I'm currently trying to find a solution to someone spamming my webpage via socket.io with a for loop containing millions of calls to emit an arbitrary event to my server. So far I've managed to identify those sockets which are spamming and prevent them from being processed further with middleware.

However, in the middleware, once a socket is flagged, I disconnect the socket via socket.disconnect(true), but that doesn't seem to stop the barrage of incoming messages. It seems the the socket.disconnect event only fires once all incoming events have been delt with. Anyone familiar with Socket.io, node.js, and express? I would need to be able to stop the barrage on my server witihin the io class.

does your server sit behind a firewall? if so block the offending ip address at your firewall.

if no firewall, then block the offending ip address at the operating system level (different for each OS so google it)

or in the webserver software, any webserver software worth anything should give you the ability to block ip addresses.

In short, dont let the offender connect in the first place.

if it is a small range of IP addresses then you can do the same.

If the offender is coming from lots of random IP addresses massively at the same time.....well what are you running that a botnet wants to DoS you anyway?

well what are you running that a botnet wants to DoS you anyway?

Hopefully none of these issues will be a problem. right now I'm exploring the weaknesses of my website. I've set up simulations of what could happen, I'm trying to bunk up my own site. I don't know why anyone would socket spam anybody, but then again, why are there shysters? beats me.

I'll have to look into I.P banning or something similar, along with firewall protections. I am hoping that there might be a simple solution in the API.

To fully close the inbound connection, get ahold of the underlying socket, and call close() on it. I forget exactly how that's done in socket.io, but I remember it being possible by walking some chain of objects.
However, someone who has enough bandwidth at their disposal will be able to flood your inbound network link, even if your application refuses a connection.
To solve that problem, you will need some kind of DDoS mitigation. A cheap-and-somewhat-useful solution is to host your site behind CloudFlare; more advanced providers include Akamai, Verisign, and Neustar. (It doesn't make sense to talk to them until you have a web site with tons of traffic, though.)

Oh, that'd be the dream if I needed something like CloudFlare, fingers crossed. I created a nested emit/on function accidentally between the server and client by calling an 'emit' function within the 'on' function for the same 'on' function. So my server and client we're just going crazy back and forth repeating themselves. It was then I realised this was a potential problem. I think what I'll do for the time being for a bit more security is rely on .post to the node server and then only expose the socket.io function once the user successfully registers, that way if someone is being a shyster I'll at least have more controls to deal with it.