# MySQL usage problem



## vamos (Jul 2, 2013)

Hi! I'm running with a protected server against DDoS, problem is the next, due to some IP/seconds that connect to my website, some MySQL request is sen_t_ to the MySQL server, here's an ex_a_mple of the problem:

```
76429 mysql     164  61    0 58556M 28979M RUN     4 109:30 604.98% mysqld
```
So MySQL is busy after it, how can I maybe limit MySQL request or make it better_?_

Thanks in advance.


----------



## SirDice (Jul 2, 2013)

Don't allow access to MySQL, plain and simple.


----------



## vamos (Jul 2, 2013)

MySQL is allowed for my webserver only, attack goes to port 80, _the_ webserver block_s_ these attacks but it still makes some requests and MySQL is just as busy. Maybe a better configuration can make something*?*


----------



## SirDice (Jul 2, 2013)

Are you sure the attack is blocked? It sounds like your web application has an SQL injection vulnerability.


----------



## vamos (Jul 2, 2013)

The IP that attacks my website is restricted with 

```
iptables -N SYN-LIMIT
iptables -A SYN-LIMIT -m hashlimit --hashlimit 8/second --hashlimit-mode srcip --hashlimit-name SYN-LIMIT -j RETURN
iptables -A SYN-LIMIT -j DROP
iptables -I INPUT -p tcp --dport 80 --syn -j SYN-LIMIT
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 6 -j REJECT --reject-with tcp-reset
```
Then, they send anyway request to MySQL because they can access to website in fact but limited.


----------



## SirDice (Jul 2, 2013)

Is this about FreeBSD or not? FreeBSD doesn't have IPTables, that's a Linux thing.

It doesn't matter how you limit access to the web application. If there's an SQL injection bug in your web application all they need is one single connection to exploit it. I suggest taking a really good look at the web site itself. Plug any and all SQL injection holes.


----------



## kpa (Jul 2, 2013)

Can you rule out a misconfiguration on your server? Such runaway processes can happen for many other reasons than a denial of service attack.


----------



## vamos (Jul 2, 2013)

It's been about FreeBSD, my Debian web server connect*s* to my *MySQL* FreeBSD server, the problem is about MySQL*.*

@@kpa this *ha*s been *a* SYN *s*poofed attack but I block it, the problem *ha*s been about MySQL requests due to some IP spoofed*.*


----------



## SirDice (Jul 2, 2013)

vamos said:
			
		

> @@kpa this *ha*s been *a* SYN *s*poofed attack but I block it, the problem *ha*s been about MySQL requests due to some IP spoofed*.*


That's simply not possible if the MySQL server is _only_ available from the website. None of the traffic originating on the Internet should be able to get to your MySQL server.


----------



## storvi_net (Jul 2, 2013)

Do you have two separated servers in different _IP_ ranges? Where are these servers placed?

Markus


----------



## vamos (Jul 2, 2013)

storvi_net said:
			
		

> Do you have two separated servers in different _IP_ ranges? Where are these servers placed?
> 
> Markus


Yes, Switzerland.


----------

