Open
Description
We faced a DoS attack which simply was exploiting invalid requests like
query AAA ($a:a, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, ..... 1000 elems..., $a:a, ) { a }
query AAB ($b:b, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, ..... 1000 elems..., $a:a, ) { a }
query AAC ($c:c, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, ..... 1000 elems..., $a:a, ) { a }
It produces huge latency and blocks other concurrent queries (the NodeJS loop is blocked by validating and/or generating errors), which is the most crucial point.
The Graphql validate function has an option to configure maxErrors and aborts the validation if it hits the limit.
Before (unlimited, maxErrors: undefined)
After (maxErrors: 10)
X-Guardian
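Added example, not code from the issue or from graphql-js: a small stand-alone model of the UniqueVariableNames rule with an error budget, so the effect of capping maxErrors on a flood of duplicate variable definitions like the one above can be measured without the library. The query builder, the regex-based variable extractor and the function names are constructed for this example; in production the same cap is applied by calling graphql-js's `validate(schema, documentAST, specifiedRules, { maxErrors: 10 })` and the duplicate-variable errors are produced by its own parser and rules, not by this code.

```javascript
// Model of duplicate-variable validation under a maxErrors cap.
// Constructed example; not graphql-js source. The real library raises one
// error per duplicate variable definition and, with maxErrors set, appends
// a final "error limit reached" error and stops validating.

// Build a query shaped like the issue's: one distinct variable followed by
// `count` copies of `$a:a`.
function buildFloodQuery(name, count) {
  const defs = ['$' + name + ':' + name];
  for (let i = 0; i < count; i++) defs.push('$a:a');
  return `query AAA (${defs.join(', ')}) { a }`;
}

// Extract variable names from the parenthesised definition list.
// A regex stand-in for graphql-js's `parse`; enough for this query shape.
function variableNames(query) {
  const m = /\(([^)]*)\)/.exec(query);
  if (!m) return [];
  const names = [];
  const re = /\$(\w+)\s*:/g;
  let v;
  while ((v = re.exec(m[1])) !== null) names.push(v[1]);
  return names;
}

// Walk the definitions, report each duplicate, and abort once the error
// budget is spent. `visited` shows how much work the walk actually did:
// bounded by maxErrors instead of by the attacker-controlled list length.
function checkUniqueVariables(query, maxErrors = Infinity) {
  const names = variableNames(query);
  const known = new Set();
  const errors = [];
  let visited = 0;
  for (const name of names) {
    visited++;
    if (known.has(name)) {
      errors.push(`There can be only one variable named "$${name}".`);
      if (errors.length >= maxErrors) {
        // Same shape as graphql-js: one terminal error, then stop.
        errors.push('Too many validation errors, error limit reached. Validation aborted.');
        break;
      }
    } else {
      known.add(name);
    }
  }
  return { errors, visited, total: names.length };
}

// Compare unlimited validation with a capped one on the same flood query.
function compareCaps(duplicates, cap) {
  const query = buildFloodQuery('b', duplicates);
  return {
    unlimited: checkUniqueVariables(query),
    capped: checkUniqueVariables(query, cap),
  };
}

const result = compareCaps(1000, 10);
console.log('unlimited:', result.unlimited.errors.length, 'errors,', result.unlimited.visited, 'definitions visited');
console.log('maxErrors=10:', result.capped.errors.length, 'errors,', result.capped.visited, 'definitions visited');
```

With 1000 duplicate definitions the unlimited walk visits all 1001 definitions and builds 999 error objects per request; with maxErrors set to 10 it stops after 12 definitions and 11 errors, which is why the cap keeps the event loop free for the concurrent queries the issue is concerned about. Note that parsing the document still costs time proportional to its size, so a request body size limit belongs in front of the cap.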