Connection control plugin can saturate the instance with hung connections

Description

The idea behind the Connection Control plugin is to introduce an increasing delay in server response to connection attempts after a configurable number of consecutive failed attempts. This capability provides a deterrent that slows down brute force attacks against MySQL user accounts.

However, delayed connections are counted as not yet handled connections:

SHOW PROCESSLIST:

| 26626 | unauthenticated user | 10.42.2.95:40436 | NULL | Connect | 57 | Waiting in connection_control plugin | NULL | 57813 | 0 | 0 |
| 26629 | unauthenticated user | 10.42.0.40:44444 | NULL | Connect | 57 | Waiting in connection_control plugin | NULL | 57413 | 0 | 0 |
| 26630 | unauthenticated user | 10.42.3.170:43530 | NULL | Connect | 57 | Waiting in connection_control plugin | NULL | 57412 | 0 | 0 |

which can saturate the instance after any network hiccup or under a busy application, because every delayed attempt holds a connection slot for the whole delay.
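A monitoring check, added here as an example that is not part of the report or of the plugin itself: it parses the text form of SHOW PROCESSLIST, counts threads parked in the connection_control plugin against max_connections, and computes the failed-login rate at which the delays alone exhaust the connection slots. The sample rows are constructed from the three quoted above plus one normal session; max_connections=151 and the 30 s maximum delay are assumed values.

```python
from dataclasses import dataclass

# State string MySQL reports for a thread parked by the connection_control plugin.
TARPIT_STATE = "Waiting in connection_control plugin"

# Constructed sample: the three rows quoted in the report plus one normal session.
SAMPLE_PROCESSLIST = """\
| 26626 | unauthenticated user | 10.42.2.95:40436 | NULL | Connect | 57 | Waiting in connection_control plugin | NULL | 57813 | 0 | 0 |
| 26629 | unauthenticated user | 10.42.0.40:44444 | NULL | Connect | 57 | Waiting in connection_control plugin | NULL | 57413 | 0 | 0 |
| 26630 | unauthenticated user | 10.42.3.170:43530 | NULL | Connect | 57 | Waiting in connection_control plugin | NULL | 57412 | 0 | 0 |
| 26631 | app | 10.42.1.7:50001 | shop | Query | 0 | executing | SELECT 1 | 12 | 0 | 0 |
"""

@dataclass
class Thread:
    thread_id: int
    user: str
    host: str
    command: str
    time_s: int
    state: str

def parse_processlist(text: str) -> list:
    """Parse pipe-delimited SHOW PROCESSLIST rows (Id, User, Host, db, Command, Time, State, ...)."""
    threads = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 7 or not cells[0].isdigit():
            continue  # header, separator or blank line
        threads.append(Thread(int(cells[0]), cells[1], cells[2], cells[4], int(cells[5]), cells[6]))
    return threads

def tarpitted(threads: list) -> list:
    """Threads that occupy a connection slot only because the plugin is delaying them."""
    return [t for t in threads if t.state == TARPIT_STATE]

def slot_usage(threads: list, max_connections: int) -> float:
    """Share of max_connections consumed by tarpitted, still-unauthenticated threads."""
    return len(tarpitted(threads)) / max_connections

def saturating_failure_rate(max_connections: int, max_delay_ms: int) -> float:
    """Failed logins per second that keep every slot busy once delays reach the maximum:
    each delayed attempt holds a slot for up to max_delay_ms, even if the client is gone."""
    return max_connections / (max_delay_ms / 1000)

if __name__ == "__main__":
    rows = parse_processlist(SAMPLE_PROCESSLIST)
    print(len(tarpitted(rows)), "tarpitted threads;", f"{slot_usage(rows, 151):.1%} of max_connections=151")
    print(f"{saturating_failure_rate(151, 30000):.1f} failed logins/s saturate 151 slots at a 30 s delay")
```

With the assumed defaults, roughly five failed logins per second are enough to pin every slot, which is why a raised max_connections or a shorter max delay has to be sized against the expected failure rate, not just the brute-force case.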


Activity

Iwo Panowicz July 24, 2023 at 10:07 AM

Test case:

Configuration:

connection-control=FORCE_PLUS_PERMANENT
connection-control-failed-login-attempts=FORCE_PLUS_PERMANENT
connection_control_failed_connections_threshold=1
connection_control_min_connection_delay=20000
connection_control_max_connection_delay=30000

The high values are only to present the issue.

After running:

for i in $(seq 1 100); do nc -q1 -w1 localhost 8032; done

the connections will start to stockpile, even if the client terminated them. Even if the connection would remain on the client side, it's easy to DDoS the instance with that. Tarpitting in MySQL causes problems, as max_connections is usually low enough that keeping those connections in the same state as normal connections is dangerous.


Created July 21, 2023 at 2:17 PM
Updated November 18, 2024 at 10:27 AM
