DDoS Protection
Vadim, 2019-08-29 18:31:01

How to protect a WebSocket-based site from DDoS attacks?

There is a website that actively uses WebSockets to receive and send information to users (wss). Is there a way to protect the WebSocket server from too many messages coming from
1) the same IP
2) different IP addresses
For example, by simply limiting the traffic in Mb/s. I think it is impossible to limit the number of messages, since the traffic goes through wss!?


2 answer(s)
Vladimir, 2019-08-29
@Viji

If we generalize DDoS strongly, there are two types:
1. An attack on the channel: you are simply clogged with traffic up to the eyeballs of your server's network interface, and it cannot communicate with clients. This is not solved on the side of the server itself, only by external solutions such as Cloudflare.
2. Attacks on the application and related software: flood the web server with slow connections until the limit is reached, look for heavy actions against the database on your site (search, for example) so that they can later load the database with a bunch of requests and the service starts to lag, and so on. The main methods of fighting this are to know the pattern of an ordinary user and to set the necessary limits a little higher than an ordinary user needs, in the firewall or in the front-end proxy (for example, haproxy).

Ivan Shumov, 2019-08-29
@inoise

1. IP blocking is basic firewall functionality, but with DDoS it is useless to set it up manually.
2. DDoS is usually organized either with amplification traffic or with a slowloris attack. There is also UDP flood. So WebSocket or whatever you have does not matter. If you do not have the ability to scale horizontally to absorb the first wave of malicious traffic, then nothing will help you, although there are solutions, I do not argue. If you have one server, then just forget about this problem: you will not have enough resources to deal with it.
3. The message limit is called throttling and is implemented very simply, but it works after the anti-DDoS tools and has nothing to do with them.
4. You will not be able to limit the bandwidth for different clients, but in general, if you simply go down because of your own crooked hands...
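Both answers point at the same application-level piece: a throttle on incoming WebSocket messages, with per-IP limits set a little above what an ordinary user produces (answer 1) and applied after, not instead of, network-level anti-DDoS measures (answer 2, point 3). The following is an added example, not code from either answerer: a token-bucket throttle that covers the asker's two cases, a single noisy IP (per-IP message and byte buckets, with repeated violations leading to a close) and many IPs at once (a server-wide bucket that sheds load without blaming any one client). The class names, parameter names and the 10.0.0.x addresses are assumptions constructed for the example; plug `check()` into whatever WebSocket library's per-message handler you use.

```python
"""Application-level throttling of WebSocket messages, per client IP and in total.

Added example (not from the forum answers). Time is passed in explicitly so the
policy is deterministic and testable; in a server you would pass time.monotonic().
"""
import time


class TokenBucket:
    """Classic token bucket: `capacity` tokens of burst, refilled at `rate` per second."""

    def __init__(self, capacity: float, rate: float, now: float):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.updated = now

    def take(self, now: float, cost: float = 1.0) -> bool:
        """Refill for the elapsed time, then spend `cost` tokens if available."""
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens < cost:
            return False
        self.tokens -= cost
        return True


class WsThrottle:
    """Decides, per inbound WebSocket message, whether to accept, drop, or close.

    Defaults are illustrative; set them slightly above a real user's pattern.
    """

    def __init__(self, msgs_burst=20, msgs_per_sec=5.0,
                 bytes_burst=64_000, bytes_per_sec=16_000.0,
                 total_msgs_burst=2000, total_msgs_per_sec=500.0,
                 strikes_before_close=10, idle_ttl=300.0, now=0.0):
        self.msg_params = (msgs_burst, msgs_per_sec)
        self.byte_params = (bytes_burst, bytes_per_sec)
        self.strikes_before_close = strikes_before_close
        self.idle_ttl = idle_ttl
        # Server-wide bucket: case 2, many different IPs at once.
        self.total = TokenBucket(total_msgs_burst, total_msgs_per_sec, now)
        # ip -> [msg_bucket, byte_bucket, strikes, last_seen]   (case 1, one IP)
        self.clients = {}

    def check(self, ip: str, size: int, now: float) -> str:
        """Return "accept", "drop" (discard this message) or "close" (end the connection)."""
        state = self.clients.get(ip)
        if state is None:
            state = [TokenBucket(*self.msg_params, now),
                     TokenBucket(*self.byte_params, now), 0, now]
            self.clients[ip] = state
        state[3] = now
        # Per-IP limits first, so one flooding client cannot drain the global bucket.
        # An oversized message still spends a message token; that is deliberate.
        if not (state[0].take(now) and state[1].take(now, float(size))):
            state[2] += 1
            return "close" if state[2] >= self.strikes_before_close else "drop"
        # Global limit: shed load, but do not count a strike against this client.
        if not self.total.take(now):
            return "drop"
        return "accept"

    def sweep(self, now: float) -> int:
        """Forget clients idle longer than idle_ttl; returns how many were removed."""
        stale = [ip for ip, s in self.clients.items() if now - s[3] > self.idle_ttl]
        for ip in stale:
            del self.clients[ip]
        return len(stale)


if __name__ == "__main__":
    throttle = WsThrottle()
    clock = time.monotonic()
    for _ in range(25):  # constructed burst from one address, well above the default burst of 20
        print(throttle.check("10.0.0.1", 200, clock))
```

The per-IP byte bucket is what answers the asker's "limit the traffic in Mb/s" idea at message granularity: the server sees each decrypted wss frame, so TLS does not prevent counting messages or bytes, it only prevents a device in front of the server from doing so without terminating TLS itself. Dropping rather than immediately closing on the first violation keeps a legitimate client that briefly bursts connected, while a client that keeps violating is cut off.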
