Bug #16225 Write logs for each new incoming TCP connection to ease attack detection
Submitted: 5 Jan 2006 14:56 Modified: 5 Jan 2006 16:36
Reporter: Cyril Bouthors Email Updates:
Status: Open Impact on me: None
Category:MySQL Server: Logging Severity:S4 (Feature request)
Version:4.1 OS:Linux (Debian GNU/Linux)
Assigned to: CPU Architecture:Any

[5 Jan 2006 14:56] Cyril Bouthors
Description:
Short: write a message to log-error for each new incoming TCP connection in order to ease attack detection

Long:

We've recently suffered downtimes because our MySQL servers have been
attacked: someone has simply opened several thousand TCP connections
to port 3306 of our servers and waited without authenticating.
The servers reached their max_connections within a couple of seconds
and stopped accepting new connections.

We've blacklisted the IP address but the same thing keeps on happening
again and again with different IP addresses. My company provides
public MySQL access so I can't deny such connections with my
firewall.

I'm not even sure that it's an aggressive attack; it might just be a
bug in a script of one of our clients that keeps on opening
connections in an endless loop if a certain condition is not met.

I would like MySQL to be able to write a new log message to log-error
for each new incoming TCP connection in order to ease attack
detection.

FYI, the processlist output during the attack looked like:

+-----+----------------------+-----------------+----+---------+------+------------------+------------------+
| Id  | User                 | Host            | db | Command | Time | State            | Info             |
+-----+----------------------+-----------------+----+---------+------+------------------+------------------+
| 437 | unauthenticated user | localhost:42562 |    | Connect |      | Reading from net |                  |
| 438 | unauthenticated user | localhost:42563 |    | Connect |      | Reading from net |                  |
| 439 | unauthenticated user | localhost:42564 |    | Connect |      | Reading from net |                  |
| 440 | unauthenticated user | localhost:42565 |    | Connect |      | Reading from net |                  |
| 441 | unauthenticated user | localhost:42566 |    | Connect |      | Reading from net |                  |
| 442 | unauthenticated user | localhost:42567 |    | Connect |      | Reading from net |                  |
| 443 | unauthenticated user | localhost:42568 |    | Connect |      | Reading from net |                  |
| 444 | unauthenticated user | localhost:42569 |    | Connect |      | Reading from net |                  |
| 445 | unauthenticated user | localhost:42570 |    | Connect |      | Reading from net |                  |
| 446 | unauthenticated user | localhost:42571 |    | Connect |      | Reading from net |                  |
| 447 | unauthenticated user | localhost:42572 |    | Connect |      | Reading from net |                  |
| 448 | unauthenticated user | localhost:42573 |    | Connect |      | Reading from net |                  |
| 449 | unauthenticated user | localhost:42574 |    | Connect |      | Reading from net |                  |
(...)

How to repeat:
You can easily reproduce the attack with:

for a in `seq 1000`; do nc localhost mysql < /dev/null & done ; wait

Adapt the "seq" argument if your max_connections is bigger than 1000.

Suggested fix:
Write a message to log-error for each new incoming TCP connection in order to ease attack detection.
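A small detection script for the situation described in this report, added here as an example (it is not part of the original report or of MySQL): it parses the ASCII-table form of SHOW PROCESSLIST quoted above, counts connections that are still "unauthenticated user" in the Connect state per client address, and flags addresses holding more than a threshold. The sample table and the threshold are constructed.

```python
from collections import Counter

# Constructed sample in the same table format as the processlist output
# quoted in the report (only a few rows, with one legitimate session mixed in).
SAMPLE_PROCESSLIST = """\
+-----+----------------------+-----------------+----+---------+------+------------------+------------------+
| Id  | User                 | Host            | db | Command | Time | State            | Info             |
+-----+----------------------+-----------------+----+---------+------+------------------+------------------+
| 436 | appuser              | 10.0.0.5:51000  | db | Query   |    0 | Sending data     | SELECT 1         |
| 437 | unauthenticated user | localhost:42562 |    | Connect |      | Reading from net |                  |
| 438 | unauthenticated user | localhost:42563 |    | Connect |      | Reading from net |                  |
| 439 | unauthenticated user | localhost:42564 |    | Connect |      | Reading from net |                  |
| 440 | unauthenticated user | 192.0.2.9:40001 |    | Connect |      | Reading from net |                  |
+-----+----------------------+-----------------+----+---------+------+------------------+------------------+
"""


def parse_processlist(text):
    """Parse the ASCII-table output of SHOW PROCESSLIST into a list of dicts."""
    rows, header = [], None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip +---+ border lines and anything else
        # Note: a '|' inside the Info column (inside a query) would break this
        # simple split; for the Connect/unauthenticated rows Info is empty.
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def unauthenticated_by_host(rows):
    """Count connections still waiting for the handshake, grouped by client address."""
    counts = Counter()
    for r in rows:
        if r["User"] == "unauthenticated user" and r["Command"] == "Connect":
            host = r["Host"].rsplit(":", 1)[0]  # 'localhost:42562' -> 'localhost'
            counts[host] += 1
    return counts


def suspicious_hosts(rows, threshold):
    """Hosts holding at least `threshold` unauthenticated connections, busiest first."""
    counts = unauthenticated_by_host(rows)
    return sorted(((h, n) for h, n in counts.items() if n >= threshold),
                  key=lambda hn: -hn[1])


if __name__ == "__main__":
    for host, n in suspicious_hosts(parse_processlist(SAMPLE_PROCESSLIST), threshold=3):
        print(f"ALERT: {n} unauthenticated connections from {host}")
```

In production the same functions can be fed the output of `mysql -e 'SHOW PROCESSLIST'` from a cron job, with the threshold set well below max_connections so the alert fires before the server stops accepting clients.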
[5 Jan 2006 16:36] Cyril Bouthors
After a bit more thinking, I believe MySQL also lacks the ability to write a log message each time a connection timeout occurs before authentication.

For example "timeout 1 mysql -uX -pY -hZ" makes MySQL say
060105 19:34:22 [Warning] Aborted connection 7 to db: 'unconnected' user: 'root' host: `localhost' (Got an error reading communication packets)

whereas "timeout 1 telnet localhost mysql" does not make MySQL say anything in the error log.
[9 Jan 2006 14:26] Aleksey Kishkin
Thank you for the feature request.

Meanwhile, as a workaround, you can set up (say) xinetd as a proxy (with logging ability) between the real mysql port and the port that is visible to the public.
[15 Mar 2013 21:32] Chris Calender
+1 from me to implement such logging - and it seems like a low-lying-fruit addition.  Any logging enhancements are always greatly received and appreciated by the community.

And while this is not a cause of attacks, it could help alert users to them, so it is also a "security" fix/enhancement of sorts too.
[15 Mar 2013 21:37] Chris Calender
Btw, does anyone know if this is in a worklog entry or not, or scheduled to be implemented any time in the near future?

Many thanks. :)