RE: DoS against mysqld

From: Bob Castleberry (castlebb@cuinc.org)
Date: 08/23/02


From: "Bob Castleberry" <castlebb@cuinc.org>
To: <bugtraq@securityfocus.com>
Date: Fri, 23 Aug 2002 12:01:18 -0500

Although this is a feature instead of a bug, it still has an interesting
consequence. If I figure out that an attempted connection can be made
from the net and your database is backending a web application, then with
a little effort couldn't I spoof being your web server until the
database blocks any connection from the web server's IP address, thus
DOSing your web application? Just a thought for anyone that thinks
making the database directly accessible to the real world is a good
idea.

Bob T. Kat

"We demand rigidly defined areas of doubt and uncertainty."
  - Douglas Adams -

-----Original Message-----
From: Ryan Fox [mailto:rfox@backwatcher.com]
Sent: Friday, August 23, 2002 11:13 AM
To: luca.ercoli@inwind.it
Subject: Re: DoS against mysqld

On Fri, 2002-08-23 at 06:19, luca.ercoli@inwind.it wrote:
> If you create more than eleven bad connections (e.g. Bad Handshake)
> to the mysqld port, the server, from that time on, blocks all incoming
> connections.
>
> This is the error:
>
> mysql> connect test 127.0.0.1
> ERROR 1129: Host 'localhost.localdomain' is blocked because of many
> connection errors. Unblock with 'mysqladmin flush-hosts'

This is a good example of why people should contact vendors before
releasing exploits. (I'm assuming the author didn't contact MySQL AB,
because if he had, they would have told him why he was wrong.)

See the page:
http://www.mysql.com/doc/en/Blocked_host.html

This 'exploit' blocks only 1 hostname (not all incoming connections),
and that is the hostname that this 'attack' comes from. The number of
connection errors allowed before a host gets blocked can be set when the
server is started, using the max_connect_errors variable.

Ryan Fox
Backwatcher, Inc.
rfox@backwatcher.com
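
Added example, not part of the original thread or of MySQL's own code: a log check for the condition discussed above, which picks the blocked host name out of each ERROR 1129 line and separates blocks that hit your own application tier from blocks on other hosts. The log layout, the host names and the `app_hosts` parameter are assumptions made for illustration; only the error text comes from the thread.

```python
import re
from collections import Counter

# Error text as quoted in the thread. Anything between the error number and
# the colon is tolerated, in case a client prints extra fields there.
BLOCKED_RE = re.compile(
    r"ERROR 1129[^:]*: Host '([^']+)' is blocked because of many connection errors"
)

# Constructed sample: lines an application tier might log around its DB connects.
SAMPLE_LOG = """\
2002-08-23 12:00:01 web1 db connect ok
2002-08-23 12:00:07 web1 db connect failed: ERROR 1129: Host 'web1.example.test' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'
2002-08-23 12:00:09 web1 db connect failed: ERROR 1129: Host 'WEB1.example.test' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'
2002-08-23 12:00:12 batch7 db connect failed: ERROR 1129: Host 'batch7.example.test' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'
"""


def blocked_hosts(log_text):
    """Count ERROR 1129 lines per blocked host name (case-insensitive)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = BLOCKED_RE.search(line)
        if match:
            counts[match.group(1).lower()] += 1
    return counts


def triage(log_text, app_hosts):
    """Split blocked hosts into (application tier, everything else).

    app_hosts: names of the hosts the application connects from (assumed input).
    A non-empty first dict means the application itself is locked out of the
    database until the block is cleared with 'mysqladmin flush-hosts'.
    """
    wanted = {h.lower() for h in app_hosts}
    counts = blocked_hosts(log_text)
    critical = {h: n for h, n in counts.items() if h in wanted}
    other = {h: n for h, n in counts.items() if h not in wanted}
    return critical, other


if __name__ == "__main__":
    critical, other = triage(SAMPLE_LOG, {"web1.example.test"})
    print("application tier blocked:", critical)
    print("other hosts blocked:", other)
```

A block on an application-tier host is the case worth paging on, since the server refuses that host until the block is flushed.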


