chunkloris: uvicorn (websockets impl)
on this page
part of the chunkloris per-chunk amplification survey. this page is the per-server record for uvicorn (websockets impl) under websocket text frames.
at a glance
- server: uvicorn (websockets impl)
uvicorn 0.32.1, websockets 13.1, starlette 0.41.3 - runtime: python-3.13
- ecosystem: python
- concurrency model: event-loop
- parser: websockets (pure-python frame decoder)
- delivery granularity:
per-frame - chunk-limit helper: none exposed by the framework
- verdict: per-frame β the parser/dispatcher boundary delivers one event per protocol frame (h2 / h3 DATA frame, or ws data frame). cpu cost under paced mode b is measurable per frame.
- scaling exponent (mode a): 1.00 (wall time vs N, log-log slope across common cells)
measurements
all cells run on a 1-vcpu docker container. cpu cost is derived from the target containerβs cgroup v2 cpu.stat usage_usec delta around each cell.
| mode | N | wall (s) | server cpu % | Β΅s / frame | basis | ok |
|---|---|---|---|---|---|---|
A-ws-bridge | 50,000 | 0.237 | β | 4.740 | wall | β |
A-ws-bridge | 100,000 | 0.466 | β | 4.660 | wall | β |
A-ws-bridge | 250,000 | 1.173 | β | 4.690 | wall | β |
B-ws-paced-100us | 50,000 | 5.229 | β | 4.580 | server-cpu-overhead | β |
B-ws-paced-100us | 100,000 | 10.616 | β | 6.160 | server-cpu-overhead | β |
B-ws-paced-100us | 250,000 | 26.252 | β | 5.010 | server-cpu-overhead | β |
what this means
the parser/dispatcher path on this server delivers one event per protocol frame (a websocket text frames DATA frame or ws frame), so an attacker who sends a request body as N one-byte frames consumes roughly N Γ (mode-b Β΅s/frame) of server cpu on a single core.
what to do today
- consider imposing a per-connection frame-rate cap before delivering frames to the application.
- the asgi spec does not provide a per-frame batching primitive at the application boundary; the closest workaround is to read from the receive channel and buffer at the application layer before doing per-message work.
reproducer
the full reproducer for this server is in the paper repo. the docker container pins uvicorn (websockets impl) uvicorn 0.32.1, websockets 13.1, starlette 0.41.3 and constrains the test container to a single cpu (--cpus=1). the prober script implements mode a (bridge-coalesced) and mode b (paced 100 Β΅s) per the methodology section.
see the draft pdf for the full per-framework discussion.