How to protect against distributed denial-of-service attacks in Node.js with Socket.io?
Look into JS event throttling and debouncing!
Those techniques will help you prevent and detect attacks to a certain point (which is, in my opinion, enough for a small multiplayer socket game)...
EDIT:
In this jsfiddle: http://jsfiddle.net/y4tq9/9/
var sIO = {};
sIO.on = (function(){
var messages = {};
var speedLimit = 5; //5ms
return function(message, handler) {
messages[message] = messages[message] || {};
if(messages[message].timestamp && new Date().getTime() - messages[message].timestamp < speedLimit) return false;
else messages[message].timestamp = new Date().getTime();
handler();
return true;
//execute code, Ex:
}
}());
you can see that every request sent faster than 5ms will return false, otherwise the handler get run.
You simple disconnect the sockets who send request faster than 5ms (or 2ms, or 3ms depending on your network and your application's weight...).
You might as well using js event throttling on client site to make sure all of your requests doesn't send faster than the speed limit!
This technique will not provide absolute protection from exploiting, but it will prevent your server from crashing when attackers try to Dos...
The rate-limiter-flexible Node.js package can be used against DDoS attacks.
const { RateLimiterMemory } = require('rate-limiter-flexible');
const rateLimiter = new RateLimiterMemory({
points: 5, // 5 points
duration: 1 // per second
});
socket.on('bcast', data => {
rateLimiter.consume(uniqueSocketId) // consume 1 point per event
.then(() => {
socket.emit('news', { 'data': data });
socket.broadcast.emit('news', { 'data': data });
})
.catch(rejRes => {
// no available points to consume
// emit error or another workaround
});
});
Any event will be blocked, if it happens more than 5 times per second.
There is also the option for distributed applications using Redis.
And some flexible settings like insurance and block strategy makes rate-limiter-flexible
highly available and fast.
It's not always a good idea to do this in your http server. Check this answer: How to prevent DOS attacks on my http server which written in node.js?