Flooding and rate limiting socket connections?

NodeBB Development
  • I've seen that there is a file called ratelimit.js in which NodeBB limits the number of connections that can be simultaneously connected to the app. When this limit is crossed, it disconnects users from the socket connections.

    var allowedCalls = 100;
    var timeframe = 10000;
    if (socket.callsPerSecond > allowedCalls && socket.elapsedTime < timeframe) {
        winston.warn('Flooding detected! Calls : ' + socket.callsPerSecond + ', Duration : ' + socket.elapsedTime);
        return true;

    Why is this necessary? Is it not possible to connect as many users as our server can handle and scale using load balancers etc?.

    Why is this setting hard coded into the application?

    P.S. I'm using NodeBB v1.5.3.

  • 1.5.3? Why? That's very old at this point.

    Socket connections can be used to DDOS, which I assume is why that exists. Maybe it should be a configurable value.

  • That check is applied on a per user basis, it is there to prevent a single user from making thousands of calls, it doesn't limit concurrent users.

Suggested Topics