I'm trying to harden a java-websocket server against DoS attacks by limiting incoming message size.

I found this great Q&A on C sockets' receive buffers (which I presume is the way to limit size since I cannot find anything else). In it, it says that there are two types of sockets: datagram and streaming.

The answer says that datagram sockets simply cut off any excess bytes which is just fine for my purposes since an incomplete message is incorrect and will cause the sender to be blacklisted.

I'm now trying to determine if WebSockets are datagram or streaming. It seems like they're datagram since they use "frames", but I have no idea. Is that correct?

If they can be streaming, how can java-websocket, client & server, be configured to use datagram, if that's even appropriate? Is it possible to detect an excessively large message with datagram?

If streaming is more appropriate, how can excessively large messages be detected?

  • packet size, receive buffer size & the resulting message (TCP) size are very different things. Also when you receive a message stream, just don't store it in memory until it blows up, you can discard data on the go. http://en.wikipedia.org/wiki/WebSocket – zapl Jan 30 '14 at 17:59
  • @zapl Thank you for looking zapi! I have no idea how to do that or get started. Could you post a code example? Thank you so very much in advance! –  Jan 30 '14 at 18:00
  • I don't have one. But you can basically just read a max of X bytes and then stop. http://stackoverflow.com/questions/15445504/copy-inputstream-abort-operation-if-size-exceeds-limit – zapl Jan 30 '14 at 18:02
  • @zapl Thank you much again zapi! Do you have any idea on how that can be applied to the java-websocket code? Thank you so very, very much again in advance! –  Jan 30 '14 at 18:05

1 Answer

Check this question; it looks like it is not possible to use datagram with the current websocket spec.

Leo
  • Thank you very much Leo! At least my problem's been narrowed. Now, if I could only figure out how to apply it to java-websocket... –  Jan 30 '14 at 18:25
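
As an added example (not part of the original posts, and not java-websocket's own code or API): WebSocket runs over TCP, a byte stream, but every RFC 6455 frame declares its payload length in its header, so a receiver can reject an oversized message before buffering any of it. The class name `FrameSizeGuard`, the method `check` and the 1024-byte limit are assumptions made for illustration.

```java
import java.nio.ByteBuffer;

/** Added illustration: size check on RFC 6455 frame headers; hypothetical class, not java-websocket code. */
public class FrameSizeGuard {
    private final long maxMessageBytes;   // assumed policy limit chosen by the server
    private long messageBytes = 0;        // payload bytes declared so far by the current message

    public FrameSizeGuard(long maxMessageBytes) { this.maxMessageBytes = maxMessageBytes; }

    /**
     * Inspects the frame header at buf.position() without consuming it (ByteBuffer is big-endian
     * by default, matching network byte order). Returns the declared payload length, or -1 if the
     * header is incomplete. Throws if the message, summed over its fragments, exceeds the limit;
     * the caller is expected to close the connection after a throw.
     */
    public long check(ByteBuffer buf) {
        int p = buf.position();
        if (buf.remaining() < 2) return -1;
        int b0 = buf.get(p) & 0xFF, b1 = buf.get(p + 1) & 0xFF;
        boolean fin = (b0 & 0x80) != 0;         // FIN bit: last fragment of a message
        int opcode = b0 & 0x0F;
        long len = b1 & 0x7F;                   // low 7 bits; the top bit is the MASK flag
        if (len == 126) {                       // 16-bit extended length follows
            if (buf.remaining() < 4) return -1;
            len = buf.getShort(p + 2) & 0xFFFF;
        } else if (len == 127) {                // 64-bit extended length follows
            if (buf.remaining() < 10) return -1;
            len = buf.getLong(p + 2);
            if (len < 0) throw new IllegalStateException("invalid length: top bit set");
        }
        if (opcode >= 0x8) {                    // control frames: unfragmented, payload <= 125
            if (!fin || len > 125) throw new IllegalStateException("invalid control frame");
            return len;                         // may be interleaved; not counted toward the message
        }
        if (len > maxMessageBytes - messageBytes)
            throw new IllegalStateException("message exceeds " + maxMessageBytes + " bytes");
        messageBytes = fin ? 0 : messageBytes + len;   // reset once the final fragment is seen
        return len;
    }

    public static void main(String[] args) {
        FrameSizeGuard g = new FrameSizeGuard(1024);
        // Constructed headers: a masked 5-byte text frame, then a masked binary frame declaring 65536 bytes.
        System.out.println(g.check(ByteBuffer.wrap(new byte[] {(byte) 0x81, (byte) 0x85})));
        try {
            g.check(ByteBuffer.wrap(new byte[] {(byte) 0x82, (byte) 0xFF, 0, 0, 0, 0, 0, 1, 0, 0}));
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

RFC 6455 defines close code 1009 ("Message Too Big") for the rejection case, so the connection can be closed with it instead of reading the rest of the payload.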