Very interesting. Yes, I think rate limiting on both sides is necessary.
This is an excellent fuzzing method.
I tried running chorus and hitting it with this attack from a local process. For about 100,000 bytes (in 0.031 seconds) chorus handles and prints all the errors, generally being JSON parse errors. Then a bug is hit and I get a thread panic (chorus main thread continues, only that one connection is dropped)
Also chorus has mechanisms to drop connections and block IPs based on too many errors coming in, but for some reason these didn't work against this.
This is Sunday I wasn't going to do dev work today, but this is too interesting.