Re: DoS against mysqld

From: Ryan Fox (rfox@backwatcher.com)
Date: 08/23/02


From: Ryan Fox <rfox@backwatcher.com>
To: "luca.ercoli@inwind.it" <luca.ercoli@inwind.it>
Date: 23 Aug 2002 12:12:52 -0400

On Fri, 2002-08-23 at 06:19, luca.ercoli@inwind.it wrote:
> If you create more than eleven bad connections (e.g. Bad Handshake)
> to the mysqld port, the server, from this time on, blocks all incoming
> connections.
>
> This is the error:
>
> mysql> connect test 127.0.0.1
> ERROR 1129: Host 'localhost.localdomain' is blocked because of many
> connection errors. Unblock with 'mysqladmin flush-hosts'

This is a good example of why people should contact vendors before
releasing exploits. (I'm assuming the author didn't contact MySQL AB,
because if he had, they would have told him why he was wrong.)

See the page:
http://www.mysql.com/doc/en/Blocked_host.html

This 'exploit' blocks only 1 hostname (not all incoming connections),
and that is the hostname that this 'attack' comes from. The number of
connection errors allowed before a host gets blocked can be set when the
server is started, using the max_connect_errors variable.

Ryan Fox
Backwatcher, Inc.
rfox@backwatcher.com
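
The per-host blocking described in the reply above, as an added example that is not part of the original message and is not MySQL's code: a simplified Python model of the connection-error counter. The class and method names, the hostnames, and the exact comparison at the threshold are assumptions made for illustration.

```python
# Simplified model of mysqld's per-host connection-error blocking.
# Illustration only: not MySQL source; all names here are hypothetical.

class HostBlockedError(Exception):
    """Stands in for client error 1129 (host is blocked)."""

class HostCache:
    def __init__(self, max_connect_errors=10):
        # Threshold set at server start via the max_connect_errors variable.
        self.max_connect_errors = max_connect_errors
        self.errors = {}  # hostname -> consecutive bad connections

    def is_blocked(self, host):
        return self.errors.get(host, 0) >= self.max_connect_errors

    def connect(self, host, handshake_ok):
        """Process one connection attempt; the counter is kept per host."""
        if self.is_blocked(host):
            raise HostBlockedError(
                f"Host '{host}' is blocked because of many connection "
                "errors. Unblock with 'mysqladmin flush-hosts'")
        if handshake_ok:
            self.errors.pop(host, None)  # a clean connection clears the count
            return True
        self.errors[host] = self.errors.get(host, 0) + 1
        return False

    def flush_hosts(self):
        """Counterpart of 'mysqladmin flush-hosts': forget every counter."""
        self.errors.clear()

def demo():
    cache = HostCache(max_connect_errors=10)
    # Constructed scenario: one host sends bad handshakes, another is a client.
    for _ in range(10):
        cache.connect("scanner.example", handshake_ok=False)
    results = {"scanner_blocked": cache.is_blocked("scanner.example"),
               "app_connects": cache.connect("app.example", handshake_ok=True)}
    try:
        cache.connect("scanner.example", handshake_ok=True)
        results["scanner_rejected"] = False
    except HostBlockedError:
        results["scanner_rejected"] = True
    cache.flush_hosts()
    results["scanner_after_flush"] = cache.connect("scanner.example", True)
    return results

if __name__ == "__main__":
    print(demo())
```

Only the host that produced the errors is refused; the other host keeps connecting, and flushing the host cache readmits the blocked one.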


