Magento – F5 key Flood and “Error log record number reporting” page

Tags: magento-1.9, MySQL, Security

I have a VM for testing Magento. The configuration is a classic LAMP stack. Everything works fine, but I discovered a big issue in running Magento: F5 flood.

1) Visit any page you want.

2) Keep the F5 key pressed. The page refreshes in no time.

3) After a few seconds you will get a "There has been an error processing your request" title page with the content:

There has been an error processing your request
Exception printing is disabled by default for security reasons.
Error log record number: 535430423605

4) Continue keeping F5 pressed. You can see the log number change. Do this for at least 2 minutes.

5) Go to the Magento installation folder, then var/report. You will see tons of logs, all of them telling you "User admin already has more than 'max_user_connections' active connections".

Conclusion

1) The number of logs is huge. Same IP, same session, same user: why tons of logs? Just one should be fine!

2) The size of every log file is around 3k. In 60 seconds I could get 20M occupied by the logs. Imagine someone who continues for 1 day; how big will the report folder become?

Question

1) Is there any option in Magento to prevent such abuse from reloading a page, so that it does not generate tons of reports or even the report page? Something like making the visitor think you have a cache server or load balancing, because he can keep F5 pressed for 5 minutes and when he releases the key everything loads as normal. Having just one report, and a page other than the one with the error report, would be fine; seeing lots of new error reports is not normal, and it really pushes a visitor who sees something like that to abuse it.

2) What is the best way to get rid of this situation, the error-report generation, this ugly page?

Thank you!

Best Answer

The attack vector you should worry about is not a certain user pressing F5 for 5 minutes or a day, but any program or script that automatically calls your website. Setting a connection limit prevents high load on the server, which can be caused by a DoS (Denial of Service) attack.

max_user_connections is the maximum number of simultaneous connections permitted to any given MySQL user account (your MySQL-user seems to be admin). The default value for max_user_connections is 0 (which means "no limit", see MySQL documentation).

If you are on a shared host that has set this limit for your webspace, there will (hopefully) be a valid reason.

One reason for this setting to be applied on shared hosting could be that it protects the other clients' services if one of the clients on the shared host gets DoS-attacked. It does not kill the whole (MySQL) server in this case.

Update: I overlooked that you do your testing in a local VM. So this configuration is up to you. You can adjust the limit in /etc/my.cnf.

Ways of coping with it:

  • Adjust your setting on your local VM.
  • If on shared hosting: Talk to your provider about whether he can/wants to raise the limit for you
  • For the live webshop: Move to a dedicated server where you can control and adjust these settings
  • Caching can help to reduce the number of requests to your database-server
  • Check the var/report directory and empty old reports regularly, or even better: set up monitoring which checks the var/report directory for the number of files and gives you a warning.
  • Regarding the "ugly page": The error-report page can be adapted to your webshop-design.
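The monitoring and clean-up the answer suggests for var/report, as an added example that is not part of the original answer or of Magento itself. It counts the report files in the directory, tallies how many of them carry the max_user_connections message seen in the question, alerts above a threshold, and can purge reports older than a given number of days. The directory path, the threshold and the retention period are assumptions chosen for illustration; the limit itself is still set in /etc/my.cnf as the answer describes.

```shell
#!/bin/sh
# Added example (not from the original answer or from Magento): a small
# monitor for Magento 1's var/report directory. Paths and thresholds below
# are assumptions for illustration; adjust them to your installation.
#
# The connection limit that produces these reports lives in MySQL, e.g. in
# /etc/my.cnf under [mysqld] as max_user_connections (0 = no limit), and is
# not changed by this script.

# Count the report files Magento has written into the given directory.
# Magento 1 writes one plain file per report, named by its record number.
report_count() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# Count how many of those reports mention the MySQL max_user_connections
# error, so the alert can say whether the database limit is the cause.
conn_limit_count() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -maxdepth 1 -type f -exec grep -l "max_user_connections" {} + 2>/dev/null \
        | wc -l | tr -d ' '
}

# Exit status 0 while the number of reports is below the threshold,
# 1 when it reaches the threshold and the operator should be warned.
check_reports() {
    dir="$1"
    threshold="${2:-100}"   # assumed default: warn at 100 report files
    n=$(report_count "$dir")
    if [ "$n" -ge "$threshold" ]; then
        echo "WARNING: $n reports in $dir (threshold $threshold); $(conn_limit_count "$dir") mention max_user_connections"
        return 1
    fi
    echo "OK: $n reports in $dir"
    return 0
}

# Delete reports older than the given number of days (assumed default: 7),
# which is the "empty old reports regularly" step; run it from cron.
purge_old_reports() {
    dir="$1"
    days="${2:-7}"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f -mtime +"$days" -delete
}

# Usage when run directly, e.g. from cron every few minutes:
#   sh report_monitor.sh /var/www/magento/var/report 100 7
if [ "${0##*/}" = "report_monitor.sh" ]; then
    purge_old_reports "${1:-/var/www/magento/var/report}" "${3:-7}"
    check_reports "${1:-/var/www/magento/var/report}" "${2:-100}"
fi
```

Because check_reports returns a non-zero status when the threshold is reached, it can be wired into any existing monitoring that runs shell checks (a cron job that mails on failure, or a Nagios-style plugin wrapper) without further changes.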