Re: [luca.ercoli@inwind.it: DoS against mysqld]

From: Rich Lafferty (rich+bugtraq@lafferty.ca)
Date: 08/23/02


Date: Fri, 23 Aug 2002 13:07:08 -0400
From: Rich Lafferty <rich+bugtraq@lafferty.ca>
To: bugtraq@securityfocus.com

On Fri, Aug 23, 2002 at 06:10:57PM +0200, Simone Piunno <pioppo@ferrara.linux.it> wrote:
>
> luca.ercoli@inwind.it wrote:
>
> > mysql> connect test 127.0.0.1
> > ERROR 1129: Host 'localhost.localdomain' is blocked because of many
> > connection errors. Unblock with 'mysqladmin flush-hosts'
>
> Sorry but this is not a DoS against mysqld,
> this is a DoS against yourself!
>
> Only connections coming from the offending IP address are blocked,
> and I can't see anything wrong in this.

Well, more than one user's (Web-based, perhaps?) application might
have to connect to mysqld on localhost. (Unix *is* multiuser, after
all.) You can use the misfeature to deny your fellow users access to
their databases, without having access to their databases yourself.

The unfortunate part of the original advisory is this:

> > If you create more than eleven bad connections (e.g. bad handshake)
> > to the mysqld port, the server, from this time on, blocks all incoming
> > connections.

Misconfigured machines might not do what you want. Surprise!

You can and should set max_connect_errors to whatever is appropriate
for your site. Of course, at some point it becomes a DoS because you
can spawn too many MySQL processes, so you need to choose a value
which best protects against *both* potential DoS attacks (and
inadvertent ones from fail-respawn-fail cycles, etc.)

  -Rich

-- 
Rich Lafferty --------------+-----------------------------------------------
 Ottawa, Ontario, Canada    |  Save the Pacific Northwest Tree Octopus!
 http://www.lafferty.ca/    |    http://zapatopi.net/treeoctopus.html
rich@lafferty.ca -----------+-----------------------------------------------
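A small model of the per-host blocking the thread argues about, added here as an illustration; it is not MySQL's code and not Rich's. It assumes what the thread states and what the manual of the day described: errors are counted per client host (not per user or per database), a host whose count exceeds max_connect_errors is refused until 'mysqladmin flush-hosts', and a successful handshake resets that host's count. The host names, user names and the "more than N" threshold rule are constructed for the example.

```python
"""Toy model of mysqld's per-host connection-error blocking (max_connect_errors).

Added example, not MySQL source.  Modelling assumptions:
  * connection errors are counted per client host, never per user
  * a host is blocked once its error count EXCEEDS max_connect_errors
  * a successful handshake resets that host's counter to zero
  * flush_hosts() clears every counter and every block (mysqladmin flush-hosts)
"""
from collections import defaultdict


class HostBlockedError(Exception):
    """Stands in for 'ERROR 1129: Host ... is blocked because of many connection errors'."""


class ConnectionErrorTracker:
    def __init__(self, max_connect_errors=10):
        # 10 was the long-standing default; later servers ship a larger one
        self.max_connect_errors = max_connect_errors
        self.errors = defaultdict(int)   # host -> consecutive failed handshakes
        self.blocked = set()             # hosts currently refused outright

    def connect(self, host, user, handshake_ok):
        """Return True on a completed handshake, False on a bad one,
        raise HostBlockedError if the host is already blocked."""
        if host in self.blocked:
            raise HostBlockedError(
                "Host '%s' is blocked because of many connection errors. "
                "Unblock with 'mysqladmin flush-hosts'" % host)
        if handshake_ok:
            self.errors[host] = 0        # success wipes the host's error budget
            return True
        self.errors[host] += 1
        if self.errors[host] > self.max_connect_errors:
            self.blocked.add(host)       # the user name played no part in this
        return False

    def flush_hosts(self):
        self.errors.clear()
        self.blocked.clear()


def lockout_scenario(max_connect_errors=10, bad_attempts=11):
    """Replay the thread's scenario: 'alice' burns the error budget from
    localhost, 'bob' on the same box is then refused although he never
    failed a handshake, a remote host is untouched, and flush-hosts clears it.
    Host and user names are constructed for the example."""
    srv = ConnectionErrorTracker(max_connect_errors)
    for _ in range(bad_attempts):
        srv.connect("localhost.localdomain", "alice", handshake_ok=False)

    result = {}
    try:
        srv.connect("localhost.localdomain", "bob", handshake_ok=True)
        result["bob_before_flush"] = "connected"
    except HostBlockedError:
        result["bob_before_flush"] = "blocked"

    # Only the offending host is affected, as Simone Piunno pointed out.
    result["remote"] = "connected" if srv.connect(
        "db-client.example.net", "carol", handshake_ok=True) else "refused"

    srv.flush_hosts()
    result["bob_after_flush"] = "connected" if srv.connect(
        "localhost.localdomain", "bob", handshake_ok=True) else "refused"
    return result


if __name__ == "__main__":
    # Default budget, eleven bad handshakes: bob is locked out of his own databases.
    print(lockout_scenario())
    # A larger budget rides out the same burst; the cost is more half-open
    # connections to absorb before a host is cut off.
    print(lockout_scenario(max_connect_errors=100, bad_attempts=11))
```

The point the model makes is the one Rich makes: the key of the counter is the resolved client host, so every account that reaches mysqld through 127.0.0.1 shares one error budget, and raising max_connect_errors only moves the lockout threshold toward the other DoS (too many spawned or half-open connections) rather than removing the trade-off.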