Anti-DoS WebSockets Best Practices
These days it's near impossible to thwart a traffic based DoS without some kind of hefty physical firewall in the network. However, if you're talking about other forms of DoS then there are a few things you can do to help.
Use asynchronous/non-blocking sockets. A malicious user could open up any number of connections to your sockets consuming all of your available threads. (Slowloris Vulnerability)
Control how many requests per second a user can submit to ensure they aren't flooding your socket.
Ensure the user cannot make the server perform anything too resource intensive
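The admission-control side of the advice above (a per-address connection cap against connection exhaustion, a per-connection token bucket for the requests-per-second limit, and a frame-size ceiling so a client cannot force expensive work), as an added example that is not part of this answer. `WsDosGuard` is a hypothetical helper; the non-blocking server loop that would call it on upgrade, on each frame and on close is assumed and not shown.

```python
import time
from collections import defaultdict


class WsDosGuard:
    """Hypothetical admission control for a WebSocket endpoint: caps concurrent
    connections per client address, rate-limits frames per connection with a
    token bucket, and rejects oversized frames. Only answers accept/reject."""

    def __init__(self, max_conns_per_ip=20, frames_per_sec=10.0, burst=20,
                 max_frame_bytes=64 * 1024, clock=time.monotonic):
        self.max_conns_per_ip = max_conns_per_ip
        self.rate = frames_per_sec      # steady-state refill, tokens per second
        self.burst = burst              # bucket capacity (allowed burst size)
        self.max_frame_bytes = max_frame_bytes
        self.clock = clock              # injectable for deterministic tests
        self.conns_by_ip = defaultdict(int)
        self.buckets = {}               # conn_id -> (ip, tokens, last_refill)

    def on_open(self, conn_id, ip):
        """Return True to accept the upgrade, False to refuse it (per-IP cap)."""
        if self.conns_by_ip[ip] >= self.max_conns_per_ip:
            return False
        self.conns_by_ip[ip] += 1
        self.buckets[conn_id] = (ip, float(self.burst), self.clock())
        return True

    def on_close(self, conn_id):
        """Release the per-IP slot when the connection ends."""
        ip, _, _ = self.buckets.pop(conn_id)
        self.conns_by_ip[ip] -= 1
        if self.conns_by_ip[ip] == 0:
            del self.conns_by_ip[ip]

    def on_frame(self, conn_id, payload):
        """Return True if the frame may be processed, False if the server
        should drop it and close the connection (unknown, oversized or flooding)."""
        entry = self.buckets.get(conn_id)
        if entry is None or len(payload) > self.max_frame_bytes:
            return False
        ip, tokens, last = entry
        now = self.clock()
        # Refill proportionally to elapsed time, never above the burst capacity.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[conn_id] = (ip, tokens - 1.0 if allowed else tokens, now)
        return allowed
```

With a real server, a `False` from `on_frame` should close the socket rather than merely skip the frame, since a flooding client keeps consuming read buffers until the connection goes away.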
tl;dr:
"Yes, WebSocket is the first way to open an unlimited number of connections to a single server, so it indeed likely needs additional protection to prevent DOS attacks. But we don't really have a way to implement this correctly ..." (https://bugs.webkit.org/show_bug.cgi?id=32246#c4)
Since I'm interested in that topic too, but don't have the time to read all the sources, I'll start this as a collection of (hopefully) useful links; comments on each link appreciated.
- WebSocket Security Analysis (PDF)
- The Dangers of HTML5: WebSockets and Stable Standards (MSDN)
- WebSocket Security (Heroku)
- Websockets 101 (pocoo) (mostly the lessons learned section)
update 1 (esp. the BlackHat presentation)
- Hacking with WebSockets / BlackHat 2012, esp. sections: Denial of Service - Server / Deploy WebSockets Securely / Secure protocol for WebSockets
- HTML5 WebSockets - security & new tool for attacking
- HTML5 Web Sockets Changes the Scalability Game