
How to prevent DDOS attacks on RSocket-WebSocket #1129

@sdack-cloud


The versions used in my project (Spring Boot WebFlux + RSocket over WebSocket):

  • org.springframework.boot:spring-boot-starter-webflux:3.2.1
  • org.springframework.boot:spring-boot-starter-rsocket:3.2.1
  • io.rsocket:rsocket-core:1.1.3

A WebSocket occupies a file descriptor (FD) after a successful HTTP upgrade, but if the client does not send any authentication message (such as a token, login frame, etc.) after connecting, the server wastes FD resources and can easily be exploited for DDoS.

My idea: if the client fails to authenticate before the timeout, actively close the connection and release the FD.

Postman sent a request to establish a connection and received a "Connected" response. I did not complete the subsequent authentication step; I only established the connection.

[Screenshot: Postman running result]

I found that the RSocket server disconnects this connection after 60 seconds.

To prevent DDoS attacks and excessive consumption of server file descriptor (FD) resources, I need to shorten the WebSocket connection initialization timeout so that the server can release the file descriptor (FD) sooner.

I found that during the HTTP Upgrade phase, requests do not reach the @ConnectMapping method of the Spring RSocket server.

After the HTTP Upgrade connection is established, I want to change the RSocket-over-WebSocket connection initialization timeout. How do I configure the RSocket connection initialization timeout? I don't know how to do it; that is my question.

The goal is for the server to fail fast and release FD resources.

```http
GET /ws HTTP/1.1
Host: localhost:888
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13
```

```yaml
spring:
  rsocket:
    server:
      port: 888
      transport: websocket
```
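The following is an added example, not code from the issue author, from rsocket-java, or from Spring Boot. It shows the part of the problem that can be handled with public API in the versions listed above: rejecting any SETUP frame that does not carry a valid bearer token, so a client that connects and then sends an unauthenticated SETUP is closed immediately (the server answers with ERROR(REJECTED_SETUP) and disposes the connection) instead of holding an FD until it is kicked. It assumes a Spring Boot RSocket server customized through `RSocketServerCustomizer`, clients that send composite metadata containing a `message/x.rsocket.authentication.v0` entry of bearer type, and a hypothetical `TokenValidator` interface whose fixed `demo-token` check is a stand-in for a real token store. It does not shorten the wait for a client that never sends SETUP at all; that is governed by the server's own setup timeout (the 60 seconds measured above), so connection rate limits at the load balancer or firewall are still needed for that case.

```java
// Added example (not the issue author's code, not rsocket-java's, not Spring's):
// reject RSocket SETUP frames that lack a valid bearer token so unauthenticated
// connections are closed at once rather than kept open.
//
// Assumptions: Spring Boot with spring-boot-starter-rsocket (RSocketServerCustomizer),
// clients sending composite metadata with a well-known "message/x.rsocket.authentication.v0"
// entry of BEARER type, and the hypothetical TokenValidator below.

import io.netty.buffer.ByteBuf;
import io.rsocket.ConnectionSetupPayload;
import io.rsocket.RSocket;
import io.rsocket.SocketAcceptor;
import io.rsocket.core.RSocketServer;
import io.rsocket.exceptions.RejectedSetupException;
import io.rsocket.metadata.AuthMetadataCodec;
import io.rsocket.metadata.CompositeMetadata;
import io.rsocket.metadata.WellKnownAuthType;
import io.rsocket.metadata.WellKnownMimeType;
import org.springframework.boot.rsocket.server.RSocketServerCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import reactor.core.publisher.Mono;

import java.util.Arrays;

@Configuration
public class SetupAuthConfig {

  /** Hypothetical token check; back it with your JWT / opaque-token validation. */
  @FunctionalInterface
  public interface TokenValidator {
    boolean isValid(char[] token);
  }

  @Bean
  TokenValidator tokenValidator() {
    // Demo-only assumption: one fixed expected token. Never ship a hard-coded secret.
    return token -> Arrays.equals(token, "demo-token".toCharArray());
  }

  /** Wraps the server's SocketAcceptor so that SETUP is vetted before any RSocket is created. */
  @Bean
  RSocketServerCustomizer requireBearerTokenInSetup(TokenValidator validator) {
    return (RSocketServer server) -> server.interceptors(registry ->
        registry.forSocketAcceptor(delegate -> (ConnectionSetupPayload setup, RSocket sendingSocket) -> {
          if (!hasValidBearerToken(setup, validator)) {
            // An error from the acceptor makes rsocket-java send ERROR(REJECTED_SETUP)
            // and close the DuplexConnection, which releases the FD immediately.
            return Mono.<RSocket>error(
                new RejectedSetupException("SETUP must carry a valid bearer token"));
          }
          return delegate.accept(setup, sendingSocket);
        }));
  }

  /** True only if SETUP carries composite metadata with a BEARER auth entry that validates. */
  static boolean hasValidBearerToken(ConnectionSetupPayload setup, TokenValidator validator) {
    String composite = WellKnownMimeType.MESSAGE_RSOCKET_COMPOSITE_METADATA.getString();
    if (!setup.hasMetadata() || !composite.equals(setup.metadataMimeType())) {
      return false;
    }
    String authMime = WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString();
    // sliceMetadata() leaves the payload's own reader index untouched.
    for (CompositeMetadata.Entry entry : new CompositeMetadata(setup.sliceMetadata(), false)) {
      if (!authMime.equals(entry.getMimeType())) {
        continue;
      }
      ByteBuf auth = entry.getContent();
      if (!AuthMetadataCodec.isWellKnownAuthType(auth)) {
        return false; // custom auth types are not accepted here
      }
      // readWellKnownAuthType consumes the type byte; the remaining bytes are the token.
      if (AuthMetadataCodec.readWellKnownAuthType(auth) != WellKnownAuthType.BEARER) {
        return false;
      }
      char[] token = AuthMetadataCodec.readBearerTokenAsCharArray(auth);
      try {
        return validator.isValid(token);
      } finally {
        Arrays.fill(token, '\0'); // do not leave the credential lying around on the heap
      }
    }
    return false;
  }
}
```

Spring Security's RSocket support reaches the same outcome declaratively with `RSocketSecurity.authorizePayload(authorize -> authorize.setup().authenticated())`, which is the better choice once you need real authentication; the hand-written interceptor above is only meant to make visible where in the connection lifecycle the rejection happens.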
