Kakatiyudu

Reputation: 531

Blacklisting on Google App Engine - users or devices (and not just IP addresses)

I have a couple of Android apps on the Play Store, which use In-App purchases. I use Google App Engine for my backend. I see some users calling the APIs abnormally/repeatedly (maybe to reverse engineer or hack?). I can figure out the IP address, Gmail ID, etc. How can I prevent these people from accessing my API?

One suggestion is to use dos.xml

But these morons seem to constantly change the IP addresses, so it is painful to keep updating this list.

Any help is greatly appreciated.

Upvotes: 1

Views: 704

Answers (1)

GAEfan

Reputation: 11370

Yes, GAE allows for a blacklist, via dos.xml (dos.yaml for Python or PHP). If you don't want to have to keep updating the IP addresses, you may just have to check the user id, and serve them some message. But, that requires actually servicing the request, to check the id, etc. So, if it is a true DOS attack, it will succeed, as you have to still service the request. Using dos.xml cuts that off at the backend, so would be the best way to go.

I suggest a script to log the IP addresses in real time for those you want to ban, to make updating dos.xml less painful.

Upvotes: 2
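One way to write the script the answer suggests, as an added example that is not part of the original answer: it flags user ids by request count, collects every IP address those ids were seen on, and renders the result as `dos.xml`. The log line format, the `threshold` value, the function names and the `MAX_ENTRIES` cap are assumptions; the sample log is constructed.

```python
import ipaddress
from collections import Counter
from xml.etree import ElementTree as ET

MAX_ENTRIES = 100  # assumed cap on blacklist entries; check the current App Engine docs

# Constructed sample: "<client ip> <user id> <path>" (assumed log format)
SAMPLE_LOG = """\
203.0.113.7 user-a /api/verify
203.0.113.7 user-a /api/verify
198.51.100.23 user-a /api/verify
198.51.100.23 user-a /api/verify
198.51.100.23 user-a /api/verify
192.0.2.44 user-b /api/verify
not-an-ip user-a /api/verify
"""

def offending_ips(log_text, threshold):
    """Return [(ip, hits)] for every IP used by a user id with >= threshold requests."""
    per_user, ips_by_user = Counter(), {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # drop malformed addresses
        except ValueError:
            continue
        per_user[fields[1]] += 1
        ips_by_user.setdefault(fields[1], Counter())[ip] += 1
    hits = Counter()
    for user, total in per_user.items():
        if total >= threshold:  # flagged id: list every IP it rotated through
            hits.update(ips_by_user[user])
    return hits.most_common(MAX_ENTRIES)

def build_dos_xml(offenders):
    """Render the offenders as a dos.xml document."""
    root = ET.Element("blacklistentries")
    for ip, count in offenders:
        entry = ET.SubElement(root, "blacklist")
        ET.SubElement(entry, "subnet").text = ip
        ET.SubElement(entry, "description").text = f"{count} requests from a flagged user id"
    if hasattr(ET, "indent"):  # pretty-print where available (Python 3.9+)
        ET.indent(root)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"

if __name__ == "__main__":
    print(build_dos_xml(offending_ips(SAMPLE_LOG, threshold=4)))
```

An address shared by many users (carrier NAT, for example) blocks them too, so review the generated list before deploying it.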
