So I have a Django backend deployed on Google App Engine. This backend supports an iOS app. In my server logs I can see all the requests coming in and where they were made. It used to be that I would only get requests from Joon/7.** (which is the iOS app name + version). However, recently I've been getting requests from Chrome 72, which doesn't make sense because the app shouldn't be able to be used on Chrome. Furthermore, these requests are creating a lot of errors in my backend because they are not sending an authentication token. Does anyone know what is going on here? Are my servers being hacked?

2 Answers
Looks like someone discovered the URL to your App Engine app. You can use Ingress controls to only allow access via Cloud Load Balancing and then Google Cloud Armor in front to protect that with rules that look like:
has(request.headers['user-agent']) && request.headers['user-agent'].contains('Godzilla')

It is quite common to see all sorts of hits (from what I call spam bots) to an App Engine app. Technically, GCP expects you to use Google Firewall rules to block these. The challenge, though, is that these bots usually change their IP addresses frequently or use multiple ones. I don't have a 'perfect' solution.
a) You can try the method by @jeff-williams (I've never tried that).
b) You can also try GCP's firewall rules (I use this, but I try to block a range of IPs instead of blocking them one by one).
c) Sometimes I also put my service behind a specific non-intuitive path. This way, the spam bots will only hit the default/base URL, and then I have a separate service which returns 404 for all calls to that base URL.

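Added example, not part of the question or either answer: a standard-library WSGI wrapper that answers token-less requests with a 401 before they reach the Django application, so unexpected clients stop producing backend errors, and records their User-Agent for review without trusting it. `RejectUnauthenticated`, `OPEN_PATHS`, `backend` and `simulate` are hypothetical names, and the token being carried in the `Authorization` header is an assumption.

```python
import logging
from wsgiref.util import setup_testing_defaults

APP_UA_PREFIX = "Joon/"   # app User-Agent prefix, as reported in the question
OPEN_PATHS = ("/login",)  # assumption: endpoints that legitimately carry no token
log = logging.getLogger("edge")


class RejectUnauthenticated:
    """Answer 401 before the backend runs when no auth token is presented."""

    def __init__(self, app, open_paths=OPEN_PATHS):
        self.app = app
        self.open_paths = tuple(open_paths)
        self.rejected = []  # (path, user_agent, looks_like_app) for later review

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        # Assumption: the token travels in the Authorization header.
        token = environ.get("HTTP_AUTHORIZATION", "").strip()
        if token or path.startswith(self.open_paths):
            return self.app(environ, start_response)  # backend still validates it
        ua = environ.get("HTTP_USER_AGENT", "")
        # User-Agent is client-controlled: record it, never authorize on it.
        looks_like_app = ua.startswith(APP_UA_PREFIX)
        self.rejected.append((path, ua, looks_like_app))
        log.warning("no token: path=%r ua=%r app_ua=%s", path, ua, looks_like_app)
        start_response("401 Unauthorized", [("Content-Type", "text/plain"),
                                            ("WWW-Authenticate", "Token")])
        return [b"authentication required\n"]


def backend(environ, start_response):
    """Stand-in for the Django WSGI application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def simulate(app, path, user_agent, token=None):
    """Send one constructed request through the WSGI app; return its status line."""
    environ = {"PATH_INFO": path, "HTTP_USER_AGENT": user_agent}
    setup_testing_defaults(environ)
    if token:
        environ["HTTP_AUTHORIZATION"] = token
    seen = []
    b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0]
```

In a real deployment the wrapper would go around the WSGI callable that App Engine serves, and the rejected entries show whether the token-less traffic ever presents the app's own User-Agent.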