
mysql attack

Discussion in 'Server Configuration and Hosting' started by surge, Dec 17, 2014.

  1. surge

    surge Member

    Hey,
    Someone came on my website today,
    This isn't a new person, he regularly takes down the forums, but I have been neglecting it and he has gotten bored and tired of it. However the new moderator application format in and everyone rushed to the forums, and he took it down. No more neglecting this I need to fix this.
    Zend_Db_Adapter_Mysqli_Exception: Too many connections - library/Zend/Db/Adapter/Mysqli.php:333
    Generated By: Unknown Account,

    Anyway when I googled this, a lot of people were replying to similar problems saying "that the traffic is too big" when this is nothing but an attack.

    Code:
    Zend_Db_Adapter_Mysqli_Exception: Too many connections - library/Zend/Db/Adapter/Mysqli.php:333
    Generated By: Unknown Account, Today at 7:26 AM
    Stack Trace
    #0 /home/squadcra/public_html/library/Zend/Db/Adapter/Abstract.php(315): Zend_Db_Adapter_Mysqli->_connect()
    #1 /home/squadcra/public_html/library/XenForo/Application.php(719): Zend_Db_Adapter_Abstract->getConnection()
    #2 [internal function]: XenForo_Application->loadDb(Object(Zend_Config))
    #3 /home/squadcra/public_html/library/XenForo/Application.php(960): call_user_func_array(Array, Array)
    #4 /home/squadcra/public_html/library/XenForo/Application.php(991): XenForo_Application->lazyLoad('db', NULL)
    #5 /home/squadcra/public_html/library/XenForo/Application.php(1561): XenForo_Application::get('db')
    #6 /home/squadcra/public_html/library/XenForo/Model.php(161): XenForo_Application::getDb()
    #7 /home/squadcra/public_html/library/XenForo/Model/DataRegistry.php(138): XenForo_Model->_getDb()
    #8 /home/squadcra/public_html/library/XenForo/Model/DataRegistry.php(97): XenForo_Model_DataRegistry->_getMultiFromDb(Array)
    #9 /home/squadcra/public_html/library/XenForo/Dependencies/Abstract.php(147): XenForo_Model_DataRegistry->getMulti(Array)
    #10 /home/squadcra/public_html/library/XenForo/FrontController.php(127): XenForo_Dependencies_Abstract->preLoadData()
    #11 /home/squadcra/public_html/index.php(13): XenForo_FrontController->run()
    #12 {main}
    Request State
    array(3) {
    ["url"] => string(22) "http://squadcraft.net/"
    ["_GET"] => array(0) {
    }
    ["_POST"] => array(0) {
    }
    }
    

    Anyway so what I think he is doing is spam opening MySQL connections until the website goes down? When I restart Apache the website briefly goes back online for 5 seconds.

    So I need a way to limit mysql connections per ip or something along those lines. Is that the right way to fix this problem? Are there any negative effects in reducing the total connections per ip address? Can someone tell me exactly what to do? I am an expect.
     
  2. RoldanLT

    RoldanLT Well-Known Member

    Install and enable CSF on your server.
    I had the same experience last month.
     
  3. surge

    surge Member

    Hey, could you please tell me its name in longer words? Or maybe link me? Thanks so much.
     
  4. RoldanLT

    RoldanLT Well-Known Member

    WSWD likes this.
  5. WSWD

    WSWD Well-Known Member

  6. RoldanLT

    RoldanLT Well-Known Member

    Different problem with me, MySQL doesn't hang up or go down but PHP-FPM stops responding when they started the attack.
     
  7. WSWD

    WSWD Well-Known Member

    Is this a VPS or dedicated server or shared hosting?
     
  8. Tracy Perry

    Tracy Perry Well-Known Member

    If you are on a shared hosting environment you are going to be very limited on what you can do.
    If you are on a VPS or dedicated server, ConfigServer Security & Firewall (CSF) will work (well, I have come across a few VPS providers that you cannot use all the CSF features on). CSF has the ability to throttle concurrent connections from one IP.
    What you may be getting hit with is the WordPress Pingback DoS attack. It is going to be a little more difficult to mitigate due to it being a layer 7 DDoS attack vector.
    Check your logs and see if you have anything similar to
    Code:
    GET /?4137049=6431829 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://www.mtbgearreview.com"
    in them (special attention being paid to the Wordpress/3.8 - the 3.8 will vary with the versions of WordPress it is).
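
A way to run the log check described in the post above, as an added example that is not part of the original thread: it parses access log lines, picks out requests whose user agent has the `WordPress/<version>; <site URL>` shape shown in the sample, and counts them per reflecting site and per protocol version. The function names and sample lines (documentation IPs, example.* hosts) are constructed, and the combined log format is an assumption about how the server logs.

```python
import re
from collections import Counter

# Assumed combined log format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Pingback-style agent: "WordPress/<version>; <site URL>"; text after the URL is ignored.
PINGBACK_UA_RE = re.compile(r'^WordPress/(?P<ver>[\d.]+); (?P<site>https?://[^\s;]+)')

def find_pingback_hits(lines):
    """Return (hits, skipped): pingback-style requests and count of unparseable lines."""
    hits, skipped = [], 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            skipped += 1  # keep a tally so malformed lines are not silently lost
            continue
        ua = PINGBACK_UA_RE.match(m.group("ua"))
        if ua:
            hits.append({"ip": m.group("ip"), "proto": m.group("proto"),
                         "path": m.group("path"), "site": ua.group("site")})
    return hits, skipped

def summarize(hits):
    """Count hits per reflecting WordPress site and per HTTP protocol version."""
    return Counter(h["site"] for h in hits), Counter(h["proto"] for h in hits)

# Constructed sample lines, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [17/Dec/2014:07:26:01 +0000] "GET /?4137049=6431829 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://blog.example.com"',
    '198.51.100.7 - - [17/Dec/2014:07:26:01 +0000] "GET /?5550123=7781234 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://blog.example.com"',
    '203.0.113.20 - - [17/Dec/2014:07:26:02 +0000] "GET /?9912=3341 HTTP/1.0" 403 0 "-" "WordPress/3.9.1; http://shop.example.org"',
    '192.0.2.44 - - [17/Dec/2014:07:26:03 +0000] "GET /forums/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'truncated line without quotes',
]

if __name__ == "__main__":
    hits, skipped = find_pingback_hits(SAMPLE)
    sites, protos = summarize(hits)
    print(f"{len(hits)} pingback-style requests, {skipped} unparseable lines")
    for site, n in sites.most_common():
        print(f"{n:6d}  {site}")
    print(dict(protos))
```

Many distinct sites each contributing a share of the requests points to reflected pingback traffic rather than one abusive client, which is why per-IP throttling alone may not stop it.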
     
  9. rainmotorsports

    rainmotorsports Well-Known Member

    I actually got hit by one of these and a dirty rule in nginx to filter all http 1.0 traffic was very effective in nullifying the attack. Which I think defies conventional wisdom but...

    Long term the plan was to filter only traffic containing WordPress in the useragent however this sort of filtering might severely increase the load caused by such a rule. I wouldn't know.
     
  10. DRaver

    DRaver Active Member

    Can you show me that rule?
     
  11. rainmotorsports

    rainmotorsports Well-Known Member

    I can't say this is recommended however:
    Code:
    if ($server_protocol ~* "HTTP/1.0") {
        return 444;
    } 
     
  12. Tracy Perry

    Tracy Perry Well-Known Member

    This should work as well (if not better)
    Code:
         if ($http_user_agent ~* (Wordpress|Baidu|Morfeus|ZmEu|Baiduspider|Jullo|Yandex|Sogou|Baidu) ) {
            return 444;
         }
    The added benefit is it also gives the boot to a few bots.
     
  13. euantor

    euantor Well-Known Member

    So long as you don't want Baidu/Yandex crawling, but who does anyway?
     
  14. Tracy Perry

    Tracy Perry Well-Known Member

    Yep... that's what the "gives the boot to a few bots" meant. :p
     
    euantor likes this.
  15. DRaver

    DRaver Active Member

    So what is using HTTP/1.0 now in the real world?
     
  16. Zehtuka

    Zehtuka Member

    I think only bots?
     
  17. DRaver

    DRaver Active Member

    Google bot?
     