
Re: Security : Denial Of Service

From: Pete Finnigan
Date: Mon, 10 Nov 2003 05:04:25 -0800

Hi Sami,

The issue you mention is a conundrum! I think you need to consider which is the greater risk and use your judgement to secure against this particular issue.

I mention the same issue in the SANS book "Oracle security step-by-step": it is advisable to use a profile and set failed_login_attempts to prevent brute force attacks, BUT this parameter could also lead to a denial of service attack.

The issue is that it would be a denial of service for the particular user's account that is affected rather than for all users (I am not saying this is a better denial of service as far as the database owner is concerned).

You have to take a wider view and understand how someone could mount a brute force attack against your database. They would need a list of users to start with. Default accounts spring to mind!! Either remove these or lock them, and definitely change the passwords.

Protect all avenues where someone could get a list of all users, i.e. dictionary views, export files, trace files, program scripts with names in, etc. Protect user accounts with sensible, secure passwords. Don't post details of user accounts, database structure, etc. to newsgroups. As always, the least privilege principle should be observed for all users.

If an attacker or employee cannot get a list of users, he is limited to brute forcing default accounts; these should be less of an issue where denial of service due to failed password attempts is concerned, as generally you should not be logging in as these users regularly. You have to consider the whole picture and secure your data accordingly. Have a look at some of the Oracle security papers on my site, sec.htm.

I think Paul is annoyed because you have suggested a denial of service method on a mailing list that is easy to find because of the title of your email!

Kind regards,


Pete Finnigan
Web site: - Oracle security audit specialists. Book: Oracle security step-by-step Guide - see for details.
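The trade-off Pete describes (lockout to stop brute forcing versus lockout as a denial of service lever) can be bounded rather than simply accepted. The following is an added example, not code from the original post or from Pete's book: it audits which accounts are exposed, applies a profile that locks after a few failures but auto-unlocks after a short window, and locks the default accounts that nobody should be logging in as. The profile name app_users, the user app_owner and the numeric limits are illustrative assumptions; SCOTT and OUTLN are real Oracle default accounts.

```sql
-- Added example (not from the original post). Run as a DBA.
-- Profile name, user name and limits below are assumptions for illustration.

-- 1. Audit: which accounts are open, and what lockout limit applies to them?
--    A limit of 'DEFAULT' means the value is inherited from the DEFAULT profile.
SELECT u.username,
       u.account_status,
       u.profile,
       p.limit AS failed_login_attempts
  FROM dba_users    u
  JOIN dba_profiles p
    ON p.profile       = u.profile
   AND p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
 ORDER BY u.username;

-- 2. Bound the denial of service: lock after 5 failures, but release the
--    lock automatically. PASSWORD_LOCK_TIME is in days, so 1/96 is 15 minutes:
--    long enough to make guessing impractical, short enough that an attacker
--    cannot keep a legitimate user out indefinitely.
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1/96
  PASSWORD_LIFE_TIME    90;

-- app_owner is a hypothetical application schema.
ALTER USER app_owner PROFILE app_users;

-- 3. Default accounts nobody should use interactively: lock them and expire
--    the password. A brute-force lockout against these costs you nothing.
ALTER USER scott PASSWORD EXPIRE ACCOUNT LOCK;
ALTER USER outln PASSWORD EXPIRE ACCOUNT LOCK;

-- 4. Confirm: any account still OPEN with UNLIMITED failed attempts is a
--    brute-force target and should be moved to a profile that locks.
SELECT u.username, u.profile
  FROM dba_users    u
  JOIN dba_profiles p
    ON p.profile       = u.profile
 WHERE p.resource_name  = 'FAILED_LOGIN_ATTEMPTS'
   AND p.limit          = 'UNLIMITED'
   AND u.account_status = 'OPEN';
```

If a real user does get locked out by a guessing attempt before the window expires, ALTER USER username ACCOUNT UNLOCK clears it immediately. Pair the profile with a login audit (AUDIT SESSION, or AUDIT CONNECT on older releases) so that repeated failures show up as an attack rather than just as a helpdesk ticket.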



Received on Mon Nov 10 2003 - 07:04:25 CST
