Inspired by a recent topic in the forums, I spent some time poking at Meteor’s rate limiter.
I noticed that while method and subscription requests can be rate limited, WebSocket connection requests cannot. This means that a malicious user could potentially flood a server with WebSocket connections, effectively denying access for other users.
For more information, check out my recent blog post. The surefire fix for this issue is to move your application behind a proxy layer like nginx, which can be used to limit requests to your WebSocket endpoint.
Other potential fixes could possibly include adding a new type of rate limiter event, "connection", and letting developers define their own connection rate limits. I haven’t done this, so I’m not sure how effective it would be.
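An added example of the nginx approach described above (not code from the post or from Meteor itself): it assumes Meteor listens on 127.0.0.1:3000 and that its DDP transport is served under the /sockjs/ prefix, so only that path gets the per-IP handshake and connection caps.

```nginx
# Added example: nginx in front of a Meteor app, limiting WebSocket
# connection attempts per client IP. Assumed: Meteor on 127.0.0.1:3000,
# DDP/SockJS transport under /sockjs/ (adjust for your deployment).

http {
    # Zone keyed by client IP (10 MB holds roughly 160k addresses).
    # Allow on average 5 new requests per second per IP to the WebSocket path.
    limit_req_zone $binary_remote_addr zone=ws_handshake:10m rate=5r/s;
    # Separate zone to cap simultaneous open connections per IP on that path.
    limit_conn_zone $binary_remote_addr zone=ws_conn:10m;

    # Return 429 instead of the default 503 so rejections stand out in logs.
    limit_req_status 429;
    limit_conn_status 429;

    upstream meteor {
        server 127.0.0.1:3000;
    }

    server {
        listen 80;
        server_name example.com;   # placeholder hostname

        # DDP transport: the only location where the WebSocket limits apply.
        location /sockjs/ {
            limit_req zone=ws_handshake burst=10 nodelay;  # short bursts OK
            limit_conn ws_conn 20;                         # max 20 open per IP

            proxy_pass http://meteor;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Long-lived sockets: do not drop idle WebSocket frames too early.
            proxy_read_timeout 3600s;
        }

        # HTML and static assets are proxied without the WebSocket limits.
        location / {
            proxy_pass http://meteor;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Clients behind a shared NAT address count against the same zone entry, so tune the `limit_conn` ceiling to your user base and watch for 429s in the access log before tightening further.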