Websocket protection


We are about to begin a new project and I’m taking the lead in development. I thought about using WebSockets; however, I’m unsure how well they are protected. Most of the information I found is related to them being available or general limits on the usage.
Given https://support.cloudflare.com/hc/en-us/articles/200169466-Using-Cloudflare-with-WebSockets it seems like there is a limit on the active connections, but it doesn’t mention anything in regard to the DDoS protection.
I guess that the default protection against TCP/UDP attacks is there; however, application protection needs some sort of tuning for all different projects. What are our options in the event of a proxied attack or just a botnet attack that targets our WebSockets? With HTTP we can deploy new firewall rules, but it seems like that’s not an option for WebSockets; a rate limit would be ideal.


All the same protections apply for the initial connection, just not to anything within the websocket messages themselves - CF effectively becomes a regular transparent proxy within that websocket after it’s connected, and someone very well could push gigabytes of random stuff without CF’s software noticing.


And that is terrible. I saw some providers who allow us to tune a lot of parameters to prevent this.

This would be perfect, but it seems to be from an enterprise solution (competitor), so we can guess that the price is in the 4-5 figures, which we can’t afford unfortunately.

@cloonan I hope that you don’t mind the ping, do you know if this is something that Cloudflare is looking to address? I understand that it might not be as common, but it’s definitely something that can be exploited terribly by the wrong people.
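
The reply above points out that nothing inside an established WebSocket is inspected by the proxy, so message size and rate limits have to be enforced at the origin. The following is an added example, not part of the thread and not Cloudflare code: a per-connection token-bucket guard in Python, where the limits, the class names and the replayed trace are all assumptions constructed for illustration.

```python
# Added example; every limit below is an assumed value to tune per application.
MAX_MESSAGE_BYTES = 64 * 1024               # larger messages end the connection
MSGS_PER_SEC, BURST_MSGS = 20, 40           # sustained / burst message budget
BYTES_PER_SEC, BURST_BYTES = 32 * 1024, 128 * 1024
MAX_STRIKES = 3                             # over-budget messages before closing
CLOSE_POLICY, CLOSE_TOO_BIG = 1008, 1009    # RFC 6455 close codes


class Bucket:
    """Token bucket refilled from timestamps supplied by the caller."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = float(burst), now

    def take(self, cost, now):
        self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now
        if cost > self.tokens:
            return False
        self.tokens -= cost
        return True


class ConnectionGuard:
    """Create one per accepted WebSocket; call check() before handling a message."""
    def __init__(self, now):
        self.msgs = Bucket(MSGS_PER_SEC, BURST_MSGS, now)
        self.data = Bucket(BYTES_PER_SEC, BURST_BYTES, now)
        self.strikes = 0

    def check(self, size, now):
        """Return ("accept" | "drop" | "close", close code or None)."""
        if size > MAX_MESSAGE_BYTES:
            return ("close", CLOSE_TOO_BIG)
        if self.msgs.take(1, now) and self.data.take(size, now):
            return ("accept", None)
        self.strikes += 1
        return ("close", CLOSE_POLICY) if self.strikes >= MAX_STRIKES else ("drop", None)


def replay(trace):
    """Run a constructed trace of (timestamp, size) pairs; stop at the first close."""
    guard, out = ConnectionGuard(trace[0][0]), []
    for now, size in trace:
        out.append(guard.check(size, now))
        if out[-1][0] == "close":
            break
    return out
```

In a real server the guard would be created in the connection handler and `check()` called with the length of each received message and a monotonic clock reading; the library's own maximum message size setting should also be set so oversized frames are rejected before they are buffered.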