Configuring DoS Protection Service for Python

The App Engine Denial of Service (DoS) protection service enables you to protect your application from running out of quota when subjected to denial of service attacks or similar forms of abuse. You can blacklist IP addresses or subnets, and requests routed from those addresses or subnets will be dropped before your application code is called. No resource allocations, billed or otherwise, are consumed for these requests.

By default, App Engine serves a generic error page to blacklisted addresses. You can configure your app to serve a custom response instead.

Before you begin

Create a dos.yaml file in the root directory of your application. You will specify your blacklisted IP addresses and networks in this file.

Blocking requests with DoS blacklists

You can blacklist IP addresses and IP subnets to block them from accessing your app.

The dos.yaml is limited to 100 entries, so blocking entire subnets might be necessary if you are facing a DoS attack. This is also an efficient way to protect yourself if you find that multiple IP addresses from the same network are part of a DoS attack on your app.

Creating blacklist entries for IP addresses

To blocked one or more IP addresses from accessing your app, you define those IP addresses in your dos.yaml file using the IPv4 or IPv6 formats. For example:

- subnet:
  description: A single IPv4 address
- subnet: abcd::123:4567
  description: A single IPv6 address

In a distributed denial of service (DDoS) attack, you will likely need to block entire subnets rather than by individual IP address.

For examples, see the dos.yaml reference.

After creating your dos.yaml, you must upload it to your app.

Creating blacklist entries for IP subnets

To blocked an IP subnet from accessing your app, you define that IP subnet using the CIDR format. To help you define your CIDR notation for ranges of IP addresses, you can use the IP to CIDR tool.

- subnet:
  description: an IPv4 subnet
- subnet: abcd::123:4567/48
  description: an IPv6 subnet
For examples, see the dos.yaml reference.

After creating your dos.yaml, you must upload it to your app.

Creating custom error messages for blacklisted requests

By default, a generic error page is served to requests that are blocked by the DoS protection service. Distributed denial of service attacks could involve an infected machine from a legitimate user and this page could provide an explanation for those users about why their access was denied.

  1. Create a static file in your application directory for serving to requests that are blocked by the DoS protection service.

  2. In your app.yaml file, specify an error handler for DoS responses by providing the path to your static file and adding the error_handlers type of dos_api_denial:

    - error_code: dos_api_denial
      file: dos-response.html

Deleting all blacklist entries

To delete all blacklist entries:

  1. Edit the dos.yaml file to just contain:


    Deleting the dos.yaml does not remove the blacklists.

  2. Redeploy your dos.yaml for the changes to take effect.

Viewing DoS denial errors in the console

You can view a graph of the number of requests that are being denied:

  1. Go to the App Engine dashboard in the Google Cloud Platform Console:

    Open the App Engine error details graph

  2. Adjust the graph time frame as necessary to see the results.

Upload your DOS blacklist

You use the gcloud tool to deploy the updated DoS configuration file to your app in App Engine. For example, you run the following command to update the DoS Protection Service with the contents of dos.yaml:

 gcloud app deploy dos.yaml

What's next

Send feedback about...

App Engine standard environment for Python