Home -> Community -> Mailing Lists -> Oracle-L -> Re: Security : Denial Of Service

Re: Security : Denial Of Service

From: Pete Finnigan <oracle_list_at_peterfinnigan.demon.co.uk>
Date: Mon, 10 Nov 2003 05:04:25 -0800
Message-ID: <F001.005D6380.20031110050425@fatcity.com>


Hi Sami,

The issue you mention is a conundrum! I think you need to consider which is the greater risk and use your judgement to secure against this particular issue.

I mention the same issue in the SANS book "Oracle security step-by-step": it is advisable to use a profile and set failed_login_attempts to prevent brute force attacks, BUT this parameter could also lead to a denial of service attack.

The issue is that it would be a denial of service for the particular user's account that is affected rather than for all users (I am not saying this is a better denial of service as far as the database owner is concerned).

You have to take a wider view and understand how someone could mount a brute force attack against your database. They would need a list of users to start with. Default accounts spring to mind! Either remove these or lock them, and definitely change the passwords. Protect all avenues where someone could get a list of all users, i.e. dictionary views, export files, trace files, program scripts with names in, etc. Protect users' accounts with sensible secure passwords. Don't post details of users' accounts, database structure etc. to newsgroups. As always, the least privilege principle should be observed for all users. If an attacker or employee cannot get a list of users he is limited to brute forcing default accounts; these should be less of an issue where denial of service is concerned due to password failed attempts, as generally you should not be logging in as these users regularly. You have to consider the whole picture and secure your data accordingly. Have a look at some of the Oracle security papers on my site http://www.petefinnigan.com/orasec.htm.

I think Paul is annoyed because you have suggested a denial of service method on a mailing list that is easy to find because of the title of your email!

kind regards

Pete
--

Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
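The trade-off Pete describes (a FAILED_LOGIN_ATTEMPTS limit stops brute force but lets anyone who knows a username lock that user out) can be softened with a second profile parameter, PASSWORD_LOCK_TIME, which makes the lock expire on its own. The script below is an added example and is not code from Pete's post or his book; the profile names, the user app_user, the thresholds, the replacement passwords and the choice of default accounts (SCOTT, DBSNMP, OUTLN) are assumptions for illustration. It shows the permanent-lock setting beside the self-clearing one, locks and re-passwords unused default accounts as the post advises, lists which accounts remain open, and turns on auditing of failed logons so an attack on the lockout is visible.

```sql
-- Added example (not from Pete's post): throttle brute force without handing
-- out a permanent lock-out lever. Profile names, app_user, thresholds,
-- passwords and the listed default accounts are assumptions.

-- Weak setting: once locked, the account stays locked until a DBA unlocks it,
-- so anyone who knows a username can lock that user out indefinitely.
CREATE PROFILE lockout_forever LIMIT
    FAILED_LOGIN_ATTEMPTS 3
    PASSWORD_LOCK_TIME    UNLIMITED;

-- Corrected setting: the lock clears by itself after 15 minutes (1/96 of a
-- day). An attacker still gets at most 5 guesses per 15 minutes per account,
-- but a legitimate user is never locked out for longer than that.
CREATE PROFILE throttled_login LIMIT
    FAILED_LOGIN_ATTEMPTS 5
    PASSWORD_LOCK_TIME    1/96;

-- Apply the corrected profile to an interactive user (hypothetical name).
ALTER USER app_user PROFILE throttled_login;

-- Default accounts that nobody should log in to routinely: change the
-- password and lock them, so a lockout there costs the business nothing.
-- (Leave DBSNMP open only if an Enterprise Manager agent really uses it.)
ALTER USER scott  IDENTIFIED BY "Chg3d_Scott_Pw"  ACCOUNT LOCK;
ALTER USER dbsnmp IDENTIFIED BY "Chg3d_Dbsnmp_Pw" ACCOUNT LOCK;
ALTER USER outln  IDENTIFIED BY "Chg3d_Outln_Pw"  ACCOUNT LOCK;

-- Check: which accounts are still open, and which profile governs each?
SELECT username, account_status, profile
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY username;

-- Record failed logons so a lockout (or a brute-force run) leaves a trail.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- Then look for them: ORA-01017 is a bad password, ORA-28000 a locked account.
SELECT username, os_username, userhost, timestamp, returncode
  FROM dba_audit_session
 WHERE returncode IN (1017, 28000)
 ORDER BY timestamp DESC;

-- Recovery for a user deliberately locked by an attacker.
ALTER USER app_user ACCOUNT UNLOCK;
```

The audit rows only appear when the instance's audit_trail parameter is set to write to the database (DB); with it off, AUDIT SESSION records nothing. The point of the short PASSWORD_LOCK_TIME is that an attacker who wants to keep a user locked out has to keep hammering the account every few minutes, which is exactly the traffic the audit query above surfaces, while the guess rate stays low enough that brute force is still impractical.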

Received on Mon Nov 10 2003 - 07:04:25 CST
