[26787] in bugtraq
Re: DoS against mysqld
daemon@ATHENA.MIT.EDU (Ryan Fox)
Fri Aug 23 13:20:13 2002
From: Ryan Fox <rfox@backwatcher.com>
To: "luca.ercoli@inwind.it" <luca.ercoli@inwind.it>
In-Reply-To: <H1AKO7$38F86B57E0A762457F13C06DC4353915@libero.it>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: 23 Aug 2002 12:12:52 -0400
Message-Id: <1030119175.20478.13.camel@linux>
Mime-Version: 1.0
On Fri, 2002-08-23 at 06:19, luca.ercoli@inwind.it wrote:
> If are create more than eleven bad connection (ex. Bad Handshake)
> at port mysqld, the server, from this time, block all incoming
> connections.
>
> This is the error:
>
> mysql> connect test 127.0.0.1
> ERROR 1129: Host 'localhost.localdomain' is blocked because of many
> connection errors. Unblock with 'mysqladmin flush-hosts'
This is a good example of why people should contact vendors before
releasing exploits. (I'm assuming the author didn't contact MySQL AB,
because if he had, they would have told him why he was wrong.)
See the page:
http://www.mysql.com/doc/en/Blocked_host.html
This 'exploit' blocks only 1 hostname (not all incoming connections),
and that is the hostname that this 'attack' comes from. The number of
connection errors allowed before a host gets blocked can be set when the
server is started, using the max_connect_errors variable.
Ryan Fox
Backwatcher, Inc.
rfox@backwatcher.com
