Thursday 8 July 2010

Quirky Oracle DOS attack option

As of 11g, Oracle has implemented a number of built-in password protections. One such protection is slowing down login attempts when an incorrect password is used. After three failed attempts, Oracle delays each further login attempt by several seconds, increasing to approximately 10 seconds on successive attempts.

The documentation states that if the correct password is entered, login occurs without delay. In practice this is not quite true. Consider the following situation: a new application is trying to connect to the database but is configured with the wrong password. Since such applications are typically configured with connection pooling, the retries very quickly reach the 10 second delay. Now, while this new application is trying to connect with the wrong password, ALL attempts (correct and incorrect) to connect as that database user are delayed. This means existing applications are delayed even though they have the correct credentials.

I experienced this on 11.1.0.7.0. Let's hope Oracle come up with a fix!
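A defender-side check for the situation described above, added here as example code (not from this post or from Oracle): given session-audit records, it flags users whose recent failure count is enough to trigger the login delay, and separates the client hosts producing the failures from the hosts that log in with the correct password and are slowed down as a result. The CSV layout and the 5-minute window are assumptions; returncode 1017 corresponds to ORA-01017 (invalid username/password) in the session audit trail.

```python
"""Flag database users whose recent failed logins trigger Oracle 11g's
login delay, and show who else is affected. Example code, not the post's."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample, assumed to be exported from DBA_AUDIT_SESSION
# (AUDIT SESSION enabled): timestamp, username, client host, returncode.
# returncode 1017 = ORA-01017 invalid username/password; 0 = success.
SAMPLE = """\
2010-07-08 09:00:01,APPUSER,newapp01,1017
2010-07-08 09:00:01,APPUSER,newapp01,1017
2010-07-08 09:00:02,APPUSER,newapp01,1017
2010-07-08 09:00:02,APPUSER,newapp01,1017
2010-07-08 09:00:05,APPUSER,oldapp01,0
2010-07-08 09:00:07,APPUSER,newapp01,1017
2010-07-08 09:00:09,REPORTS,batch01,1017
2010-07-08 09:00:10,REPORTS,batch01,0
"""

FAIL_THRESHOLD = 3             # failures after which Oracle starts delaying
WINDOW = timedelta(minutes=5)  # assumed window for "recent" failures

def find_delayed_users(text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {user: {'failing_hosts': set, 'affected_hosts': set}} for every
    user with at least `threshold` failures inside some span of `window`."""
    rows = []
    for ts, user, host, rc in csv.reader(StringIO(text)):
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, host, int(rc)))
    rows.sort()
    report = {}
    for user in {r[1] for r in rows}:
        events = [r for r in rows if r[1] == user]
        fails = [r for r in events if r[3] == 1017]
        # sliding window over the (sorted) failure timestamps
        hit = any(fails[i + threshold - 1][0] - fails[i][0] <= window
                  for i in range(len(fails) - threshold + 1))
        if not hit:
            continue
        failing = {r[2] for r in fails}
        # hosts that logged in successfully as this user are slowed down too
        affected = {r[2] for r in events if r[3] == 0} - failing
        report[user] = {"failing_hosts": failing, "affected_hosts": affected}
    return report

if __name__ == "__main__":
    for user, info in find_delayed_users(SAMPLE).items():
        print(f"{user}: failures from {sorted(info['failing_hosts'])}; "
              f"correct logins also delayed for {sorted(info['affected_hosts'])}")
```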