1

My application only needs socket.io to send data from the server to the client. To prevent Denial Of Service attacks, I want to disconnect the client if it tries to emit data. Is this possible?

I've looked at some Stack Overflow questions:

force client disconnect from server with socket.io and nodejs

How to protect against distributed denial-of-service attacks in Node.js with Socket.io?

But I've not been able to find a working solution.

Community
Robin
  • How about [Server-sent events](http://stackoverflow.com/questions/5195452/websockets-vs-server-sent-events-eventsource) – laggingreflex Apr 04 '15 at 14:19
  • See this SO question: http://stackoverflow.com/questions/21057882/main-difference-between-bidirectional-sockets-and-directional-sockets – MvdD Apr 04 '15 at 17:30
  • Is SSE considered safe? Does it prevent Denial of Service? – Robin Apr 04 '15 at 19:12

2 Answers

1

There is an option to catch all events (from here Socket.io Client: respond to all events with one handler?).

Then on any event you will just disconnect the client on the server side.

var socket = io.connect();
var globalEvent = "*";
// Override $emit so every event is also dispatched to the "*" handlers
socket.$emit = function (name) {
    if(!this.$events) return false;
    // Pass 0 dispatches to the named event, pass 1 to the global handler
    for(var i=0;i<2;++i){
        if(i==0 && name==globalEvent) continue;
        // The global handler also receives the event name as first argument
        var args = Array.prototype.slice.call(arguments, 1-i);
        var handler = this.$events[i==0?name:globalEvent];
        if(!handler) handler = [];
        if ('function' == typeof handler) handler.apply(this, args);
        else if (io.util.isArray(handler)) {
            var listeners = handler.slice();
            // Separate counter: reusing i here would clobber the outer loop
            for (var j=0, l=listeners.length; j<l; j++)
                listeners[j].apply(this, args);
        } else return false;
    }
    return true;
};
socket.on(globalEvent,function(event){
    //Force disconnect
    socket.disconnect();
});
Community
galethil
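A server-side form of the catch-all-and-disconnect idea from the answer above, as an added example that is not part of the original answer. It assumes Socket.IO 3 or later, where `socket.onAny()` and the `maxHttpBufferSize` server option are available; `enforceReceiveOnly`, `makeStubSocket`, `demo` and the sample id and address are hypothetical names and constructed values.

```javascript
// Server options (assumed usage: new Server(httpServer, SERVER_OPTIONS)).
// A small per-message cap bounds the work done before any handler runs.
const SERVER_OPTIONS = { maxHttpBufferSize: 1024 };

// Call from io.on('connection', ...). Any event the client emits closes
// the connection; server-to-client emits are unaffected.
function enforceReceiveOnly(socket, onViolation = () => {}) {
  socket.onAny((eventName) => {
    onViolation({ id: socket.id, address: socket.handshake.address, eventName });
    socket.disconnect(true); // true also closes the underlying transport
  });
}

// Constructed stand-in for a server-side socket so the example runs
// without socket.io installed; it mimics only onAny/emit/disconnect.
function makeStubSocket(id, address) {
  const listeners = [];
  return {
    id, handshake: { address }, connected: true, sent: [],
    onAny(fn) { listeners.push(fn); return this; },
    emit(eventName) { if (this.connected) this.sent.push(eventName); return true; },
    disconnect() { this.connected = false; return this; },
    // Simulates a packet arriving from the client.
    receive(eventName, ...args) {
      if (this.connected) listeners.forEach((fn) => fn(eventName, ...args));
    },
  };
}

function demo() {
  const violations = [];
  const socket = makeStubSocket('stub-1', '192.0.2.10'); // constructed values
  enforceReceiveOnly(socket, (v) => violations.push(v));
  socket.emit('tick');            // server -> client: allowed
  socket.receive('flood', 'x');   // client -> server: triggers disconnect
  socket.receive('flood', 'y');   // ignored, socket already closed
  return { violations, connected: socket.connected, sent: socket.sent };
}

console.log(demo());
```

Disconnecting does not stop a client from reconnecting, so the violation callback is the place to feed whatever per-address rate limiting or blocking sits in front of the server.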
1

This probably isn't very helpful, but the best I've heard of doing is Comet streams. It's an older method, and a lot of people don't like it (myself included), but it's an option for one-way server to client updates.

Essentially, on the client side you have an iframe that connects to the server, and the server sends back a response in the form of a multipart response, occasionally sending back script tags with bits of stuff to execute. So, a trivial (and probably broken) example would be this:

<!--index.html-->
<html>
  <body>
    <iframe src="/comet/status"></iframe>
  </body>
</html>

And then the server code...

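// server code (I like Node.JS)
app.get('/comet/status', function (req, res) {
  // A function that does a lot of work,
  //  and occasionally calls a callback with progress
  doWork(function (progress) {
    // Serialize the server-side value into the script; left inside the
    //  quotes it would be an undefined variable in the browser
    res.write('<script>console.log("Progress: " + ' + JSON.stringify(progress) + ');</script>');
  });
  // Assumes doWork is synchronous; if it is asynchronous, end the
  //  response only once the work has finished
  res.end();
});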

Like I said, this is a pretty incomplete example, but it's a way to accomplish what you're looking for, even if in an older way. Instead of console logging, you'd probably update an element that displays progress.

Sessamekesh