
Note: All the posts are based on practical approach avoiding lengthy theory. All have been tested on some development servers. Please don’t test any post on production servers until you are sure.

Wednesday, November 13, 2013

Avoiding Logon Storm (DoS) on Oracle Database

A logon storm is a sudden spike in the number of client connection requests. Logon storms can occur for a variety of reasons: they could be malicious, like a DoS attack, or they could be the side effect of an administrative action, such as a middle tier coming online.


The process of starting a database session has inherent CPU costs associated with it, from the creation of a new OS process to attaching to the SGA. Every system has a limit above which the spawning of new database sessions can starve existing sessions of CPU resources. This can have many unexpected consequences, including application timeouts, increased response times, unresponsiveness and other cascading effects.
Oracle 11g supports throttling of incoming connections. With the Connection Rate Limiter feature, you can specify limits on the number of new connections handled by the listener. When a limit is specified, the listener imposes an artificial limit on the number of new connections it handles every second. This slows down the rate of database session creation, which lowers the amount of CPU resources used for servicing incoming connections.
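Before throttling, it helps to know what a storm looks like in the listener's own records. The script below is an added example (not from this post) that counts connection-establish entries per second in lines laid out like an Oracle 11g listener.log (each field separated by " * ", timestamp first, action fourth) and flags seconds above a threshold, naming the busiest client host. The sample lines are constructed for the example, and the threshold of 10 per second is an assumption chosen to match the limits used later in this post.

```python
"""Crude logon-storm detector: count "establish" entries per second in
listener.log-style lines and flag seconds that exceed a threshold."""
import re
from collections import Counter, defaultdict
from datetime import datetime

TS_FORMAT = "%d-%b-%Y %H:%M:%S"  # listener.log timestamp, e.g. 13-NOV-2013 10:15:02


def make_establish(ts, host, port, program):
    """Build one constructed listener.log-style establish line (sample data only)."""
    return (f"{ts} * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM={program})"
            f"(HOST={host})(USER=app))) * (ADDRESS=(PROTOCOL=tcp)(HOST={host})"
            f"(PORT={port})) * establish * orcl * 0")


# Constructed sample: two quiet seconds, then 12 connections in one second
# from a single application host (the kind of burst a middle tier restart causes).
SAMPLE_LINES = [
    make_establish("13-NOV-2013 10:15:00", "10.0.0.5", 51234, "sqlplus"),
    "13-NOV-2013 10:15:00 * service_update * orcl * 0",   # not a connection
    make_establish("13-NOV-2013 10:15:01", "10.0.0.7", 40001, "jdbc"),
    make_establish("13-NOV-2013 10:15:01", "10.0.0.7", 40002, "jdbc"),
] + [make_establish("13-NOV-2013 10:15:02", "10.0.0.7", 40100 + i, "jdbc")
     for i in range(12)]


def parse_establish(line):
    """Return (timestamp, client_host) for an establish line, else None."""
    fields = [f.strip() for f in line.split(" * ")]
    if len(fields) < 6 or fields[3] != "establish":
        return None
    try:
        ts = datetime.strptime(fields[0], TS_FORMAT)
    except ValueError:
        return None
    # The third field is the client ADDRESS section; pull its HOST value.
    m = re.search(r"\(HOST=([^)]*)\)", fields[2])
    return ts, (m.group(1) if m else "unknown")


def connections_per_second(lines):
    """Map each second to its establish count, and to a per-host Counter."""
    per_second = Counter()
    hosts_per_second = defaultdict(Counter)
    for line in lines:
        parsed = parse_establish(line)
        if parsed is None:
            continue
        ts, host = parsed
        per_second[ts] += 1
        hosts_per_second[ts][host] += 1
    return per_second, hosts_per_second


def storm_seconds(lines, threshold):
    """Seconds whose establish count exceeds `threshold`, as
    (timestamp string, count, busiest client host), oldest first."""
    per_second, hosts_per_second = connections_per_second(lines)
    flagged = []
    for ts in sorted(per_second):
        n = per_second[ts]
        if n > threshold:
            busiest = hosts_per_second[ts].most_common(1)[0][0]
            flagged.append((ts.isoformat(sep=" "), n, busiest))
    return flagged


if __name__ == "__main__":
    for ts, n, host in storm_seconds(SAMPLE_LINES, threshold=10):
        print(f"{ts}: {n} new connections in one second, busiest host {host}")
```

Run against a real listener.log the threshold should be set from the system's own baseline; the point of the script is to show whether the spike is spread across many clients (a likely attack or a misbehaving pool) or concentrated on one host (typically an administrative event such as a middle tier coming online).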
Connection Rate Limiter Parameters
This feature is controlled through the two listener.ora configuration parameters:

CONNECTION_RATE_listenername

It is used to specify a global rate that is enforced across all listening endpoints that are rate-limited. When this parameter is specified, it overrides any endpoint-level numeric rate values that might be specified.

RATE_LIMIT

It is used to indicate that a particular listening endpoint is rate limited. The parameter is specified in the ADDRESS section of the listener endpoint configuration.
Example 1
In the example below, the total number of new connections through ports 1521 and 1522 is limited to 10 every second. Connections through port 1523 are not limited and do not count towards the overall rate of 10 connections every second.

CONNECTION_RATE_LISTENER=10

LISTENER= 
  (ADDRESS_LIST=
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)(RATE_LIMIT=yes))
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1522)(RATE_LIMIT=yes))
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1523))
   )

Example 2
In the example below, the connection rates are enforced at the endpoint level. A maximum of 5 connections are processed through port 1521 every second. The limit for connections through port 1522 is 10 every second. Connections through port 1523 are not limited.

LISTENER=
  (ADDRESS_LIST=
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)(RATE_LIMIT=5))
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1522)(RATE_LIMIT=10))
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1523))
   )


Remember: if you also specify CONNECTION_RATE_LISTENER, then the endpoint-level limits on ports 1521 and 1522 are ignored and the global value is used instead.
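The precedence rule above (a global CONNECTION_RATE_listenername overrides numeric RATE_LIMIT values; endpoints without RATE_LIMIT are never limited) is easy to get wrong when both examples are combined. The following is an added example, not part of this post, that parses a listener.ora fragment in Oracle's parenthesised name-value format and reports the effective per-port limit. It embeds the two example configurations from this post as its inputs; the listener name defaults to LISTENER, and the "review" verdict for a RATE_LIMIT=yes endpoint with no global rate is this example's own audit finding, not a statement of how the listener behaves in that case.

```python
"""Compute the effective connection-rate limit per listener endpoint from a
listener.ora fragment, applying the precedence rules described in the post."""

# Example 1 from the post: global rate shared by the RATE_LIMIT=yes endpoints.
EXAMPLE_1 = """
CONNECTION_RATE_LISTENER=10

LISTENER=
  (ADDRESS_LIST=
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)(RATE_LIMIT=yes))
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1522)(RATE_LIMIT=yes))
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1523))
   )
"""

# Example 2 from the post: numeric limits enforced per endpoint.
EXAMPLE_2 = """
LISTENER= (ADDRESS_LIST=
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)(RATE_LIMIT=5))
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1522)(RATE_LIMIT=10))
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1523))
   )
"""


def parse_nv(text):
    """Parse Oracle's (KEY=VALUE) format into nested lists of (key, value) pairs.
    Scalars are strings; grouped values are lists of pairs (keys upper-cased)."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_value(top=False):
        nonlocal pos
        skip_ws()
        if pos < len(text) and text[pos] == "(":
            items = []
            while True:
                skip_ws()
                if pos >= len(text) or text[pos] != "(":
                    return items
                items.append(parse_pair())
        # Scalar: inside parentheses it runs to ')'; at top level also to end of line.
        stop = "()\n" if top else "()"
        start = pos
        while pos < len(text) and text[pos] not in stop:
            pos += 1
        return text[start:pos].strip()

    def parse_pair():
        nonlocal pos
        skip_ws()
        pos += 1  # consume '('
        eq = text.index("=", pos)
        key = text[pos:eq].strip().upper()
        pos = eq + 1
        value = parse_value()
        skip_ws()
        pos += 1  # consume ')'
        return key, value

    pairs = []
    while True:
        skip_ws()
        if pos >= len(text):
            return pairs
        eq = text.index("=", pos)
        key = text[pos:eq].strip().upper()
        pos = eq + 1
        pairs.append((key, parse_value(top=True)))


def effective_limits(listener_ora, listener_name="LISTENER"):
    """Map each PORT to (mode, rate): mode is 'global' (shared pool at the
    CONNECTION_RATE_<listener> value), 'endpoint' (its own numeric RATE_LIMIT),
    'unlimited' (no RATE_LIMIT, so it never counts against any limit), or
    'review' (RATE_LIMIT=yes but no global rate configured)."""
    conf = dict(parse_nv(listener_ora))
    global_rate = conf.get(f"CONNECTION_RATE_{listener_name}")
    addresses = []

    def walk(node):  # collect every ADDRESS group under the listener entry
        if isinstance(node, list):
            for key, value in node:
                if key == "ADDRESS" and isinstance(value, list):
                    addresses.append(dict(value))
                else:
                    walk(value)

    walk(conf.get(listener_name))
    limits = {}
    for addr in addresses:
        port, rate = addr.get("PORT", "?"), addr.get("RATE_LIMIT")
        if rate is None:
            limits[port] = ("unlimited", None)
        elif global_rate is not None:          # global value wins over endpoint numbers
            limits[port] = ("global", int(global_rate))
        elif rate.lower() == "yes":
            limits[port] = ("review", None)
        else:
            limits[port] = ("endpoint", int(rate))
    return limits


if __name__ == "__main__":
    for name, conf in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, effective_limits(conf))
```

Ports reported as unlimited are the ones a logon storm can still reach at full rate, so an audit of a production listener.ora should list them explicitly rather than assuming the global value covers every endpoint.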
