Introduction
MySQL 5.7.17+ introduced Connection Control Plugins[1] to combat brute force attacks by adding response delays after failed login attempts.
Risks of Misconfiguration
Improper use may cause:
- Connection pileups: Invalid attempts (e.g., monitoring systems using nonexistent users) consume connections.
- Database hangs: Delays prevent quick connection release, triggering
too many connectionserrors.
1. Problem Scenario
Case Study: A client enabled the plugin while their monitoring system used invalid credentials (igcam user). This caused:
Connectstate connections to accumulatemax_connectionslimit reached- Service disruption via
too many connectionserrors
Root Cause:
The plugin records failed attempts even for deleted users. After exceeding connection_control_failed_connections_threshold (default=3), it imposes growing delays, tying up resources.
2. Reproduction & Testing
2.1 Plugin Installation
Two components:
CONNECTION_CONTROL: Enforces delaysCONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS: Logs attempts
2.2 Key Parameters
2.3 Test Case
Create/delete test user:
CREATE USER monitor@'127.0.0.1' IDENTIFIED BY 'monitor';
GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO monitor@'127.0.0.1';
DROP USER monitor@'127.0.0.1';
Simulate connection limit:
SET GLOBAL max_connections=5;
Observe delayed responses:
while true; do
time mysql -umonitor -p'monitor' -h127.0.0.1 -P3306 2>/dev/null
done
2.4 Delay Mechanism
- First 3 attempts: Immediate failure
- Subsequent attempts: Delay =
min_delay × (attempts - threshold)- Attempt 4: 1s delay
- Attempt 5: 2s delay
- ...
2.5 Counter Reset
Counters reset to 0 after successful authentication, but existing delays remain until completion.
%20(2048%20x%201000%20%E5%83%8F%E7%B4%A0)%20(3).png)
%20(2048%20x%201000%20%E5%83%8F%E7%B4%A0)%20(2).png)
