Description
It would be great if there could be a way to limit the number of connections from a single IP address (maybe as a config option).
Right now it seems that if a sufficiently powerful (malicious) client machine opens a large number of connections on a sufficiently weak server, the server may slow down significantly (and pile up a bunch of useless sockets).
I understand that you could use the 'authorization' event on the server-side to authenticate and authorize connections, but what if it's a public service (without any form of authentication being done)? A mechanism which limits the number of connections that a single machine can have would give some extra protection against DoS attacks. This could be a hard limit whereby a client cannot open more than x concurrent connections (any additional ones will just be rejected with an error event on the client) - or it could be a soft limit with some sort of throttle mechanism which artificially limits the speed at which new connections can be opened for that particular IP address.
Firewalls may help resolve this issue, but it would be really nice to have this feature built into socket.io.
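A sketch of the two limits described in the request above, added here as an example and not socket.io code: a hard cap on concurrent connections per IP plus a token-bucket throttle on how fast new ones may open. The class name, option names and default values are assumptions chosen for illustration.

```javascript
// Added example: per-IP admission control (hypothetical names and defaults).
class PerIpConnectionLimiter {
  constructor({ maxConcurrent = 10, burst = 5, refillPerSec = 1 } = {}) {
    this.maxConcurrent = maxConcurrent; // hard limit: open connections per IP
    this.burst = burst;                 // soft limit: token bucket capacity
    this.refillPerSec = refillPerSec;   // tokens regained per second
    this.state = new Map();             // ip -> { open, tokens, last }
  }

  // Call for every connection attempt. Returns { ok, reason }.
  tryAcquire(ip, now = Date.now()) {
    let s = this.state.get(ip);
    if (!s) {
      s = { open: 0, tokens: this.burst, last: now };
      this.state.set(ip, s);
    }
    // Refill the bucket for the time elapsed since the last attempt.
    const elapsedSec = Math.max(0, now - s.last) / 1000;
    s.tokens = Math.min(this.burst, s.tokens + elapsedSec * this.refillPerSec);
    s.last = now;
    if (s.open >= this.maxConcurrent) return { ok: false, reason: 'too_many_connections' };
    if (s.tokens < 1) return { ok: false, reason: 'rate_limited' };
    s.tokens -= 1;
    s.open += 1;
    return { ok: true, reason: null };
  }

  // Call exactly once when an admitted connection closes.
  release(ip) {
    const s = this.state.get(ip);
    if (s) s.open = Math.max(0, s.open - 1);
  }

  // Run periodically: forget IPs with no open connections and a full bucket,
  // so the tracking table itself cannot grow without bound. An entry is kept
  // while its bucket is still refilling, otherwise open/close/open cycles
  // would reset the throttle.
  sweep(now = Date.now()) {
    let removed = 0;
    for (const [ip, s] of this.state) {
      const tokens = s.tokens + (Math.max(0, now - s.last) / 1000) * this.refillPerSec;
      if (s.open === 0 && tokens >= this.burst) {
        this.state.delete(ip);
        removed += 1;
      }
    }
    return removed;
  }
}
```

The key passed in must be the real client address: behind a reverse proxy every connection appears to come from the proxy unless the forwarded address is taken from a header that only that proxy is trusted to set. Clients sharing one NAT address also share one budget, so the limits need headroom for that case.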