While you normally would not allow access to a MySQL server, it is done in many instances like shared hosting. Also, MySQL does support a max failed connection attempts feature that will blacklist an IP for a time.
On Fri, Oct 11, 2013 at 3:37 PM, Richard Low <rich...@wentnet.com> wrote:

> On 11 October 2013 14:03, <thorsten.s...@t-systems.com> wrote:
>
>> I found the issue below concerning inactive client connections (see
>> *Cassandra Security* <http://jkb.netii.net/index.php/pub/sinosqldb/cassandra-security>).
>> We are using Cassandra 1.2.4 and the Cassandra JDBC driver as client. Is
>> this still an existing issue?
>>
>> Quoted from site above:
>>
>> Denial of Service problem:
>> Cassandra uses a Thread-Per-Client model in its network code. Since
>> setting up a connection requires the Cassandra server to start a new thread
>> on each connection (in addition to the TCP overhead incurred by the
>> network), the Cassandra project recommends utilizing some sort of
>> connection pooling. An attacker can prevent the Cassandra server from
>> accepting new client connections by causing the Cassandra server to
>> allocate all its resources to fake connection attempts. The only pieces of
>> information required by an attacker are the IP addresses of the cluster
>> members, and this information can be obtained by passively sniffing the
>> network. The current implementation doesn’t timeout inactive connections,
>> so any connection that is opened without actually passing data consumes a
>> thread and a file-descriptor that are never released.
>>
>
> This is still an issue, but you must not expose Cassandra to untrusted
> users. Just like you wouldn't let untrusted users have network access to
> your Oracle, MySQL, etc. servers.
>
> Richard.
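The two controls the quoted text says are missing from a thread-per-client server, an idle-connection timeout and a cap on concurrent clients, shown in an added Python example that is neither Cassandra's nor any poster's code; the server class, its counters, the timeout and cap values and the local flood run are all assumptions made for the illustration.

```python
import socket, threading, time
# Added example, not Cassandra's code: a thread-per-client server that times out
# silent clients and caps concurrency, so idle connections cannot pin threads/FDs.
IDLE_TIMEOUT = 0.5   # seconds a client may stay silent before being dropped
MAX_CLIENTS = 4      # hard cap on concurrently served connections

class IdleAwareServer:
    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))                 # ephemeral local port
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.slots = threading.BoundedSemaphore(MAX_CLIENTS)
        self.lock, self.stats = threading.Lock(), {"served": 0, "idle": 0, "full": 0}
        threading.Thread(target=self._accept_loop, daemon=True).start()
    def _count(self, key):
        with self.lock:
            self.stats[key] += 1
    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                               # listener closed
                return
            if self.slots.acquire(blocking=False):
                threading.Thread(target=self._serve, args=(conn,), daemon=True).start()
            else:                                         # no free slot: refuse, don't spawn
                self._count("full")
                conn.close()
    def _serve(self, conn):
        try:
            conn.settimeout(IDLE_TIMEOUT)                 # silent client -> socket.timeout
            if conn.recv(1024):
                self._count("served")
        except socket.timeout:
            self._count("idle")
        finally:
            conn.close()                                  # release the FD ...
            self.slots.release()                          # ... and the worker slot

def run_idle_flood(n_idle=6):
    srv = IdleAwareServer()  # n_idle silent connections, then one real client after the timeout
    idle = [socket.create_connection(("127.0.0.1", srv.port)) for _ in range(n_idle)]
    time.sleep(IDLE_TIMEOUT * 4)
    with socket.create_connection(("127.0.0.1", srv.port)) as c:
        c.sendall(b"ping")
        c.recv(1)                                         # server closes after reading
    for s in idle + [srv.sock]:
        s.close()
    return srv.stats
```

With six silent connections against a cap of four, two are refused at accept time, four are reaped by the timeout, and the real client that arrives afterwards is still served.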