WebSocket attack DoSes server, socket.close() does not work #24292
Labels: needs discussion (this topic needs further discussion to determine what action to take), needs investigation (requires further investigation before determining if it is an issue or not), web (related to Web APIs)
Version: Deno 1.42.3
I've discovered a fun thing where you can go to just about any Deno server with a WebSocket endpoint, and run
cat /dev/urandom | websocat wss://some-deno.xyz/ws
and DoS the server instantly. It doesn't crash, just locks up because the CPU goes to 100%. So, for the past 5 days I've been pulling my hair out trying to get rate-limiting to work, hitting all kinds of walls with everything under the sun not having good enough support for websockets (Nginx, Hono, hono-rate-limiter).
And now I just discovered that calling socket.close() on the server does not actually sever the connection. 🤣 It just sends a "close" frame and hopes the other side respects it. Here's my minimal reproduction:
If you run
wscat -c ws://localhost:8000/
and hit Enter, it successfully closes, because wscat respects close frames. But just fire up websocat and you're in business.
cat /dev/urandom | websocat ws://localhost:8000/
absolutely destroys the server, and there is no way to stop it! This is not really a vulnerability, it's just the way WebSocket works. 🤦 You have to rate-limit it just like HTTP. But rate-limiting sockets seems impossible right now.
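The per-connection rate limiting the post asks for can be done in the application handler even when close() only sends a frame: budget incoming bytes with a token bucket, cap single-message size, and once the connection has been told to close, stop doing any work for messages that keep arriving. The following is an added example written for this issue, not code from the issue author or from Deno; `ByteBucket`, `GuardedConnection`, the option names and the strike rule are assumptions. The socket interface is kept minimal so the logic runs outside Deno; the wiring to the real `Deno.upgradeWebSocket` API is shown only in a comment.

```typescript
// Added example (not from the issue or from Deno): per-connection byte budgeting
// for a WebSocket handler. Time is passed in explicitly (ms) so the logic is
// deterministic and testable without timers.

interface ClosableSocket {
  close(code?: number, reason?: string): void;
}

interface GuardOptions {
  capacityBytes: number;      // burst allowance per connection
  refillBytesPerSec: number;  // sustained rate allowed per connection
  maxMessageBytes: number;    // any single message above this is rejected outright
  maxStrikes: number;         // over-budget messages tolerated before closing
}

// Classic token bucket measured in bytes rather than requests.
class ByteBucket {
  private tokens: number;
  private last: number;
  private readonly capacity: number;
  private readonly refillPerSec: number;

  constructor(capacity: number, refillPerSec: number, now: number) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.tokens = capacity;
    this.last = now;
  }

  // Returns true and debits the bucket if `bytes` fit at time `now`, else false.
  consume(bytes: number, now: number): boolean {
    const elapsedSec = Math.max(0, now - this.last) / 1000;
    this.tokens = Math.min(this.capacity, this.tokens + elapsedSec * this.refillPerSec);
    this.last = now;
    if (bytes > this.tokens) return false;
    this.tokens -= bytes;
    return true;
  }
}

// Wraps one socket. After `closed` is set, every further message is dropped
// without any processing, which is the part that matters when the peer
// ignores the close frame: the runtime still parses its frames, but the
// application does no work for them.
class GuardedConnection {
  closed = false;
  private strikes = 0;
  private readonly bucket: ByteBucket;
  private readonly socket: ClosableSocket;
  private readonly opts: GuardOptions;

  constructor(socket: ClosableSocket, opts: GuardOptions, now: number) {
    this.socket = socket;
    this.opts = opts;
    this.bucket = new ByteBucket(opts.capacityBytes, opts.refillBytesPerSec, now);
  }

  // Call for every incoming message; returns whether the message should be handled.
  onMessage(data: string | ArrayBuffer | Uint8Array, now: number): boolean {
    if (this.closed) return false;
    const size = typeof data === "string" ? new TextEncoder().encode(data).length : data.byteLength;
    if (size > this.opts.maxMessageBytes) {
      this.terminate(1009, "message too big"); // 1009 = "message too big" close code
      return false;
    }
    if (!this.bucket.consume(size, now)) {
      this.strikes += 1;
      if (this.strikes > this.opts.maxStrikes) this.terminate(1008, "rate limit exceeded");
      return false;
    }
    return true;
  }

  private terminate(code: number, reason: string): void {
    this.closed = true;
    this.socket.close(code, reason); // sends the close frame; peer may ignore it
  }
}

// Wiring sketch for Deno (not executed here):
//   Deno.serve((req) => {
//     const { socket, response } = Deno.upgradeWebSocket(req);
//     const guard = new GuardedConnection(socket, OPTS, Date.now());
//     socket.onmessage = (ev) => { if (guard.onMessage(ev.data, Date.now())) handle(ev.data); };
//     return response;
//   });
```

The strike rule exists so a legitimate client that briefly bursts over budget is not cut off on the first over-budget message; a flood like the one in the post blows through the strikes within milliseconds. This only bounds application-level work per connection; the byte stream itself is still read and framed by the runtime, which is the cost the issue reports, so a limit on concurrent connections per source is still needed in front of it.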