Although this is a feature instead of a bug it still has an interesting consequence. If I figure out that an attempted connection can be made from the net and your database is backending a web application then with a little effort couldn't I spoof being your web server until the database blocks any connection from the web servers ip address thus DOSing your web application. Just a thought for anyone that thinks making the database directly accessible to the real world is a good idea. Bob T. Kat "We demand rigidly defined areas of doubt and uncertainty." - Douglas Adams - -----Original Message----- From: Ryan Fox [mailto:rfox@backwatcher.com] Sent: Friday, August 23, 2002 11:13 AM To: luca.ercoli@inwind.it Subject: Re: DoS against mysqld On Fri, 2002-08-23 at 06:19, luca.ercoli@inwind.it wrote: > If are create more than eleven bad connection (ex. Bad Handshake) > at port mysqld, the server, from this time, block all incoming > connections. > > This is the error: > > mysql> connect test 127.0.0.1 > ERROR 1129: Host 'localhost.localdomain' is blocked because of many > connection errors. Unblock with 'mysqladmin flush-hosts' This is a good example of why people should contact vendors before releasing exploits. (I'm assuming the author didn't contact MySQL AB, because if he had, they would have told him why he was wrong.) See the page: http://www.mysql.com/doc/en/Blocked_host.html This 'exploit' blocks only 1 hostname (not all incoming connections), and that is the hostname that this 'attack' comes from. The number of connection errors allowed before a host gets blocked can be set when the server is started, using the max_connect_errors variable. Ryan Fox Backwatcher, Inc. rfox@backwatcher.com
