WebSocket attack DoSes server, socket.close() does not work

[alexgleason]

Version: Deno 1.42.3

I've discovered a fun thing where you can go to just about any Deno server with a WebSocket endpoint, and run cat /dev/urandom | websocat wss://some-deno.xyz/ws and DoS the server instantly. It doesn't crash, just locks up because the CPU goes to 100%.

So, for the past 5 days I've been pulling my hair out trying to get rate-limiting to work, hitting all kinds of walls with everything under the sun not having good enough support for websockets (Nginx, Hono, hono-rate-limiter)

And now I just discovered that calling socket.close() on the server does not actually sever the connection. 🤣 It just sends a "close" frame and hopes the other side respects it.

Here's my minimal reproduction:

import { Hono } from '@hono/hono';

const app = new Hono();

app.get('/', (c) => {
  const { socket, response } = Deno.upgradeWebSocket(c.req.raw);

  socket.onmessage = (_e) => {
    socket.close();
  };

  return response;
});

Deno.serve(app.fetch);

If you run wscat -c ws://localhost:8000/ and hit Enter, it successfully closes, because wscat respects close frames.

But just fire up websocat and you're in business. cat /dev/urandom | websocat ws://localhost:8000/ absolutely destroys the server, and there is no way to stop it!

This is not really a vulnerability, it's just the way WebSocket works. 🤦 You have to rate-limit it just like HTTP. But rate-limiting sockets seems impossible right now.

[alexgleason]

The problem is once you're in the onmessage callback there's no way to get out of it. You can throw, but it's in a callback so it kills the whole Deno process. There is simply no API to force close the connection from the server side and keep the process running. God have mercy on my soul.

EDIT: I have a suggestion about how to handle this subtly in the API. Just check the error code passed to close(). So that calling socket.close(1008) will force-close the connection. Then a Deno-specific API isn't needed.

EDIT 2: The socket is permanently in CLOSING state after calling "close()":

import { Hono } from '@hono/hono';

const app = new Hono();

app.get('/', (c) => {
  const { socket, response } = Deno.upgradeWebSocket(c.req.raw);

  socket.onmessage = (_e) => {
    socket.close(1008);
    console.log(socket.readyState);
  };

  return response;
});

Deno.serve(app.fetch);

Output:

2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2