The tale of avoiding a time-based DDOS attack in Node.js

This ad is not shown to multipass and full ticket holders
React Advanced
React Advanced 2026
October 23 - 26, 2026
London, UK & Online
Upcoming event
React Advanced 2026
React Advanced 2026
October 23 - 26, 2026. London, UK & Online
Bookmark
Rate this content
Sentry
Promoted
Code breaks, fix it faster

Crashes, slowdowns, regressions in prod. Seer by Sentry unifies traces, replays, errors, profiles to find root causes fast.

Get started

Web applications are commonly vulnerable to several Distributed Denial of Service attacks, sometimes in unexpected ways. An example is the SlowLoris attack, an exploit that leads to service interruption by simply sending the data to the server as slowest as possible.  In this talk I will tell the tale of how it took almost 13 years for Node to be completely protected by SlowLoris attack. I will also show that sometimes prioritizing performance can lead to incorrect fixes that can result in a false sense of protection.

This talk has been presented at Node Congress 2023, check out the latest edition of this JavaScript Conference.

FAQ

Nearform is a professional services company that operates fully remotely. They are always looking for new talents and have more than 300 employees. They also have a significant presence on NPM with 1 billion monthly downloads.

Orama is a company co-founded by a staff Dx engineer at Nearform. Its goal is to reinvent the text search industry using JavaScript and staying open source. They aim to support searching everywhere JavaScript can run.

Web applications are crucial for various purposes such as telemedicine, online banking, national security, social networks, and messaging. These applications need to be available at all times, as downtime can severely impact users, especially those relying on them for essential communication.

A Distributed Denial of Service (DDoS) attack is a type of cyber attack where multiple compromised systems are used to flood a targeted network resource with traffic, making it unavailable to its intended users.

A Slowloris attack is a type of DDoS attack that uses minimal bandwidth to make a server unavailable. It works by opening multiple connections to a server and sending incomplete requests, keeping these connections open and exhausting the server's resources.

Avoid overengineering solutions as it can harm performance. Also, never assume that a single layer of protection is sufficient; use multiple layers such as proper timeout handling and reverse proxies.

As of Node.js version 18.0.0, Node.js handles Slowloris attacks by periodically checking all sockets every 30 seconds and closing any that have expired. It maintains a list of connected sockets to make these checks effective.

Updating to Node.js version 18.0.0 or higher is recommended because it includes built-in protections against Slowloris attacks by default, such as periodic socket checks and safer timeout defaults.

To protect against a Slowloris attack, you should implement proper timeout handling. This includes setting timeouts for idle sockets and request headers. Using reverse proxies or API gateways like NGINX in front of your Node.js application can also help mitigate such attacks.

Best practices for server security include always thinking about security first, validating your code regularly, and using common sense. Ensure proper timeout handling, use reverse proxies, and keep your software updated to the latest versions with security patches.

Paolo Insogna
Paolo Insogna
29 min
14 Apr, 2023

Comments

Sign in or register to post your comment.
Video Summary and Transcription
The video discusses the persistent threat of DDoS attacks, specifically focusing on the Slowloris attack, which targets servers by keeping connections open and exhausting resources. The speaker emphasizes the importance of proper timeout handling in Node.js to defend against such attacks, highlighting that Node.js version 18.0.0 offers built-in protections like periodic socket checks. For those using older versions, enabling configurations like HTTP.server.timeout and HTTP.server.requestTimeout is advised. Additionally, utilizing a reverse proxy like NGINX can further mitigate these threats. The talk also covers the Zoloris attack, a variant that uses minimal bandwidth to disrupt servers. Node.js denial of service is a significant concern, and updating to the latest version is crucial for security. Understanding the role of ULIMIT in managing system resources and employing strategies like banning offending IPs temporarily are also discussed as part of effective server security measures.

1. Introduction and Background

Short description:

Sometimes your worst enemy is just slowness. At the end of the talk, you will be amazed at what happened. I am a staff Dx engineer at Nearform and co-founder and principal architect at Orama. Nearform is a professional services company fully remote. We are 300 and counting, fully remote, and unfortunately you cannot escape from us on NPM. Without Orama, we plan to reinvent the text search industry using JavaScript and staying open source.

I promise I will change this title because it's definitely too long but let's put to a short catchy sentence. Sometimes your worst enemy is just slowness. You now don't believe me but at the end of the talk you actually will believe me and you will be amazed on how this happened.

First of all let me slightly reintroduce myself. For people that ask me where do I come from? The little tiny dot there in the centre of South Italy and I can tell you that the rest of Italy does not acknowledge our existence. My region is completely forgotten. Don't ask me why but as I was also said I am a staff Dx engineer at Nearform and co-founder and principal architect at Orama. What are these companies? Nearform is a professional services company fully remote. We are always looking for new talents so if you're interested come say hi to me after this talk. We are 300 and counting, fully remote, and unfortunately you cannot escape from us on NPM. We are 1 billion monthly downloads on our packages, 8% so unfortunately you cannot escape. Without Orama, we plan just to do one simple thing. Search everywhere, wherever you can run JavaScript. We are trying to reinvent the text search industry, just using JavaScript and staying open source. Once again, if you're interested, come say hi to me later, to me or my co-founder Michele and Angela, we are outside.

2. DDoS Attacks and the Zoloris

Short description:

Nowadays web applications are crucial, serving important functions like telemedicine, online banking, and national security, as well as more trivial purposes like social networks and messaging. However, even these seemingly trivial applications are vital for certain individuals, such as the elderly who rely on messaging apps to communicate. The constant threat of DDoS attacks looms over all applications, as attackers always outnumber those defending. DDoS attacks involve overwhelming a network resource with malicious requests, and the distributed variant, where malicious traffic comes from multiple sources, is particularly challenging to combat. While it was once believed that DDoS attacks required a significant amount of resources, a new threat called Zoloris proves otherwise.

Let's get to the meat. Nowadays we are using more and more web applications and they are very important for all our usage. They can range from very important topics like, I don't know telemedicine, online banking, national security, or whatever, to what might be taken as trivial topics like social networks, messaging and so forth.

I say it might be called trivial because if you think about accessibility and inclusion, for some kind of people like elderly and so forth, WhatsApp might be the only way to talk to their nephew. So if you have WhatsApp down, you cut them off from very important part of their communication. So all these applications simply can never go down. That's not going to happen.

Which brings to another problem that we are always all vulnerable. No matter how smart you think you are, no matter how many people work for security in your company, remember that there's going to be 10 more people outside trying to waste your time and mess with your application and to bring them down. Unfortunately, they always outnumbering you.

This brings to one category of attacks which is usually well known. Please raise your hand if you know about DDoS attacks. And raise your hand if you know DDoS attacks, the dead variant. Okay pretty much the same people. So in short. So denial of service attack is kind of attack where a network resource is maliciously made unavailable to the intended user. Now the application is not breached by the attacker but is overwhelmed by requests. There is the distributed version which is the DDoS attack which is what I'm gonna focus from now on. Which is a variant where malicious traffic comes from several resources across the web. Which is much harder to fight for the reason that we will see in a bit. Now up to a few years ago it was a common understanding that in order to drive a DDoS attack, the attacker must use a lot of resources from several sources across the globe. Now please raise your hand if you think that this is still true and in order to run a DDoS attack you have to use a lot of resources. Okay, okay, that's kind of true and not and I will show you in a bit why that's the case. Because first of all let me introduce you your real enemy for today. This is the most horrific animal I ever seen in IT. This guy. This guy is terrifying. When I will tell you why you will say okay, this is amazing. So this is the Zoloris and basically is a very, very, very, very small, small and slow animal. By definition, it moves very slow.

QnA

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Top Content
The talk discusses the importance of supply chain security in the open source ecosystem, highlighting the risks of relying on open source code without proper code review. It explores the trend of supply chain attacks and the need for a new approach to detect and block malicious dependencies. The talk also introduces Socket, a tool that assesses the security of packages and provides automation and analysis to protect against malware and supply chain attacks. It emphasizes the need to prioritize security in software development and offers insights into potential solutions such as realms and Deno's command line flags.
ESM Loaders: Enhancing Module Loading in Node.js
JSNation 2023JSNation 2023
22 min
ESM Loaders: Enhancing Module Loading in Node.js
Top Content
ESM Loaders enhance module loading in Node.js by resolving URLs and reading files from the disk. Module loaders can override modules and change how they are found. Enhancing the loading phase involves loading directly from HTTP and loading TypeScript code without building it. The loader in the module URL handles URL resolution and uses fetch to fetch the source code. Loaders can be chained together to load from different sources, transform source code, and resolve URLs differently. The future of module loading enhancements is promising and simple to use.
The State of Node.js 2025
JSNation 2025JSNation 2025
30 min
The State of Node.js 2025
Top Content
The speaker covers a wide range of topics related to Node.js, including its resilience, popularity, and significance in the tech ecosystem. They discuss Node.js version support, organization activity, development updates, enhancements, and security updates. Node.js relies heavily on volunteers for governance and contribution. The speaker introduces an application server for Node.js enabling PHP integration. Insights are shared on Node.js downloads, infrastructure challenges, software maintenance, and the importance of update schedules for security.
Towards a Standard Library for JavaScript Runtimes
Node Congress 2022Node Congress 2022
34 min
Towards a Standard Library for JavaScript Runtimes
Top Content
There is a need for a standard library of APIs for JavaScript runtimes, as there are currently multiple ways to perform fundamental tasks like base64 encoding. JavaScript runtimes have historically lacked a standard library, causing friction and difficulty for developers. The idea of a small core has both benefits and drawbacks, with some runtimes abusing it to limit innovation. There is a misalignment between Node and web browsers in terms of functionality and API standards. The proposal is to involve browser developers in conversations about API standardization and to create a common standard library for JavaScript runtimes.
Out of the Box Node.js Diagnostics
Node Congress 2022Node Congress 2022
34 min
Out of the Box Node.js Diagnostics
This talk covers various techniques for getting diagnostics information out of Node.js, including debugging with environment variables, handling warnings and deprecations, tracing uncaught exceptions and process exit, using the v8 inspector and dev tools, and generating diagnostic reports. The speaker also mentions areas for improvement in Node.js diagnostics and provides resources for learning and contributing. Additionally, the responsibilities of the Technical Steering Committee in the TS community are discussed.
The State of Passwordless Auth on the Web
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Passwords are terrible and easily hacked, with most people not using password managers. The credential management API and autocomplete attribute can improve user experience and security. Two-factor authentication enhances security but regresses user experience. Passkeys offer a seamless and secure login experience, but browser support may be limited. Recommendations include detecting Passkey support and offering fallbacks to passwords and two-factor authentication.

Workshops on related topic

Hands-On Workshop: Introduction to Pentesting for Web Apps / Web APIs
JSNation US 2024JSNation US 2024
148 min
Hands-On Workshop: Introduction to Pentesting for Web Apps / Web APIs
Featured Workshop
Gregor Biswanger
Gregor Biswanger
In this hands-on workshop, you will be equipped with the tools to effectively test the security of web applications. This course is designed for beginners as well as those already familiar with web application security testing who wish to expand their knowledge. In a world where websites play an increasingly central role, ensuring the security of these technologies is crucial. Understanding the attacker's perspective and knowing the appropriate defense mechanisms have become essential skills for IT professionals.This workshop, led by the renowned trainer Gregor Biswanger, will guide you through the use of industry-standard pentesting tools such as Burp Suite, OWASP ZAP, and the professional pentesting framework Metasploit. You will learn how to identify and exploit common vulnerabilities in web applications. Through practical exercises and challenges, you will be able to put your theoretical knowledge into practice and expand it. In this course, you will acquire the fundamental skills necessary to protect your websites from attacks and enhance the security of your systems.
Building a RAG System in Node.js: Vector Databases, Embeddings & Chunking
Node Congress 2025Node Congress 2025
98 min
Building a RAG System in Node.js: Vector Databases, Embeddings & Chunking
Featured Workshop
Alex Korzhikov
Pavlik Kiselev
2 authors
Large Language Models (LLMs) are powerful, but they often lack real-time knowledge. Retrieval-Augmented Generation (RAG) bridges this gap by fetching relevant information from external sources before generating responses. In this workshop, we’ll explore how to build an efficient RAG pipeline in Node.js using RSS feeds as a data source. We’ll compare different vector databases (FAISS, pgvector, Elasticsearch), embedding methods, and testing strategies. We’ll also cover the crucial role of chunking—splitting and structuring data effectively for better retrieval performance.Prerequisites- Good understanding of JavaScript or TypeScript- Experience with Node.js and API development- Basic knowledge of databases and LLMs is helpful but not required
Agenda📢 Introduction to RAG💻 Demo - Example Application (RAG with RSS Feeds)📕 Vector Databases (FAISS, pgvector, Elasticsearch) & Embeddings🛠️ Chunking Strategies for Better Retrieval🔬 Testing & Evaluating RAG Pipelines (Precision, Recall, Performance)🏊‍♀️ Performance & Optimization Considerations🥟 Summary & Q&A
Build a MCP (Model Context Protocol) in Node.js
JSNation US 2025JSNation US 2025
97 min
Build a MCP (Model Context Protocol) in Node.js
Featured Workshop
Julián Duque
Julián Duque
Model Context Protocol (MCP) introduces a structured approach to LLM context management that addresses limitations in traditional prompting methods. In this workshop, you'll learn about the Model Context Protocol, its architecture, and how to build and use and MCP with Node.jsTable of Contents:What Is the Model Context Protocol?Types of MCPs (Stdio, SSE, HTTP Streaming)Understanding Tools, Resources, and PromptsBuilding an MCP with the Official TypeScript SDK in Node.jsDeploying the MCP to the Cloud (Heroku)Integrating the MCP with Your Favorite AI Tool (Claude Desktop, Cursor, Windsurf, VS Code Copilot)Security Considerations and Best Practices
Node.js Masterclass
Node Congress 2023Node Congress 2023
109 min
Node.js Masterclass
Top Content
Workshop
Matteo Collina
Matteo Collina
Have you ever struggled with designing and structuring your Node.js applications? Building applications that are well organised, testable and extendable is not always easy. It can often turn out to be a lot more complicated than you expect it to be. In this live event Matteo will show you how he builds Node.js applications from scratch. You’ll learn how he approaches application design, and the philosophies that he applies to create modular, maintainable and effective applications.

Level: intermediate
Build and Deploy a Backend With Fastify & Platformatic
JSNation 2023JSNation 2023
104 min
Build and Deploy a Backend With Fastify & Platformatic
Top Content
WorkshopFree
Matteo Collina
Matteo Collina
Platformatic allows you to rapidly develop GraphQL and REST APIs with minimal effort. The best part is that it also allows you to unleash the full potential of Node.js and Fastify whenever you need to. You can fully customise a Platformatic application by writing your own additional features and plugins. In the workshop, we’ll cover both our Open Source modules and our Cloud offering:- Platformatic OSS (open-source software) — Tools and libraries for rapidly building robust applications with Node.js (https://oss.platformatic.dev/).- Platformatic Cloud (currently in beta) — Our hosting platform that includes features such as preview apps, built-in metrics and integration with your Git flow (https://platformatic.dev/). 
In this workshop you'll learn how to develop APIs with Fastify and deploy them to the Platformatic Cloud.
Building a Hyper Fast Web Server with Deno
JSNation Live 2021JSNation Live 2021
156 min
Building a Hyper Fast Web Server with Deno
Top Content
Workshop
Matt Landers
Will Johnston
2 authors
Deno 1.9 introduced a new web server API that takes advantage of Hyper, a fast and correct HTTP implementation for Rust. Using this API instead of the std/http implementation increases performance and provides support for HTTP2. In this workshop, learn how to create a web server utilizing Hyper under the hood and boost the performance for your web apps.