Beware of resource exhaustion in WebSocket server

[nggit]

WebSocket is a persistent, two-way communication. Which means servers tend to run out of ephemeral ports for clients faster...
Because WebSocket is designed to have no timeouts on most servers!

Let's use Uvicorn as an example (you can use Hypercorn or something else that is designed that way).

It's easy enough to find out your server is affected (run each command/step in a different terminal window):

1. Run the server_ws:app

uvicorn --port 8080 --loop asyncio server_ws:app

2. Run the interactive WebSocket client

python -m websockets ws://localhost:8080/ws

3. Open many WebSocket connections until the server is full

python client_ws.py

4. Now the server can't accept new requests at all (it's okay, the real problem is in step 5)

curl -v http://localhost:8080

5. Go back to interactive WebSocket (step 2) and you will find that the old connection will never be dropped even if the server is at high load.
   This gives 0% chance on new requests.

Code

# server_ws.py
from fastapi import FastAPI, WebSocket

app = FastAPI()


@app.websocket('/ws')
async def websocket_endpoint(websocket: WebSocket):
    await websocket.accept()

    while True:
        message = await websocket.receive_text()
        await websocket.send_text(f'You said: {message}')

# client_ws.py
import asyncio

import websockets

WS_URI = 'ws://localhost:8080/ws'
connections = {}


async def handle_connection(ws):
    try:
        while True:
            pong_waiter = await ws.ping()
            await asyncio.sleep(2)
            await pong_waiter
    except (asyncio.CancelledError, Exception):
        pass
    finally:
        connections.pop(ws, None)
        await ws.close()


async def add_connections():
    while True:
        try:
            ws = await websockets.connect(WS_URI, open_timeout=10)
            connections[ws] = asyncio.create_task(handle_connection(ws))
            print(f'{len(connections)} connected')
        except TimeoutError:
            print('OK. Apparently the server is full!')
            return len(connections)


async def main():
    length = await add_connections()

    while True:
        if len(connections) < length:
            await add_connections()
        else:
            length = len(connections)

        await asyncio.sleep(1)


if __name__ == '__main__':
    asyncio.run(main())

Mitigation

Use proper authentication for WebSocket applications,
do not allow guest mode.

Tremolo got you covered

I understand that applying timeouts to WebSocket is against user experience.

Tremolo implements a kind of sliding window technique, where timeouts will not occur as long as the client does not move out of the window,
which only happens when the server is really busy.

This provides a balance between safety and user experience.