How to protect against distributed denial-of-service attacks in Node.js with Socket.io?

Problem

I have been learning node.js and socket.io lately. My question is how can I protect server against client side attacks?

This is my server code

io.sockets.on('connection', function (socket) { 
//users.push(socket);       
socket.on('message', function (data) {      

    socket.on('disconnect', function () { });           

    socket.on('bcast', function (data) {        
        socket.emit('news', { 'data': data });
        socket.broadcast.emit('news', { 'data': data });     
    });

    socket.on('login', function(data){
      socket.emit('login', {'data': [ socket.id, data ] });
    });
   });
 });

For example if a client uses chrome developer tools to do the flowing code

 for(var i = 0; i<99999999999; i++)
 {
        socket.emit('bcast', {data: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'});
 }

its going to kill the server.

Problem courtesy of: Virushan

Solution

Look into JS event throttling and debouncing!

Those techniques will help you prevent and detect attacks to a certain point (which is, in my opinion, enough for a small multiplayer socket game)... I would just disconnect that socket if they are attacking, lol!

If you are interested in a sample code, let me know

EDIT:

In this jsfiddle: http://jsfiddle.net/y4tq9/9/

var sIO = {};

sIO.on = (function(){
    var messages = {};
    var speedLimit = 5; //5ms
    return function(message, handler) {
        messages[message] = messages[message] || {};
        if(messages[message].timestamp && new Date().getTime() - messages[message].timestamp < speedLimit) return false;
        else messages[message].timestamp = new Date().getTime();

        handler();
        return true;
        //execute code, Ex:
    }
}());

you can see that every request sent faster than 5ms will return false, otherwise the handler get run.

You simple disconnect the sockets who send request faster than 5ms (or 2ms, or 3ms depending on your network and your application's weight...).

You might as well using js event throttling on client site to make sure all of your requests doesn't send faster than the speed limit! http://drupalmotion.com/article/debounce-and-throttle-visual-explanation.

This technique will not provide absolute protection from exploiting, but it will prevent your server from crashing when attackers try to Dos...

Solution courtesy of: Keo Strife

Discussion

Given that node is not the "best" at handling such DDoS Conditions within the framework itself I would look into third part DDoS Mitigation tactics such as cloudflare or blacklotus. They are costly offerings if you have a huge scale of use but they will protect Node or really any framework from denial of service attacks.

https://www.cloudflare.com

http://www.blacklotus.net/

Another option is using software based firewall solutions like aiProtect which are a bit more cost effective when scaling past the free tier of cloudflare and blacklotus.

http://aiscaler.com/home/protect

There are many more out there but this one happens to have an AWS partnership so you can easily spin up aiProtect VMs.

Discussion courtesy of: Matt617

It's not always a good idea to do this in your http server. Check this answer: How to prevent DOS attacks on my http server which written in node.js?

Discussion courtesy of: Luca Steeb

This recipe can be found in it's original form on Stack Over Flow.