What are the best practices for thwarting DoS attacks for a WebSocket server?
Is there a comprehensive site or document that can be referenced?
These days it's near impossible to thwart a traffic based DoS without some kind of hefty physical firewall in the network. However, if you're talking about other forms of DoS then there are a few things you can do to help.
Use asynchronous/non-blocking sockets. A malicious user could open up any number of connections to your sockets, consuming all of your available threads (Slowloris vulnerability).
Control how many requests per second a user can submit to ensure they aren't flooding your socket.
Ensure the user cannot make the server perform anything too resource intensive
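As an added example that is not part of either answer: the three mitigations above (cap concurrent connections per client, limit requests per second, bound the work a single message can cause) combined in one guard object that a Node WebSocket server could consult on the upgrade request and again on every inbound frame. The class name, method names and limit values are assumptions of this example, not part of any library's API.

```javascript
// Added example, not from the original answers. Per-client guards a WebSocket
// server applies before handing a frame to application code. All names and the
// default limits are assumptions; the limits are constructed sample values.
class WsDosGuard {
  constructor({ maxConnsPerIp = 10, ratePerSec = 20, burst = 40, maxMsgBytes = 64 * 1024 } = {}) {
    this.maxConnsPerIp = maxConnsPerIp;
    this.ratePerSec = ratePerSec;   // token-bucket refill rate, per connection
    this.burst = burst;             // bucket capacity (short bursts are tolerated)
    this.maxMsgBytes = maxMsgBytes; // reject oversized frames before parsing them
    this.connsPerIp = new Map();    // ip -> number of open connections
    this.buckets = new Map();       // connId -> { ip, tokens, last }
  }

  // Called on the HTTP upgrade request. Caps concurrent sockets from one address
  // so a single client cannot fill the server's connection table.
  onConnect(connId, ip, now) {
    const open = this.connsPerIp.get(ip) || 0;
    if (open >= this.maxConnsPerIp) return { ok: false, reason: 'too_many_connections' };
    this.connsPerIp.set(ip, open + 1);
    this.buckets.set(connId, { ip, tokens: this.burst, last: now });
    return { ok: true };
  }

  // Called per inbound frame with its payload length in bytes and a timestamp in ms.
  // Size is checked first so an oversized frame is never buffered or parsed.
  onMessage(connId, byteLength, now) {
    const b = this.buckets.get(connId);
    if (!b) return { ok: false, reason: 'unknown_connection' };
    if (byteLength > this.maxMsgBytes) return { ok: false, reason: 'message_too_large' };
    // Refill proportional to elapsed time, capped at the burst size.
    b.tokens = Math.min(this.burst, b.tokens + ((now - b.last) / 1000) * this.ratePerSec);
    b.last = now;
    if (b.tokens < 1) return { ok: false, reason: 'rate_limited' };
    b.tokens -= 1;
    return { ok: true };
  }

  // Called when the socket closes, so the per-IP count does not leak upward.
  onClose(connId) {
    const b = this.buckets.get(connId);
    if (!b) return;
    this.buckets.delete(connId);
    const open = (this.connsPerIp.get(b.ip) || 1) - 1;
    if (open <= 0) this.connsPerIp.delete(b.ip); else this.connsPerIp.set(b.ip, open);
  }
}
```

A rejected `onConnect` should answer the upgrade with an HTTP error and a rejected `onMessage` should close the socket, since a client that trips these limits is not worth keeping state for.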
tl;dr:
"Yes, WebSocket is the first way to open an unlimited number of connections to a single server, so it indeed likely needs additional protection to prevent DOS attacks. But we don't really have a way to implement this correctly ..." (https://bugs.webkit.org/show_bug.cgi?id=32246#c4)
Since I'm interested in that topic too, but don't have the time to read all the sources, I'll start this as a collection of (hopefully) useful links; comments on each link appreciated.
update 1 (esp. Blackhat-Presentation)
Hacking with WebSockets / BlackHat 2012, esp. Sections: Denial of Service - Server / Deploy WebSockets Securely / Secure protocol for WebSockets