How to protect s9y from mySQL sleep injections

Random stuff about serendipity. Discussion, Questions, Paraphernalia.
schimanke
Regular
Posts: 161
Joined: Mon Jan 07, 2008 4:38 pm
Location: Hameln, Germany

How to protect s9y from mySQL sleep injections

Post by schimanke »

Hi everybody,

since last weekend my blog is under attack from some servers in China. Specifically they call the URL of some older posts and add a SQL sleep injection to it, which causes my blog to go offline after some time with the database reporting "max_user_connections". Is there anything I can do against it?

I'm currently using s9y 1.7.3 with PHP 5.4.44.

Any help is highly appreciated!
Thank you!
Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: How to protect s9y from mySQL sleep injections

Post by Timbalu »

I don't think they send you a sleep injection. They just flood your system in a kind of DDOS attack and this makes your server report the "max_user_connections". Servers normally have limited resources and then just die away.

The only way to fight this, is to work with iptables firewall, which can be configured to deny Server connect access to all IPs from APNIC (Asia-Pacific Network) for example, specific IP ranges or exact IPs. But this is outside the scope of Serendipity. Talk to your hoster (but do not hope!). :)

An S9y Update would be nice too, but would only help in cases where bugs were fixed regarding SQL injections.
Regards,
Ian

Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
schimanke
Regular
Posts: 161
Joined: Mon Jan 07, 2008 4:38 pm
Location: Hameln, Germany

Re: How to protect s9y from mySQL sleep injections

Post by schimanke »

Thanks for your reply!

I found several entries in my log which looked like this:

"GET /index.php?url=archives%2F3763-Kein-Video-Out-ueber-den-neuen-Lightning-Connector-UPDATE.html%27%20AnD%20sLeep%283%29%20ANd%20%271&serendipity= HTTP/1.0" 200 69456 schimanke.com "-" "Opera/9.27" "-"

There you can see the attempt of the sleep injection. My provider identified those attempts as the cause of the problems.

So basically, if I get you right, there is nothing I can do about it except blocking visitors from APNIC?
Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: How to protect s9y from mySQL sleep injections

Post by Timbalu »

This means

    ' AnD sLeep(3) ANd '1&serendipity=

and the rest is hidden. It is a SQL inject attack, yes (btw a dumb and stupid one). But it does not send your Server asleep, I think. They just DDOS you and your Server gives up.

To be sure there is nothing injective open in your version it is better to update. Yes! But I am still afraid this won't help you with DDOS attacks, or better say: too many connections at the same time. You can only avoid this by denying access to this playground.
Regards,
Ian

Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
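The log line quoted above and Ian's reading of it (a time-based injection probe repeated until the database runs out of connections) can be checked from the access log itself. The following is an added example written for this thread, not code from Serendipity or from any poster. It assumes a common/combined log format that starts with the client IP and a bracketed timestamp (the line quoted in the thread has neither, so the sample lines below are constructed to carry them); it percent-decodes each request target, flags the functions used by time-based SQL injection (sleep, benchmark, pg_sleep, waitfor delay), and reports which sources also exceed a request-rate threshold inside a sliding window.

```python
"""Scan a web-server access log for time-based SQL injection probes and for
per-source request floods.  Example added for this forum thread; it is not
part of Serendipity.  The log format and the sample lines are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample log (not from the thread).  The request part mirrors the
# probe quoted in the thread; client IPs are documentation addresses and the
# timestamps are invented so that per-source rate counting can be shown.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Sep/2015:10:00:01 +0200] "GET /index.php?url=archives%2F3763-Kein-Video-Out-ueber-den-neuen-Lightning-Connector-UPDATE.html%27%20AnD%20sLeep%283%29%20ANd%20%271&serendipity= HTTP/1.0" 200 69456 "-" "Opera/9.27"
203.0.113.7 - - [15/Sep/2015:10:00:01 +0200] "GET /index.php?url=archives%2F3763-Kein-Video-Out-ueber-den-neuen-Lightning-Connector-UPDATE.html%27%20AnD%20sLeep%283%29%20ANd%20%271&serendipity= HTTP/1.0" 200 69456 "-" "Opera/9.27"
203.0.113.7 - - [15/Sep/2015:10:00:02 +0200] "GET /index.php?url=archives%2F3763-Kein-Video-Out-ueber-den-neuen-Lightning-Connector-UPDATE.html%27%20AnD%20sLeep%283%29%20ANd%20%271&serendipity= HTTP/1.0" 200 69456 "-" "Opera/9.27"
198.51.100.9 - - [15/Sep/2015:10:00:02 +0200] "GET /index.php?url=archives%2F3763-Kein-Video-Out-ueber-den-neuen-Lightning-Connector-UPDATE.html HTTP/1.1" 200 69456 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2015:10:00:03 +0200] "GET /index.php?url=archives%2F10-Test.html%27%29%20aNd%20BeNcHmArK%2810000000%2CMD5%281%29%29--%20 HTTP/1.0" 200 512 "-" "Opera/9.27"
"""

# Common/combined log format: client IP, identd, user, [timestamp], "request", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Functions used by time-based (blind) SQL injection.  A probe "succeeds" when
# the response is delayed, which is also why a flood of them ties up database
# connections even when the injection itself does nothing.
TIME_BASED_RE = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE
)


def decode_target(target, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_time_based_sqli(target):
    """True if the decoded request target carries a time-based SQLi marker."""
    return TIME_BASED_RE.search(decode_target(target)) is not None


def parse_line(line):
    """Split one log line into its fields; returns None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def max_requests_in_window(times, window_seconds):
    """Largest number of requests from one source inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(log_text, window_seconds=60, threshold=3):
    """Count injection probes per source and list sources that flood the site."""
    injection_hits = Counter()
    times_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        times_by_ip[rec["ip"]].append(rec["time"])
        if is_time_based_sqli(rec["target"]):
            injection_hits[rec["ip"]] += 1
    flood_sources = sorted(
        ip for ip, times in times_by_ip.items()
        if max_requests_in_window(times, window_seconds) >= threshold
    )
    return {"injection_hits": injection_hits, "flood_sources": flood_sources}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, n in result["injection_hits"].most_common():
        print(f"{ip}: {n} time-based SQLi probe(s)")
    print("flood sources:", ", ".join(result["flood_sources"]) or "none")
```

The output of such a scan is what a hoster needs in order to block the sources at the firewall, as Ian suggests; the per-window count matters as much as the injection pattern, because the damage described in the thread comes from the number of simultaneous connections rather than from any single request. The marker match is deliberately narrow (a function name followed by a parenthesis) so that an article title that happens to contain the word "sleep" is not flagged; adjust the window and threshold to the traffic a site normally sees before acting on the flood list.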
schimanke
Regular
Posts: 161
Joined: Mon Jan 07, 2008 4:38 pm
Location: Hameln, Germany

Re: How to protect s9y from mySQL sleep injections

Post by schimanke »

Okay, thanks again!
I will talk to my provider and see if they can do anything for me.

Updating to s9y 2.0.2 will be my next step anyway. :-)
Czorneboh
Regular
Posts: 385
Joined: Tue Apr 08, 2008 7:17 pm
Location: Berlin

Re: How to protect s9y from mySQL sleep injections

Post by Czorneboh »

Hi,

that topic is interesting for me as well.
In the current version of the journal iX 9/2015 on page 87 ff. there is an article about how to defend against DDoS-attacks, "Von überall her - Internetdienste vor DDoS-Angriffen schützen"

"There are practically no solutions for the local infrastructure to prevent heavy DDoS-attacks"

A keyword is "Varnish". Once I had that shield for my blog. Visitors get the page from a cache server or several (by using load balancing). My website was loading fast (normally quite slow because of many used plugins and pictures). But I could not see changes I made on the front page promptly, because the page was actualized on the cache server only a few times per day.

Usually (after what I have experienced) there is no or only rare information about support with Varnish at websites of providers. I do not know what this usually costs.

There was an article about Varnish in iX 4/2015
https://www.heise.de/artikel-archiv/ix/ ... 68_Anschub.