Load spike protection for Django Channels

Is there anything specific that can be done to help make a Django Channels server less susceptible to light or accidental DDoS attack or general load increase from websocket/HTTP clients? Since Channels is not truly asynchronous (still workers behind the scenes), I feel like it would be quite easy to take down a Channels-based website - even with fairly simple hardware. I'm currently building an application on Django Channels and will run some tests later to see how it holds up.

Is there some form of throttling built into Daphne? Should I implement some application-level throttling? This would still be slow since a worker still handles the throttled request, but the request can be much faster. Is there anything else I can do to attempt to thwart these attacks?

One thought I had was to always ensure there are workers designated for specific channels - that way, if the websocket channel gets overloaded, HTTP will still respond.

Edit: I'm well aware that low-level DDoS protection is an ideal solution, and I understand how DDoS attacks work. What I'm looking for is a solution built into Channels that can help handle an increased load like that. Perhaps the ability for Daphne to scale up a channel and scale down another to compensate, or a throttling method that can reduce the weight per request after a certain point.

I'm looking for a daphne/channels specific answer - general answers about DDoS or general load handling are not what I'm looking for - there are lots of other questions on SO about that.

I could also control throttling based on who's logged in and who is not - a throttle for users who are not logged in could help.

Edit again: Please read the whole question! I am not looking for general DDoS mitigation advice or explanations of low-level approaches. I'm wondering if Daphne has support for something like:

  • Throttling
  • Dynamic worker assignment based on queue size
  • Middleware to provide priority to authenticated requests

Or something of that nature. I am also going to reach out to the Channels community directly on this as SO might not be the best place for this question.

asked Jul 15 '17 21:07 by Jamie Counsell

1 Answer

I've received an answer from Andrew Godwin. He doesn't use StackOverflow so I'm posting it here on his behalf.

Hi Jamie,

At the moment Channels has quite limited support for throttling - it pretty much consists of an adjustable channel size for incoming connections which, when full, will cause the server to return a 503 error. Workers are load-balanced based on availability due to the channels design, so there's no risk of a worker gaining a larger queue than others.

Providing more advanced DoS or DDoS protection is probably not something we can do within the scope of Channels itself, but I'd like to make sure we provide the appropriate hooks. Were there particular things you think we could implement that would help you write some of the things you need?

(It's also worth bearing in mind that right now we're changing the worker/consumer layout substantially as part of a major rewrite, which is going to mean different considerations when scaling, so I don't want to give too precise advice just yet)

Andrew

He's also written about the 2.0 migration in his blog.

answered Oct 02 '22 02:10 by Jamie Counsell
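The answer above says the only built-in knob is a channel capacity that yields a 503 once full, and the question asks for per-client throttling and priority for authenticated users. The following is an added example of how to do that yourself at the ASGI boundary, so an over-budget client is refused before any worker or consumer runs. It is not code from Channels, Daphne or Andrew Godwin; it is written against the plain ASGI interface (scope, receive, send) that Daphne speaks, and it assumes an upstream authentication middleware (Channels' AuthMiddlewareStack, for instance) has put a user object with is_authenticated and pk attributes into scope["user"]. The echo_app, FakeClock, FakeUser, run_burst, ANON_HTTP and AUTH_WS names are a constructed offline harness, and the rate limits are illustrative numbers, not recommendations.

```python
import asyncio
import time


class TokenBucket:
    """Classic token bucket: at most ``burst`` tokens, refilled at ``rate`` per second."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.last = clock()

    def allow(self, cost=1.0):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class ThrottleMiddleware:
    """ASGI middleware that rejects over-budget clients before the app runs.

    HTTP requests get a 503 with Retry-After. WebSocket connects are closed
    before accept, which per the ASGI spec makes the server refuse the
    handshake (Daphne replies with HTTP 403). Authenticated users draw from a
    larger bucket keyed by pk; anonymous clients are keyed by IP, so an
    anonymous flood cannot exhaust a logged-in user's budget.
    Limits are (rate_per_second, burst) pairs; the defaults are illustrative.
    """

    def __init__(self, app, anon=(1.0, 5), auth=(10.0, 50), clock=time.monotonic):
        self.app = app
        self.limits = {"anon": anon, "auth": auth}
        self.clock = clock
        self.buckets = {}  # grows without bound: a real deployment must evict idle keys

    @staticmethod
    def client_key(scope):
        user = scope.get("user")  # assumed to be set by an upstream auth middleware
        if user is not None and getattr(user, "is_authenticated", False):
            return ("auth", getattr(user, "pk", None))
        client = scope.get("client") or ("unknown", 0)
        return ("anon", client[0])

    def bucket_for(self, key):
        if key not in self.buckets:
            rate, burst = self.limits[key[0]]
            self.buckets[key] = TokenBucket(rate, burst, self.clock)
        return self.buckets[key]

    async def __call__(self, scope, receive, send):
        if scope["type"] not in ("http", "websocket"):
            return await self.app(scope, receive, send)  # lifespan etc.: pass through
        if self.bucket_for(self.client_key(scope)).allow():
            return await self.app(scope, receive, send)
        if scope["type"] == "http":
            await send({"type": "http.response.start", "status": 503,
                        "headers": [(b"content-type", b"text/plain"), (b"retry-after", b"1")]})
            await send({"type": "http.response.body", "body": b"throttled"})
        else:
            await receive()  # consume websocket.connect
            await send({"type": "websocket.close", "code": 1013})  # 1013: try again later


# --- constructed offline harness; no Daphne or Django needed -----------------

async def echo_app(scope, receive, send):
    """Stand-in for the real application: accepts everything it is handed."""
    if scope["type"] == "http":
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})
    else:
        await receive()
        await send({"type": "websocket.accept"})


class FakeClock:
    """Manually advanced clock so refill behaviour is deterministic."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class FakeUser:
    def __init__(self, pk, is_authenticated=True):
        self.pk, self.is_authenticated = pk, is_authenticated


def run_burst(mw, scope, count):
    """Push ``count`` connections through ``mw``; return each one's first ASGI
    message as an HTTP status, 'websocket.accept' or 'websocket.close'."""
    async def one():
        sent = []

        async def receive():
            if scope["type"] == "websocket":
                return {"type": "websocket.connect"}
            return {"type": "http.request", "body": b"", "more_body": False}

        async def send(msg):
            sent.append(msg)

        await mw(dict(scope), receive, send)
        first = sent[0]
        return first["status"] if first["type"] == "http.response.start" else first["type"]

    async def go():
        return [await one() for _ in range(count)]

    return asyncio.run(go())


ANON_HTTP = {"type": "http", "method": "GET", "path": "/",
             "client": ("203.0.113.9", 40001), "user": None}            # constructed
AUTH_WS = {"type": "websocket", "path": "/ws/",
           "client": ("203.0.113.9", 40002), "user": FakeUser(pk=7)}   # constructed


if __name__ == "__main__":
    clock = FakeClock()
    mw = ThrottleMiddleware(echo_app, anon=(1.0, 3), auth=(10.0, 20), clock=clock)
    print(run_burst(mw, ANON_HTTP, 5))  # [200, 200, 200, 503, 503]
    clock.t += 2.0                      # two seconds pass: two tokens refilled
    print(run_burst(mw, ANON_HTTP, 3))  # [200, 200, 503]
    print(run_burst(mw, AUTH_WS, 22))   # 20 accepts, then 2 closes (own bucket, same IP)
```

Two caveats a practitioner should keep in mind. First, the per-process dict of buckets is only a per-process limit: with several Daphne instances behind a load balancer each one enforces its own budget, so a shared store (the same Redis the channel layer already uses) is needed for a global limit. Second, scope["client"] is whatever the server saw; behind a reverse proxy every connection arrives from the proxy's address, so the key must come from a trusted forwarded-for header instead, or every anonymous user lands in one bucket.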