Websocket protection


We are about to begin a new project and I’m taking the lead in development. I thought about using WebSockets; however, I’m unsure how well they are protected. Most of the information I found is related to them being available or general limits on the usage.
Given https://support.cloudflare.com/hc/en-us/articles/200169466-Using-Cloudflare-with-WebSockets it seems like there is a limit on the active connections, but it doesn’t mention anything in regard to DDoS protection.
I guess that the default protection against TCP/UDP attacks is there; however, application protection needs some sort of tuning for all different projects. What are our options in the event of a proxied attack or just a botnet attack that targets our WebSockets? With HTTP we can deploy new firewall rules, but it seems like that’s not an option for WebSockets; a rate limit would be ideal.


All the same protections apply for the initial connection, just not to anything within the websocket messages themselves - CF effectively becomes a regular transparent proxy within that websocket after it’s connected, and someone very well could push gigabytes of random stuff without CF’s software noticing.
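
As an added example, not part of the original posts and not Cloudflare code: because messages inside an established WebSocket are not inspected, per-connection limits have to be enforced at the origin. The class names, limits and strike policy below are assumptions chosen for illustration.

```javascript
// Added example: per-connection inbound message limiter for the origin server.
// Names and limits are illustrative assumptions, not Cloudflare settings.
class TokenBucket {
  constructor(capacity, refillPerSec, now) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.tokens = capacity;
    this.last = now;
  }
  // Refill for the elapsed time, then try to spend `cost` tokens.
  take(cost, now) {
    const elapsed = Math.max(0, now - this.last) / 1000;
    this.tokens = Math.min(this.capacity, this.tokens + elapsed * this.refillPerSec);
    this.last = now;
    if (cost > this.tokens) return false;
    this.tokens -= cost;
    return true;
  }
}

class ConnectionLimiter {
  constructor(opts, now = Date.now()) {
    this.maxMessageBytes = opts.maxMessageBytes;
    this.maxStrikes = opts.maxStrikes;
    this.strikes = 0;
    this.msgs = new TokenBucket(opts.msgBurst, opts.msgsPerSec, now);
    this.bytes = new TokenBucket(opts.byteBurst, opts.bytesPerSec, now);
  }
  // Decide what to do with one inbound message of `byteLength` bytes.
  // Returns { action: 'allow' | 'drop' | 'close', code? }.
  check(byteLength, now = Date.now()) {
    if (byteLength > this.maxMessageBytes) return { action: 'close', code: 1009 }; // Message Too Big
    const okMsg = this.msgs.take(1, now);
    const okBytes = okMsg && this.bytes.take(byteLength, now);
    if (okMsg && okBytes) return { action: 'allow' };
    this.strikes += 1; // repeated violations end the connection
    return this.strikes >= this.maxStrikes
      ? { action: 'close', code: 1008 } // Policy Violation
      : { action: 'drop' };
  }
}

// Constructed limits: 5 msgs/s (burst 10), 32 KiB/s (burst 128 KiB), 64 KiB per message.
const LIMITS = { maxMessageBytes: 64 * 1024, msgsPerSec: 5, msgBurst: 10,
                 bytesPerSec: 32 * 1024, byteBurst: 128 * 1024, maxStrikes: 3 };
```

Create one `ConnectionLimiter` per accepted socket, call `check()` with each message's byte length from the message handler, and close the socket with the returned code when the action is `close`.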


And that is terrible. I saw some providers who allow us to tune a lot of parameters to prevent this.

This would be perfect, but it seems to be from an enterprise solution (competitor), so we can guess that the price is in the 4-5 figures, which we can’t afford, unfortunately.

@cloonan I hope that you don’t mind the ping; do you know if this is something that Cloudflare is looking to address? I understand that it might not be as common, but it’s definitely something that can be exploited terribly by the wrong people.
