10.5 Using Oracle Connection Manager to Prevent Denial-of-Service Attacks

You can enforce a limit on the number of client connections that Oracle Connection Manager (CMAN) can handle from an IP address in a specific time interval.

Malicious clients can send excessive connection requests to the server node. This can saturate the capacity of CMAN to handle new connections per second, and thus cause denial-of-service (DoS) attacks on your database. Using the IP rate limit feature, you can limit the maximum number of new connections allowed from an IP address. This helps to prevent DoS attacks by detecting malicious clients early and rejecting those connections.

To enforce an IP rate limit, set the IP_RATE_COUNT parameter in the cman.ora configuration file. This parameter specifies the number of connections that are allowed from a single IP address. The specified IP rate limit is enforced at the CMAN endpoint level.

If required, you can also set the following optional parameters in the cman.ora file:
  • IP_RATE_INTERVAL: Specifies the time interval, in seconds, for which IP_RATE_COUNT connections are accepted from the IP address.

  • IP_RATE_BLOCK: Specifies the duration, in minutes, for which the IP address is blocked after exceeding the specified IP rate limit.

If a connection exceeds the IP_RATE_COUNT per IP_RATE_INTERVAL limit, then CMAN rejects the connection and blocks the IP address for IP_RATE_BLOCK minutes. CMAN records an "IP rate limit enforced for ip address" error message in the Oracle Connection Manager log file.
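As an added illustration (not Oracle code), the following Python model replays constructed connection attempts against the documented IP_RATE_COUNT / IP_RATE_INTERVAL / IP_RATE_BLOCK semantics, so you can see which attempts would be accepted, when an address gets blocked, and when the block expires. Assumptions: the parameter values are sample values chosen here, the interval is treated as a sliding window (the text does not say how CMAN measures it), and the modelled log line only reuses the message wording quoted above, not the real log format.

```python
from collections import defaultdict, deque

# Sample values for illustration only; the documentation gives no defaults.
IP_RATE_COUNT = 5       # new connections allowed per IP per interval
IP_RATE_INTERVAL = 10   # seconds
IP_RATE_BLOCK = 2       # minutes


class IpRateLimiter:
    """Model of the documented behaviour: at most `count` connections per IP
    within `interval_s` seconds; exceeding it blocks the IP for `block_min`
    minutes. A sliding window is an assumption of this model."""

    def __init__(self, count, interval_s, block_min):
        self.count = count
        self.interval = interval_s
        self.block = block_min * 60
        self.recent = defaultdict(deque)   # ip -> times of accepted attempts
        self.blocked_until = {}            # ip -> time (s) the block expires
        self.log = []                      # modelled log lines

    def connect(self, ip, now):
        """Return True if a connection from `ip` at time `now` (s) is accepted."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False               # still blocked: reject silently
            del self.blocked_until[ip]     # block expired: start fresh
            self.recent[ip].clear()
        window = self.recent[ip]
        while window and now - window[0] >= self.interval:
            window.popleft()               # forget attempts outside the interval
        if len(window) >= self.count:
            self.blocked_until[ip] = now + self.block
            self.log.append(f"t={now}: IP rate limit enforced for ip address {ip}")
            return False
        window.append(now)
        return True


def simulate(events, count=IP_RATE_COUNT, interval_s=IP_RATE_INTERVAL,
             block_min=IP_RATE_BLOCK):
    """Replay (ip, time) attempts in order; return decisions and the modelled log."""
    lim = IpRateLimiter(count, interval_s, block_min)
    return [(ip, t, lim.connect(ip, t)) for ip, t in events], lim.log


# Constructed sample: a burst from one address, one normal client, then a retry
# while blocked (t=60) and a retry after the 120 s block has expired (t=130).
SAMPLE = [("203.0.113.9", t) for t in range(0, 4)] + [("198.51.100.4", 3)] + \
         [("203.0.113.9", t) for t in (4, 5, 6, 60, 130)]

if __name__ == "__main__":
    decisions, log = simulate(SAMPLE)
    for ip, t, ok in decisions:
        print(f"t={t:>3} {ip:<14} {'accepted' if ok else 'rejected'}")
    print("\n".join(log))
```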