ET WEB_SERVER MYSQL Benchmark Command in URI to Consume Server Resources

Notice: Monitoring services will be discontinued from March 31st, 2019.

The MySQL database is an integral part of many platforms; it drives popular platforms such as Joomla, Drupal and WordPress. The "ET WEB_SERVER MYSQL Benchmark Command in URI to Consume Server Resources" signature covers a kind of DoS attack: it detects possible attempts at a denial of service (DoS) against a MySQL database. By sending a large number of BENCHMARK commands, an attacker could consume server resources, delaying or denying access to the database for legitimate users.

BENCHMARK() is intended for measuring the runtime performance of scalar expressions. BENCHMARK(count, expr) executes the expression expr repeatedly, count times, and may be used to time how quickly MySQL processes the expression. The result value is always 0. The intended use is from within the mysql client, which reports query execution times:

mysql> SELECT BENCHMARK(1000000,AES_ENCRYPT('hello','goodbye'));
+---------------------------------------------------+
| BENCHMARK(1000000,AES_ENCRYPT('hello','goodbye')) |
+---------------------------------------------------+
|                                                 0 |
+---------------------------------------------------+
1 row in set (4.74 sec)

The time reported is elapsed time on the client end, not CPU time on the server end. It is advisable to execute BENCHMARK() several times, and to interpret the result with regard to how heavily loaded the server machine is.

An attacker inserts BENCHMARK commands into the URI and sends many such requests to consume the server's resources; as a result, legitimate users cannot get access to the server when they need it.
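As an added illustration (not part of the original article, and not the ET rule itself), the following Python script applies the signature's idea to a few constructed web-server access-log lines: it URL-decodes each request URI, looks for a BENCHMARK( call, and reports clients that send several such requests. The log lines, client addresses and threshold are all made up for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not real traffic). The first
# client sends three BENCHMARK requests in different encodings; the second
# client's requests are benign, including a path that merely contains the
# word "benchmarks".
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2019:12:00:01 +0000] "GET /search.php?q=BENCHMARK(1000000,AES_ENCRYPT('hello','goodbye')) HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2019:12:00:02 +0000] "GET /search.php?q=benchmark%20(1000000%2CMD5(1)) HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2019:12:00:03 +0000] "GET /index.php?id=1%2520AND%2520BENCHMARK%2528500000%252CMD5%25281%2529%2529 HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2019:12:00:04 +0000] "GET /benchmarks/results.html HTTP/1.1" 200 2048
198.51.100.7 - - [10/Mar/2019:12:00:05 +0000] "GET /index.php?id=42 HTTP/1.1" 200 1024
"""

# client, method and request URI from a combined-log-format line
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"')

# The call the signature is after: the function name followed by "(",
# case-insensitive, allowing whitespace between name and parenthesis.
BENCHMARK_RE = re.compile(r"benchmark\s*\(", re.IGNORECASE)


def uri_has_benchmark(uri: str) -> bool:
    """True if the (possibly URL-encoded) URI carries a BENCHMARK( call."""
    # Decode twice so a double-encoded request (%2528 -> %28 -> "(") is
    # still seen; decoding an already-clean URI again changes nothing.
    decoded = unquote_plus(unquote_plus(uri))
    return BENCHMARK_RE.search(decoded) is not None


def flag_benchmark_requests(log_text: str) -> list:
    """Return (client, uri) pairs for every request whose URI matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and uri_has_benchmark(m.group("uri")):
            hits.append((m.group("client"), m.group("uri")))
    return hits


def noisy_clients(log_text: str, threshold: int = 3) -> dict:
    """Clients with at least `threshold` flagged requests, with their counts."""
    counts = Counter(client for client, _ in flag_benchmark_requests(log_text))
    return {c: n for c, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for client, uri in flag_benchmark_requests(SAMPLE_LOG):
        print(f"BENCHMARK in URI from {client}: {uri}")
    print("clients over threshold:", noisy_clients(SAMPLE_LOG))
```

A single match is only a hint; the per-client count is what turns it into the "large number of BENCHMARK commands" the article describes.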

There are many benchmark tools that DBAs and developers use to load-test their database servers, among them mysqlslap, httperf, wrk, DBT2 and sysbench. They can emulate a large number of client connections hitting the database server at the same time. The load-testing parameters are fully configurable, and the results from different test runs can be used to fine-tune the database design or hardware resources.

wrk is a modern HTTP benchmarking tool capable of generating significant load when run on a single multi-core CPU. It combines a multithreaded design with scalable event notification systems such as epoll and kqueue.
Example:

wrk -t12 -c400 -d30s http://127.0.0.1:8080/index.html

This runs a benchmark for 30 seconds, using 12 threads, and keeping 400 HTTP connections open.

There are some mitigations for this type of attack, chiefly limiting the time allowed for:

- Connections (the length of time allowed for connecting to a database)
- Commands (the length of time allowed for a query/procedure to run)
