Bug #89155 Connection-control exhausts all max_connection resources
Submitted: 9 Jan 2018 3:50 Modified: 16 Jan 2018 9:10
Reporter: kfpanda kf
Status: Not a Bug Impact on me: None
Category: MySQL Server: Connection Handling Severity: S2 (Serious)
Version: 5.7.17 OS: Any
Assigned to: MySQL Verification Team CPU Architecture:Any
Tags: Connection-control

[9 Jan 2018 3:50] kfpanda kf
Description:
The problem is that when a user tries to connect to MySQL with a wrong password more than connection_control_failed_connections_threshold times, MySQL keeps the user session for a while (the more successive failures, the longer the time) even if the user disconnects.
In this way an attacker can use this problem to consume all of the max_connection resources. This can cause real users to be unable to connect to their own MySQL.

How to repeat:
1. Configure the connection_control plugin in file my.cnf
plugin-load = "connection_control.so"

2. The connection_control plugin uses the default configuration
mysql> show variables like 'connection%';
+-------------------------------------------------+------------+
| Variable_name                                   | Value      |
+-------------------------------------------------+------------+
| connection_control_failed_connections_threshold | 3          |
| connection_control_max_connection_delay         | 2147483647 |
| connection_control_min_connection_delay         | 1000       |
+-------------------------------------------------+------------+

3. Try to log in to the database with a wrong password in a new window, and press Ctrl-C when there is a delay.

[root@panda MYSQL]# mysql -uroot -S/tmp/mysqld1.sock -p111
Warning: Using a password on the command line interface can be insecure.
^C
[root@panda MYSQL]# 
[root@panda MYSQL]# 
[root@panda MYSQL]# mysql -uroot -S/tmp/mysqld1.sock -p111
Warning: Using a password on the command line interface can be insecure.
^C
[root@panda MYSQL]# 
[root@panda MYSQL]# 
[root@panda MYSQL]# mysql -uroot -S/tmp/mysqld1.sock -p111
Warning: Using a password on the command line interface can be insecure.
^C
[root@panda MYSQL]# 
[root@panda MYSQL]# 
[root@panda MYSQL]# mysql -uroot -S/tmp/mysqld1.sock -p111
Warning: Using a password on the command line interface can be insecure.
^C
....

Repeated execution many times.

4. Execute show processlist in the previous window.

As you can see, even when all the clients have disconnected, the MySQL instance still holds the sessions. In this way, it is easy for an attacker to consume all the max_connection resources.

mysql> show processlist;
+----+------+-----------+------+---------+------+--------------------------------------+------------------+
| Id | User | Host      | db   | Command | Time | State                                | Info             |
+----+------+-----------+------+---------+------+--------------------------------------+------------------+
|  3 | root | localhost | NULL | Query   |    0 | init                                 | show processlist |
| 32 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 33 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 34 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 35 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 36 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 37 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 38 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 39 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 40 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 41 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 42 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 43 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 44 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 45 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 46 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |

Suggested fix:
When the client disconnects, the server should immediately destroy the session.
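As an added illustration (not part of the bug report or of the MySQL code base), the following Python script parses the tab-separated output of `mysql --batch -e "SHOW PROCESSLIST"` and reports how many of max_connections are tied up by threads sitting in the "Waiting in connection_control plugin" state, broken down by client host, so a DBA can see the exhaustion described above building before real users are locked out. The processlist sample is constructed, the client addresses are placeholders, and the 25% alert threshold is an arbitrary choice.

```python
"""Detect connection_control slot exhaustion from SHOW PROCESSLIST output.

Added example. Parses the tab-separated batch output of
    mysql --batch -e "SHOW PROCESSLIST"
(header row first, NULL printed as the literal string NULL) and counts
how many threads are parked inside the connection_control plugin.
"""
from collections import Counter
from typing import Dict, List

WAIT_STATE = "Waiting in connection_control plugin"

# Constructed sample, shaped like batch-mode SHOW PROCESSLIST output.
# It is not captured from a real server; the addresses are placeholders.
# 1 admin session, 8 stuck threads from one host, 4 from another, 1 idle app thread.
SAMPLE_PROCESSLIST = "\n".join(
    ["Id\tUser\tHost\tdb\tCommand\tTime\tState\tInfo",
     "3\troot\tlocalhost\tNULL\tQuery\t0\tinit\tshow processlist"]
    + [f"{i}\troot\t198.51.100.7:{41000 + i}\tNULL\tConnect\tNULL\t{WAIT_STATE}\tNULL"
       for i in range(32, 40)]
    + [f"{i}\tapp\t203.0.113.9:{52000 + i}\tNULL\tConnect\tNULL\t{WAIT_STATE}\tNULL"
       for i in range(40, 44)]
    + ["44\tapp\t10.0.0.5:55555\tshop\tSleep\t12\t\tNULL"]
)


def parse_processlist(text: str) -> List[Dict[str, str]]:
    """Turn batch-mode processlist text into a list of row dicts keyed by header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for ln in lines[1:]:
        fields = ln.split("\t")  # batch mode escapes literal tabs inside Info
        if len(fields) != len(header):
            raise ValueError(f"malformed processlist row: {ln!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def client_host(host: str) -> str:
    """Strip the ephemeral port mysqld appends to TCP clients ("1.2.3.4:41234").

    Assumes IPv4 addresses or hostnames; IPv6 literals would need
    bracket-aware parsing.
    """
    return host.rsplit(":", 1)[0] if ":" in host else host


def connection_control_waiters(rows: List[Dict[str, str]]) -> Counter:
    """Count threads stuck in the plugin wait state, per client host."""
    return Counter(client_host(r["Host"]) for r in rows if r["State"] == WAIT_STATE)


def exhaustion_report(rows: List[Dict[str, str]], max_connections: int,
                      alert_fraction: float = 0.25) -> dict:
    """Summarise how much of max_connections the plugin wait queue is consuming.

    alert_fraction is an arbitrary operator-chosen threshold (assumption).
    """
    waiters = connection_control_waiters(rows)
    waiting = sum(waiters.values())
    threads = len(rows)
    fraction = waiting / max_connections
    return {
        "threads": threads,
        "waiting_in_connection_control": waiting,
        "free_slots": max(max_connections - threads, 0),
        "waiting_fraction": fraction,
        "by_host": waiters.most_common(),
        "alert": fraction >= alert_fraction,
    }


if __name__ == "__main__":
    # Small max_connections so the constructed sample shows the limit being approached.
    report = exhaustion_report(parse_processlist(SAMPLE_PROCESSLIST), max_connections=16)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it on a schedule against the real output of `mysql --batch -e "SHOW PROCESSLIST"` (or against information_schema.PROCESSLIST directly). mysqld allows max_connections + 1 connections, with the extra slot reserved for accounts holding SUPER, so an administrator can normally still get in to inspect and KILL the waiting threads once the limit is hit; lowering connection_control_max_connection_delay from its 2147483647 ms default also bounds how long each stuck thread can hold a slot.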
[9 Jan 2018 5:35] MySQL Verification Team
BUG 25054521 - CONNECTION_CONTROL: MAKES IT TOO EASY TO DOS AS MAX_CONNECTIONS HIT
[16 Jan 2018 9:10] MySQL Verification Team
Hi,

Thanks for your report, we are already aware of this but the consensus is that this is not a bug. The rationale behind it is that
one should not have the connection control plugin on a WAN-facing server that has grants open to %. The % host should never exist in a production environment.

The reason why the plugin keeps the connection that long is to slow down brute-force attacks, and we provide min/max delay configuration to configure per your DBA's wishes.

All in all, closing this as non-bug.

Thanks
Bogdan
[12 May 2022 11:20] Rineez Ahmed N
I have to strongly disagree with the resolution given here.
I can accept that the connection control plugin needs to delay the next login attempt to make a brute-force attack harder, but at the same time this plugin must also be able to prevent that "waiting client" from consuming a MySQL connection resource. The resource consumption in this case is unacceptable.

If a client makes more failed attempts than the threshold, why not just reject the next connection attempt from the same client until the delay has passed?
Why allow it to make a connection and then stay connected during the whole waiting time, allowing it to hold a valuable connection resource for such a long time?
I mean it must work like connection throttling, not like a queue.

Please please reopen this and consider revising this behavior of the connection control plugin.

Love & Regards