Hello James, I'm going to agree with Barry here.
On Wednesday, April 24, 2013 10:09:52 AM UTC-5, James Gilliam wrote: > 1. The data is hardly meaningless. One app reporting an abusive ip > address has limited value, but what if 100 apps do, or 1000. > > But there is no metadata for why that IP is blocked. That IP could be malicious, or it could be a misconfigured system, scraper, etc. Just because you have reason to block that IP, or several other people do, doesn't mean that the IP isn't also sending out legitimate traffic. Also Google has its own anti-DOS systems, which seem to be perfectly capable of blocking bad traffic; if you search these forums you'll see a few instance of the anti-DOS system mistakenly blocking Cloudflare traffic. On Wednesday, April 24, 2013 10:09:52 AM UTC-5, James Gilliam wrote: > > 2. The report of a abusive ip addr is not in isolation ... they count the > number of requests also. The cases I speak about are when one ip address, > access the same url, as many as 15 times a second for hours at a time. > > The number of requests coming from an IP address can be misleading. For instance, MIT has a whole /8 to itself, which is far more than enough to give every computer on its network an IPv4 address (an /8 block is 16 million + IP addresses). I did my undergrad at U of Wisconsin @ Madison, and I know for a fact that there were labs with ~100 computers on them which shared a single IP. There are many companies and organizations that do the same. Do you really want to block such an organization just because some dumbass accidentally left his script running? The PR storm alone would be ugly. (as an aside, there were quite a few undergrads at UWM that weren't - to put it mildly - the sharpest tools in the shed. I could easily see them making such a mistake). Also, 15 times a second for hours is not very much. A HTTP client that doesn't support HTTP pipelining ( http://en.wikipedia.org/wiki/HTTP_pipelining ) can easily do far more than that, especially on a rich web page. Now multiply that by many different users.. RSS feeds for important news and financial services can have many clients hammering away at it. There's an RSS feed for Google Hot Trends: I wouldn't be surprised if it gets hundreds of hits a second. The TL;DR of it is, there's just no reason to take your dos.yaml list. Google has its own anti-DOS systems already. ----------------- -Vinny P Technology & Media Advisor Chicago, IL My Go side project: http://invalidmail.com/ -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/google-appengine?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
