Tuesday, April 15, 2014

Dealing with DoS and Fake emails on App Engine - Some Tips


After launching yet another App Engine application recently, I was surprised to receive a message from my email exception handler about db inserts failing.

It turned out my (free) quotas had been exhausted following some sort of DoS attack: some bots had been using my app automatically, hitting the service multiple times per second for a good few hours.

The app, which features things like email activation, was flooded with users registering with fake "temporary" emails. 

To deal with this, a few things are advisable when you deploy an app that might be targeted by such abuse:

1. If you are using email activation, make sure to include a handler to filter out fake email providers. You can use this GitHub gist that I forked from here; I have actually added quite a few fake providers of my own (based on attacks on my app).

Save that list into a file (say dos.emails.txt, one domain per line) and write something like:

# Load the blocked domains once, normalised to lower case, so the
# comparison is not fooled by capitalisation or trailing whitespace.
with open('dos.emails.txt', 'r') as f:
    dosEmails = set(line.strip().lower() for line in f if line.strip())
# emailDomain is the part after the '@' of the address being registered
if emailDomain.lower() in dosEmails:
    ...

2. Read the App Engine DoS page thoroughly; it's short and concise. To sum things up: create a dos.yaml file with a blacklist of IPs.

3. Be sure to frequently check the "most popular visitors" tab to spot IPs that seem to be "over enthusiastic" about your server.

4. A good approach to responding to DoS and fake emailers is to let them think they are succeeding in the attack, giving them no clue that they have been busted. So, for example, don't include code that responds with "access denied, go shove that fake email up your..."; rather respond with "status: great success" or whatever, letting the attacker think he is on the right path.

5. If you want to go the extra mile (sometimes it can be absolutely necessary), write some code to automate adding IPs to the DoS blacklist.

6. Remember to do all of the above in such a way that you can reuse what you have done in other apps (this is probably relevant for every App Engine app out there).
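The pieces above in one reusable module, as an added example rather than code from this post: the fake-domain filter of point 1 answering with the decoy reply of point 4, and a hit counter over request log lines (point 3) that renders dos.yaml blacklist entries (point 5). The domain list, the log lines and the threshold are constructed for the example; the real list is the dos.emails.txt file from the gist.

```python
# Added example, not the post's code. Lists, log lines and threshold are constructed.
import collections
import ipaddress
import re

# Constructed stand-in for the dos.emails.txt list (one domain per line).
DISPOSABLE_DOMAINS = {"mailinator.com", "10minutemail.com", "guerrillamail.com"}

# Constructed request-log lines, Combined Log style: ip - - [time] "request".
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Apr/2014:10:00:01 +0000] "POST /register HTTP/1.1"',
    '198.51.100.2 - - [15/Apr/2014:10:00:02 +0000] "GET / HTTP/1.1"',
    '203.0.113.7 - - [15/Apr/2014:10:00:02 +0000] "POST /register HTTP/1.1"',
]
LOG_RE = re.compile(r'^(\S+) - - \[[^\]]*\] "[^"]*"')

def email_domain(address):
    """Lower-cased domain of an address, or None if it is not local@domain."""
    local, sep, domain = address.strip().rpartition("@")
    return domain.lower() if (sep and local and domain) else None

def register(address, disposable=DISPOSABLE_DOMAINS):
    """Return (accepted, response_body). A disposable domain gets the same
    reply as a real one, so the response leaks nothing about the filter."""
    domain = email_domain(address)
    if domain is None:
        return False, "status: invalid address"
    if domain in disposable:
        return False, "status: great success"  # decoy; record it server-side
    return True, "status: great success"

def count_hits(log_lines):
    """Count requests per source IP (the 'most popular visitors' view)."""
    hits = collections.Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def dos_yaml(hits, threshold):
    """Render dos.yaml blacklist entries for IPs with at least threshold hits."""
    entries = []
    for ip, n in sorted(hits.items()):
        if n >= threshold:
            ipaddress.ip_address(ip)  # raise on a malformed address before writing
            entries.append("- subnet: {}\n  description: {} hits".format(ip, n))
    return ("blacklist:\n" + "\n".join(entries) + "\n") if entries else ""
```

Pick the threshold from what your own traffic looks like in the dashboard; the accepted flag is what the handler acts on, while the body is what the client sees.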
