I’m going to go way out on a limb here and say that this isn’t so much a Django issue as it is a Daphne / Twisted issue if you’re using that, or whatever websocket handler if you’re not.
In the Daphne case, there’s an option in the WebSocket protocol for setting the maximum frame and message payload sizes.
I’d be willing to make a guess that if you set that to a reasonable / expected value, it would prevent the type of attack you’re describing.