DoS style attack on noVNC server can lead to service interruption or disruption
Currently, there is no limit on the number of VNC sessions that can be created with a single user's VNC token, which enables a user to cause a DoS attack on the noVNC browser proxy by requesting multiple sessions. This prevents subsequent access to the VM's VNC console.
Affected Services / Software
Horizon (VNC Console through browser), Nova (NoVNC proxy), Grizzly
NoVNC Proxy is explained well here.
Once a user obtains a token to access a VM's VNC console, there is no restriction on the number of times that user can connect to the VNC console with the same token. If multiple connection requests are made, any subsequent request could time out. This could impact users already connected to VNC sessions, as well as other users trying to make new connections. It could also impact the overall responsiveness of other Nova services running on the noVNC host.
Thus, a user could make the noVNC proxy endpoint unresponsive or unreachable, resulting in a DoS attack. Note, however, that there is no amplification effect.
For current stable releases (Grizzly), users need to work around this vulnerability by placing rate-limiting proxies in front of the noVNC hosts. Rate limiting is a common mechanism for preventing DoS and brute-force attacks. You can find more discussion of rate limiting in the OpenStack Networking best practices here.
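The control the advisory says is missing is a per-token limit on the proxy side. As an added example (not code from Nova, noVNC or Horizon), the hypothetical class below shows the two checks a rate-limiting front-end could apply to each proxied websocket connect: a cap on concurrent sessions per VNC token and a sliding-window cap on connection attempts per token. It assumes the proxy can call `try_connect` when a client presents a token and `disconnect` when the proxied connection closes.

```python
import time
from collections import defaultdict, deque


class TokenConnectionLimiter:
    """Per-token limiter a front-end proxy could apply to noVNC connects.

    Hypothetical helper, not part of Nova or noVNC. It enforces:
      * max_active   - concurrent sessions open with one VNC token
      * max_attempts - connection attempts per token within window_seconds
    """

    def __init__(self, max_active=2, max_attempts=5, window_seconds=60.0,
                 clock=time.monotonic):
        self.max_active = max_active
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock                   # injectable for deterministic tests
        self.active = defaultdict(int)       # token -> currently open sessions
        self.attempts = defaultdict(deque)   # token -> timestamps of recent attempts

    def _prune(self, token, now):
        # Drop attempts that have aged out of the sliding window.
        q = self.attempts[token]
        while q and now - q[0] >= self.window:
            q.popleft()

    def try_connect(self, token):
        """Return (allowed, reason). Call before proxying to the VNC host."""
        now = self.clock()
        self._prune(token, now)
        # Refused attempts still count, so hammering the endpoint is not free.
        self.attempts[token].append(now)
        if len(self.attempts[token]) > self.max_attempts:
            return False, "rate limit: too many connection attempts for this token"
        if self.active[token] >= self.max_active:
            return False, "concurrency limit: token already has max open sessions"
        self.active[token] += 1
        return True, "ok"

    def disconnect(self, token):
        """Call when the proxied connection closes so the slot is freed."""
        if self.active[token] > 0:
            self.active[token] -= 1
```

Legitimate reconnects after a closed session stay within the limits, while a burst of connects with one token is refused before it reaches the noVNC host.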