[26794] in bugtraq


Re: [luca.ercoli@inwind.it: DoS against mysqld]

daemon@ATHENA.MIT.EDU (Rich Lafferty)
Fri Aug 23 15:01:33 2002

Date: Fri, 23 Aug 2002 13:07:08 -0400
From: Rich Lafferty <rich+bugtraq@lafferty.ca>
To: bugtraq@securityfocus.com
Message-ID: <20020823130708.C20664@lafferty.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020823161057.GB20205@pioppo.wired>; from pioppo@ferrara.linux.it on Fri, Aug 23, 2002 at 06:10:57PM +0200

On Fri, Aug 23, 2002 at 06:10:57PM +0200, Simone Piunno <pioppo@ferrara.linux.it> wrote:
> 
> luca.ercoli@inwind.it wrote:
>
> > mysql> connect test 127.0.0.1
> > ERROR 1129: Host 'localhost.localdomain' is blocked because of many
> > connection errors.  Unblock with 'mysqladmin flush-hosts'
> 
> Sorry but this is not a DoS against mysqld, 
> this is a DoS against yourself!
> 
> Only connections coming from the offending IP address are blocked,
> and I can't see anything wrong in this.

Well, more than one user's (Web-based, perhaps?) application might
have to connect to mysqld on localhost. (Unix *is* multiuser, after
all.) You can use the misfeature to deny your fellow users access to
their databases, without having access to their databases yourself.

The unfortunate part of the original advisory is this:

> > If you create more than eleven bad connections (e.g. Bad Handshake)
> > at the mysqld port, the server, from this time on, blocks all incoming
> > connections.

Misconfigured machines might not do what you want. Surprise!

You can and should set max_connect_errors to whatever is appropriate
for your site. Of course, at some point it becomes a DoS because you
can spawn too many MySQL processes, so you need to choose a value
which best protects against *both* potential DoS attacks (and
inadvertent ones from fail-respawn-fail cycles, etc.).

  -Rich

-- 
Rich Lafferty --------------+-----------------------------------------------
 Ottawa, Ontario, Canada    |  Save the Pacific Northwest Tree Octopus!
 http://www.lafferty.ca/    |    http://zapatopi.net/treeoctopus.html
rich@lafferty.ca -----------+-----------------------------------------------
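The shared-localhost problem Rich describes, as an added illustration that is not part of the thread and not MySQL's own code: a toy model of the per-host counter of failed handshakes that mysqld keeps, the block it applies once the counter passes max_connect_errors, and a flush_hosts() standing in for 'mysqladmin flush-hosts'. The class and function names are invented, the addresses are constructed, the default of 10 is assumed here, and the exact threshold semantics are a simplification of the real server.

```python
"""Toy model of the mysqld host-blocking behaviour discussed in this thread.

Added illustration, not code from the thread or from MySQL. It keeps a
per-host count of consecutive failed handshakes, blocks a host once that
count passes max_connect_errors, and offers flush_hosts() in the role of
'mysqladmin flush-hosts'. Names are invented; the threshold rule is a
simplification of what the real server does.
"""


class HostCache:
    """Per-host count of consecutive failed handshakes, with blocking."""

    def __init__(self, max_connect_errors=10):
        # 10 is assumed here as the server default of the period; tune per site.
        if max_connect_errors < 1:
            raise ValueError("max_connect_errors must be at least 1")
        self.max_connect_errors = max_connect_errors
        self.errors = {}       # host -> consecutive failed handshakes
        self.blocked = set()   # hosts refused until flush_hosts()

    def attempt(self, host, handshake_ok):
        """Record one connection attempt from host. Returns (accepted, message)."""
        if host in self.blocked:
            return False, ("ERROR 1129: Host '%s' is blocked because of many "
                           "connection errors.  Unblock with 'mysqladmin flush-hosts'"
                           % host)
        if handshake_ok:
            self.errors[host] = 0          # a good connection resets the counter
            return True, "OK"
        self.errors[host] = self.errors.get(host, 0) + 1
        if self.errors[host] > self.max_connect_errors:
            self.blocked.add(host)         # every later attempt from host is refused
            return False, "blocked after %d errors" % self.errors[host]
        return False, "Bad handshake (%d/%d)" % (self.errors[host],
                                                 self.max_connect_errors)

    def flush_hosts(self):
        """Stand-in for 'mysqladmin flush-hosts': clear counters and blocks."""
        self.errors.clear()
        self.blocked.clear()


def shared_localhost_scenario(max_connect_errors=10):
    """Two Unix users reach mysqld from the same address, 127.0.0.1.

    User A's broken client keeps failing its handshake; user B, who never
    misbehaves and has no access to A's databases, is locked out until an
    administrator flushes hosts. Other addresses are unaffected throughout.
    Returns a dict of observations so the effect can be checked.
    """
    cache = HostCache(max_connect_errors)
    shared = "127.0.0.1"          # both users' clients (constructed address)
    remote = "192.0.2.10"         # an unrelated host (constructed, documentation range)

    b_before, _ = cache.attempt(shared, True)

    # User A's client fails until the shared address is blocked.
    failures = 0
    while True:
        failures += 1
        _, msg = cache.attempt(shared, False)
        if msg.startswith("blocked"):
            break
        if failures > 10 * max_connect_errors:     # safety stop for the loop
            raise RuntimeError("host never blocked")

    b_during, b_msg = cache.attempt(shared, True)    # B's valid login refused
    remote_during, _ = cache.attempt(remote, True)   # other hosts unaffected

    cache.flush_hosts()
    b_after, _ = cache.attempt(shared, True)

    return {
        "failures_to_block": failures,
        "b_before": b_before,
        "b_during": b_during,
        "b_error": b_msg,
        "remote_during": remote_during,
        "b_after_flush": b_after,
    }


if __name__ == "__main__":
    for key, value in shared_localhost_scenario().items():
        print("%-17s %s" % (key, value))
```

Running it shows both halves of the thread's argument at once: only the offending address is ever refused (remote_during stays True), yet everyone behind that address shares the block, which is why a low max_connect_errors on a multiuser host hurts the innocent neighbour and a high one merely moves the cost to process count.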
