MySQL Connection Control Plugin Brute Force Protection
This article explains the purpose and functionality of the MySQL connection control plugin in mitigating brute-force attacks. We will cover how the plugin delays connection responses after consecutive failed login attempts, how to configure its key variables, and why it is an essential tool for securing database servers against unauthorized access.
A brute-force attack involves an attacker repeatedly attempting to guess database passwords using automated scripts. Because MySQL can process thousands of login requests per second, an attacker with enough time and computing power can eventually compromise weak credentials. The MySQL connection control plugin is designed specifically to disrupt this attack vector by introducing latency into the connection process.
How the Connection Control Plugin Works
Instead of blocking IP addresses entirely, the connection control plugin slows down the server’s response time for failed login attempts. When a client fails to authenticate, the plugin tracks the failure. Once the number of consecutive failed attempts crosses a predefined threshold, the plugin forces a delay before sending the authentication failure response back to the client.
This delay has two primary defensive benefits: 1. Throttling the Attacker: By forcing a delay (e.g., 1 to 2 seconds per attempt), the rate at which an attacker can guess passwords drops from thousands per minute to just a few. This makes brute-forcing highly inefficient and practically useless. 2. Resource Preservation: It prevents the MySQL server from being overwhelmed by authentication overhead during a high-velocity attack.
Key Configuration Variables
To implement this protection, MySQL provides two main plugins:
CONNECTION_CONTROL (which handles the delays) and
CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS (an information
schema table that tracks failed attempts).
Administrators can configure the behavior of these plugins using three system variables:
connection_control_failed_connections_threshold: This defines the number of consecutive failed connection attempts allowed before the server begins imposing a delay. The default is typically 3.connection_control_min_connection_delay: The minimum delay (in milliseconds) applied to connection responses once the threshold is exceeded. For example, a value of 1000 represents a 1-second delay.connection_control_max_connection_delay: The maximum delay (in milliseconds) the server can impose. This prevents the delay from growing infinitely, capping it at a manageable limit (e.g., 10000 milliseconds or 10 seconds).
Once a client successfully authenticates, the consecutive failure counter for that specific account/host combination resets, and subsequent successful connections occur without any artificial delay. By enabling and configuring this plugin, database administrators can significantly harden their MySQL instances against automated password-guessing exploits.