MySQL usage problem

[vamos]

Hi! I'm running with a protected server against DDoS, problem is the next, due to some IP/seconds that connect to my website, some MySQL request is sent to the MySQL server, here's an example of the problem:

76429 mysql     164  61    0 58556M 28979M RUN     4 109:30 604.98% mysqld

So MySQL is busy after it, how can I maybe limit MySQL request or make it better?

Thanks in advance.

 

[SirDice]

Don't allow access to MySQL, plain and simple.

 

[vamos]

MySQL is allowed for my webserver only, attack goes to port 80, the webserver blocks these attacks but it still makes some requests and MySQL is just as busy. Maybe a better configuration can make something?

 

[SirDice]

Are you sure the attack is blocked? It sounds like your web application has an SQL injection vulnerability.

 

[vamos]

The IP that attacks my website is restricted with

iptables -N SYN-LIMIT
iptables -A SYN-LIMIT -m hashlimit --hashlimit 8/second --hashlimit-mode srcip --hashlimit-name SYN-LIMIT -j RETURN
iptables -A SYN-LIMIT -j DROP
iptables -I INPUT -p tcp --dport 80 --syn -j SYN-LIMIT
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 6 -j REJECT --reject-with tcp-reset

Then, they send anyway request to MySQL because they can access to website in fact but limited.

 

[SirDice]

Is this about FreeBSD or not? FreeBSD doesn't have IPTables, that's a Linux thing.

It doesn't matter how you limit access to the web application. If there's an SQL injection bug in your web application all they need is one single connection to exploit it. I suggest taking a really good look at the web site itself. Plug any and all SQL injection holes.

 

[kpa]

Can you rule out a misconfiguration on your server? Such runaway processes can happen for many other reasons than a denial of service attack.

 

[vamos]

It's been about FreeBSD, my Debian web server connects to my MySQL FreeBSD server, the problem is about MySQL.

@@kpa this has been a SYN spoofed attack but I block it, the problem has been about MySQL requests due to some IP spoofed.

 

[SirDice]

@@kpa this has been a SYN spoofed attack but I block it, the problem has been about MySQL requests due to some IP spoofed.

That's simply not possible if the MySQL server is only available from the website. None of the traffic originating on the Internet should be able to get to your MySQL server.

 

[storvi_net]

Do you have two separated servers in different IP ranges? Where are these servers placed?

Markus

 

[vamos]

Do you have two separated servers in different IP ranges? Where are these servers placed?

Markus

Yes, Switzerland.