Timeout is not an issue if the requests are minimal. And you can control what the user can request from your application.
The MAJOR concern is DOS. I have created a script that would request the main page of my app (which now it is a static page that says: home). I basically simulated 100 users requesting the static home page over and over again at the same time. In less than 3 minutes my application was down (over quota). I didn't even go through the trouble to have several hosts hit the servers. Everything was done from my laptop... It is TOO easy to take down a GAE application. I understand that the AppEngine is offered as a free, "as-is" service, but being at the mercy of any kid with a laptop and a DSL line is not really good for anybody. Thanks, Tony On Sep 12, 2:28 pm, scottxu <[EMAIL PROTECTED]> wrote: > I don't know the status of these issues. Timeout and DDOS are two > concerns for me. > > To prevent timeout, applications have to check timer very quickly > and break the request processing aggressively, which looks like > a DDOS :-). Even worse, it's difficult to guarrantee the loop between > timer-checking is less than timeout. Failing this, the request will > not be processed unless you modify the application. > > Hope I am wrong, or hope to see solutions for these issues will > come out soon. > > Scott > > On Sep 12, 11:10 am, Tony Smith <[EMAIL PROTECTED]> wrote: > > > Yes, it needs to be at a very low level. > > > In my infrastructure, when the system is detecting a DOS attack it > > creates a firewall rule on the offending IP address. This rule will > > expire in a few minutes. If the DOS continues after the few minutes > > then An hour long restriction is imposed. If after an hour the DOS is > > still active then a permanent restriction is created and an admin is > > notified. The admin then researched the attack and if it proves to be > > of malicious intent (not some misconfiguration on the software) then > > we take it up with the ISP. > > > Does Google have (currently or in plan) something similar that will > > help address the DOS issues? You go through all the trouble to launch > > an application and then they take it down through DOS... this would > > really look bad for a start-up website not to mention Google. Well, > > actually Google's GAE wouldn't be that affected because the users will > > assume that the application went over it's quota. The normal users > > would not know of the DOS attack. > > > Thanks, > > Tony > > > On Sep 12, 1:24 pm, uprise78 <[EMAIL PROTECTED]> wrote: > > > > Rich, correct me if I'm wrong but that code you sent will add a new > > > read and a new write to every page hit and on top of that if the > > > person is banned they will still be able to reach the webpage and > > > cause it to perform this same read/write. I think DDOS attach > > > protection needs to be done on a much lower level than that. > > > > On Sep 12, 10:21 am, Rick Thomas <[EMAIL PROTECTED]> wrote: > > > > > I noticed this code > > > > >http://code.google.com/p/pyib/source/browse/trunk/usercontrol.py-Hide > > > >quoted text - > > > - Show quoted text - --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google App Engine" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en -~----------~----~----~----~------~----~------~--~---
