Hi, Marc,

On Jul 22, Marc wrote:
> Hi Sergei,
>
>> Not quite. max_user_connections limit is enforced after successful
>> authentication - that's when the server knows the user name.
>> max_connections is enforced as soon as the client connects.
>>
>> So yes, even when usera has reached max_user_connections limit, they
>> can keep trying to connect and exhaust max_connections too, especially
>> if they'll delay sending authentication packets.
>
> So what about waiting a bit with dropping the connection of
> max_connections, so you can do
> - get the sent user name
> - check if the username is in max_user_connections limit
> - if it is limited drop the connection, but don't add it to the
>   max_connections counter.
> - if it is not limited add the connection, and add it to the
>   max_connections counter.
>
> disadvantage - is when you drop the connection for max_connections.
> You have to maybe postpone this a bit.
> - could this postponing be abused in a DoS attack?

Yes, it could. Currently when usera has reached max_user_connections
limit, they can keep trying to connect and exhaust max_connections too,
especially if they'll delay sending authentication packets. If the server
will delay enforcing max_connections (that is, the server will not reject
connections above max_connections at once), then this user in the above
scenario will open all possible connections your OS can handle and the
computer will become completely inaccessible. Currently only the MariaDB
server will become inaccessible, but you can configure extra_port to
always be able to access the server in such a case.

Regards,
Sergei
Chief Architect, MariaDB Server
and security@mariadb.org
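The exchange above compares two admission orders: enforcing max_connections at TCP accept time (the current behaviour) versus deferring it until the authentication packet has arrived (Marc's proposal). The following model is an added example, not code from the thread or from the MariaDB server. It simulates an attacker who opens connections and never authenticates, and checks which policy leaves the host unable to accept anything at all. The OS file-descriptor limit, the numbers used, and the treatment of extra_port as "does the host still have a free socket" (ignoring its own counter and any timeouts) are assumptions of the model.

```python
"""Added model of the two admission orders discussed in the thread.

Constructed illustration, not MariaDB server code. It compares enforcing
max_connections at TCP accept time (current behaviour) with deferring it
until the authentication packet arrives (the proposal), for an attacker
who opens connections and never authenticates. The OS file-descriptor
limit is an assumed parameter; extra_port is modelled only as "does the
host still have a free socket", ignoring its own counter and any timeouts.
"""
from dataclasses import dataclass, field


@dataclass
class Server:
    max_connections: int
    max_user_connections: int
    os_fd_limit: int             # assumed: one fd per accepted socket
    enforce_at_connect: bool     # True = current order, False = proposal
    counted: int = 0             # sockets counted against max_connections
    pending: int = 0             # accepted sockets not yet counted (proposal only)
    per_user: dict = field(default_factory=dict)

    def sockets(self) -> int:
        """Every accepted socket the host is holding, counted or not."""
        return self.counted + self.pending

    def connect(self) -> bool:
        """TCP accept. Returns False when the connection is refused."""
        if self.sockets() >= self.os_fd_limit:
            return False                     # host cannot accept anything
        if self.enforce_at_connect:
            if self.counted >= self.max_connections:
                return False                 # refused before any auth packet
            self.counted += 1
        else:
            self.pending += 1                # held open, but not counted yet
        return True

    def authenticate(self, user: str) -> bool:
        """Auth packet arrives on one accepted socket; applies the user limit."""
        over_limit = self.per_user.get(user, 0) >= self.max_user_connections
        if self.enforce_at_connect:
            if over_limit:
                self.counted -= 1            # dropped; its slot is freed
                return False
        else:
            self.pending -= 1
            if over_limit:
                return False                 # dropped without ever being counted
            if self.counted >= self.max_connections:
                return False                 # max_connections checked only now
            self.counted += 1
        self.per_user[user] = self.per_user.get(user, 0) + 1
        return True


def silent_flood(server: Server, attempts: int) -> int:
    """Attacker opens connections and never sends auth; returns sockets held."""
    return sum(1 for _ in range(attempts) if server.connect())


def scenario(enforce_at_connect: bool) -> dict:
    """Flood a server, then check whether anyone else can still get in."""
    s = Server(max_connections=100, max_user_connections=5,
               os_fd_limit=1000, enforce_at_connect=enforce_at_connect)
    held = silent_flood(s, 5000)
    main_port_ok = s.connect()                       # normal port still usable?
    extra_port_ok = s.sockets() < s.os_fd_limit      # can extra_port even accept?
    return {"sockets_held": held,
            "main_port_ok": main_port_ok,
            "extra_port_ok": extra_port_ok}


if __name__ == "__main__":
    for policy in (True, False):
        print("enforce_at_connect =", policy, scenario(policy))
```

With enforcement at connect time the flood stops at max_connections sockets: the main port is unusable, but the host still has free sockets, so extra_port keeps working. With deferred enforcement the unauthenticated sockets are never counted, so the flood runs up to the OS limit and nothing, extra_port included, can be accepted. The model also shows the part of the proposal that does work: under deferred enforcement a user already at max_user_connections is dropped without ever occupying a max_connections slot.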