Limiting Resource Consumption by Unauthorized Users

14.7 Limiting Resource Consumption by Unauthorized Users

Unauthorized access to the listener or database server can result in denial-of-service attacks, whereby an unauthorized client attempts to block authorized users' ability to access and use the system when needed. Malicious clients may attempt to flood the listener or database server with connect requests that have the sole purpose of consuming resources, such as connections, processes, or threads. To mitigate these types of attacks, configure limits that constrain the time in which resources can be held prior to authentication.

Client attempts to exceed the configured limits result in connection terminations and an audit trail containing the IP address of the client being logged.

To limit the resource consumption by unauthorized users and enable the audit trail, set time-limit values for the parameters described in the following table. These parameters do not have default values.

Table 14-1 Connect-Timeout Parameters

Parameter File Description

Parameter	File	Description
`INBOUND_CONNECT_TIMEOUT_listener_name`	`listener.ora`	The time, in seconds, for the client to complete its connect request to the listener after the network connection had been established. If the listener does not receive the client request in the time specified, then it terminates the connection. In addition, the listener logs the IP address of the client and an `ORA-12525: Listener has not received client's request in time allowed` error message to the `listener.log` file.
`SQLNET.INBOUND_CONNECT_TIMEOUT`	`sqlnet.ora` on the database server	The time, in seconds, for a client to connect with the database server and provide the necessary authentication information. If the client fails to establish a connection and complete authentication in the time specified, then the database server terminates the connection. The database server logs the IP address of the client and an ORA-12170 error message to the database alert log file. The client receives either an ORA-12547: TNS:lost contact, or an ORA-12637: Packet receive failed error message.

INBOUND_CONNECT_TIMEOUT_listener_name

listener.ora

The time, in seconds, for the client to complete its connect request to the listener after the network connection had been established.

If the listener does not receive the client request in the time specified, then it terminates the connection. In addition, the listener logs the IP address of the client and an ORA-12525: Listener has not received client's request in time allowed error message to the listener.log file.

SQLNET.INBOUND_CONNECT_TIMEOUT

sqlnet.ora on the database server

The time, in seconds, for a client to connect with the database server and provide the necessary authentication information.

If the client fails to establish a connection and complete authentication in the time specified, then the database server terminates the connection. The database server logs the IP address of the client and an ORA-12170 error message to the database alert log file.

The client receives either an ORA-12547: TNS:lost contact, or an ORA-12637: Packet receive failed error message.

When specifying values for these parameters, consider the following recommendations:

Set both parameters to an initial low value.
Set the value of the INBOUND_CONNECT_TIMEOUT_listener_name parameter to a lower value than the SQLNET.INBOUND_CONNECT_TIMEOUT parameter.

For example, you can set INBOUND_CONNECT_TIMEOUT_listener_name to 2 seconds and INBOUND_CONNECT_TIMEOUT parameter to 3 seconds. If clients are unable to complete connections within the specified time due to system or network delays that are normal for the particular environment, then increment the time as needed.

Related Topics

Parent topic: Optimizing Performance