Bug #89155 Connection-control exhausts all max_connection resources
Submitted: 9 Jan 2018 3:50 Modified: 16 Jan 2018 9:10
Reporter: kfpanda kf Email Updates:
Status: Not a Bug Impact on me:
None 
Category:MySQL Server: Connection Handling Severity:S2 (Serious)
Version:5.7.17 OS:Any
Assigned to: MySQL Verification Team CPU Architecture:Any
Tags: Connection-control

[9 Jan 2018 3:50] kfpanda kf
Description:
The problem is that when the user uses an error passoword link MySQL more than connection_control_failed_connections_threshold times,MySQL will keep the user session for a while (The more successive failures, the longer the time) even if the user disconnects.
 In this way an attacker can use this problem to consume all of the max_connection resources. This can cause real users to be unable to connect their own mysql. 

How to repeat:
1. Configure the connection_control plugin in file my.cnf
plugin-load = "connection_control.so"

2.The connection_control plug-in uses the default configuration
mysql> show variables like 'connection%';
+-------------------------------------------------+------------+
| Variable_name                                   | Value      |
+-------------------------------------------------+------------+
| connection_control_failed_connections_threshold | 3          |
| connection_control_max_connection_delay         | 2147483647 |
| connection_control_min_connection_delay         | 1000       |
+-------------------------------------------------+------------+

3.Try to log in to the database with a false password in a new window, and execute Ctrl-C if there is a delay.

[root@panda MYSQL]# mysql -uroot -S/tmp/mysqld1.sock -p111
Warning: Using a password on the command line interface can be insecure.
^C
[root@panda MYSQL]# 
[root@panda MYSQL]# 
[root@panda MYSQL]# mysql -uroot -S/tmp/mysqld1.sock -p111
Warning: Using a password on the command line interface can be insecure.
^C
[root@panda MYSQL]# 
[root@panda MYSQL]# 
[root@panda MYSQL]# mysql -uroot -S/tmp/mysqld1.sock -p111
Warning: Using a password on the command line interface can be insecure.
^C
[root@panda MYSQL]# 
[root@panda MYSQL]# 
[root@panda MYSQL]# mysql -uroot -S/tmp/mysqld1.sock -p111
Warning: Using a password on the command line interface can be insecure.
^C
....

Repeated execution many times.

4.Execute show processlist. in the previous window

As you can see, even if all the clients disconnect, the MySQL instance holds the session. In this way, it is easy for an attacker to consume all the max_connection resources.

mysql> show processlist;
+----+------+-----------+------+---------+------+--------------------------------------+------------------+
| Id | User | Host      | db   | Command | Time | State                                | Info             |
+----+------+-----------+------+---------+------+--------------------------------------+------------------+
|  3 | root | localhost | NULL | Query   |    0 | init                                 | show processlist |
| 32 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 33 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 34 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 35 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 36 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 37 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 38 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 39 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 40 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 41 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 42 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 43 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 44 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 45 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 46 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |

Suggested fix:
When the client disconnects, the server should immediately destroy the session.
[16 Jan 2018 9:10] MySQL Verification Team
Hi,

Thanks for your report, we are already aware of this but the consensus is that this is not a bug. The rationale behind it is that 
one should not have connect control plugin on an WAN facing server that have grants open to %. The % host should never exist in production environment.

The reason why plugin keep the connection that long is to slow down the brute force attacks and we provide min/max delay configuration to configure per your dba wishes.

All in all, closing this as non-bug.

Thanks
Bogdan