnets will be dropped before your application code is called. No resource allocations, billed or otherwise, are consumed for these requests.
By default, App Engine serves a generic error page to addresses on the denylist. You can configure your app to serve a custom response instead.
Before you begin
Create a dos.xml
file in the WEB-INF
directory of your
application. You will specify your denylisted IP addresses and networks in this
file.
Blocking requests with DoS denylists
You can add IP addresses and IP subnets to a denylist to block them from accessing your app.
The dos.xml
is limited to 100 entries, so blocking entire subnets
might be necessary if you are facing a DoS attack. This is also an efficient
way to protect yourself if you find that multiple IP addresses from the same
network are part of a DoS attack on your app.
Creating denylist entries for IP addresses
You can block one or more IP addresses from accessing your app by defining
those IPv4 or IPv6 addresses in your dos.xml
file. For example:
<?xml version="1.0" encoding="UTF-8"?>
<blacklistentries>
<blacklist>
<subnet>1.2.3.4</subnet>
<description>a single IP address</description>
</blacklist>
<blacklist>
<subnet>abcd::123:4567</subnet>
<description>an IPv6 address</description>
</blacklist>
</blacklistentries>
In a distributed denial of service (DDoS) attack, you will likely need to block entire subnets rather than by individual IP address.
For examples, see the dos.xml reference.
After creating your dos.xml
, you must upload it to your app.
Creating denylist entries for IP subnets
You can block an IP subnet from accessing your app by defining the IP subnet in CIDR format. You can use the IP to CIDR tool to help with creating rules that use CIDR notation.
<?xml version="1.0" encoding="UTF-8"?>
<blacklistentries>
<blacklist>
<subnet>abcd::123:4567/48</subnet>
<description>an IPv6 subnet</description>
</blacklist
<blacklist>
<subnet>abcd::123:4567/48</subnet>
<description>an IPv6 subnet</description>
</blacklist
</blacklistentries>
For examples, see the dos.xml reference.
After creating your dos.xml
, you must upload it to your app.
Creating custom error messages for denylisted requests
By default, a generic error page is served to requests that are blocked by the DoS protection service. Distributed denial of service attacks could involve an infected machine from a legitimate user and this page could provide an explanation for those users about why their access was denied.
Create a static file in your application directory for serving to requests that are blocked by the DoS protection service.
In your
appengine-web.xml
file, specify an error handler for DoS responses by providing the path to your static file and adding the<static-error-handlers>
type ofdos_api_denial
:<static-error-handlers> <handler error-code="dos_api_denial" file="dos-response.html" /> </static-error-handlers>
Deleting all denylist entries
To delete all denylist entries:
Edit the
dos.xml
file to just contain:<?xml version="1.0" encoding="UTF-8"?> <blacklistentries/>
Deleting the
dos.xml
does not remove the denylists.Redeploy your
dos.xml
for the changes to take effect.
Viewing DoS denial errors in the console
You can view a graph of the number of requests that are being denied:
Go to the App Engine dashboard in the Google Cloud Console:
Adjust the graph time frame as necessary to see the results.
Upload your DoS denylist
You can useappcfg.sh
to upload DoS configs. When you upload
your application to App Engine using appcfg.sh update
, the
DoS Protection Service is updated with the contents of the dos.xml
configuration file.
To update only the DoS configuration file without uploading the rest of your application, you use the following command:
appcfg.sh update_dos [PATH_TO_CONFIG_FILE]/dos.xml
What's next
- Set up Cloud Monitoring to quickly identify problems and alert you.
- Read a customer's experience on how they responded to a distributed denial of service (DDoS) attack (Jan, 2013).