RE: DoS against mysqld

["Bob Castleberry" <castlebb () cuinc org>]

Although this is a feature instead of a bug it still has an interesting
consequence.  If I figure out that an attempted connection can be made
from the net and your database is backending a web application then with
a little effort couldn't I spoof being your web server until the
database blocks any connection from the web servers ip address thus
DOSing your web application. Just a thought for anyone that thinks
making the database directly accessible to the real world is a good
idea.  

Bob T. Kat

"We demand rigidly defined areas of doubt and uncertainty." 
  - Douglas Adams -

-----Original Message-----
From: Ryan Fox [mailto:rfox () backwatcher com] 
Sent: Friday, August 23, 2002 11:13 AM
To: luca.ercoli () inwind it
Subject: Re: DoS against mysqld

On Fri, 2002-08-23 at 06:19, luca.ercoli () inwind it wrote:
> If are create more than eleven bad connection (ex. Bad Handshake) 
> at port mysqld, the server, from this time, block all incoming
> connections.
>
> This is the error:
>
> mysql> connect test 127.0.0.1
> ERROR 1129: Host 'localhost.localdomain' is blocked because of many
> connection errors.  Unblock with 'mysqladmin flush-hosts'

This is a good example of why people should contact vendors before
releasing exploits. (I'm assuming the author didn't contact MySQL AB,
because if he had, they would have told him why he was wrong.)

See the page:
http://www.mysql.com/doc/en/Blocked_host.html

This 'exploit' blocks only 1 hostname (not all incoming connections),
and that is the hostname that this 'attack' comes from.  The number of
connection errors allowed before a host gets blocked can be set when the
server is started, using the max_connect_errors variable.

Ryan Fox
Backwatcher, Inc.
rfox () backwatcher com