A Very Sleepy MySQL Attack

The real problem here is SQL injection... Not sleep

<i>why do vanilla MySQL packages come with SLEEP() even enabled? Why not make it an option?</i><p>Because it&#x27;s a good &quot;canary&quot; for SQL injection: it doesn&#x27;t do any real damage, but it&#x27;s noticeable enough to tell you that you have a possibly vulnerable condition.

SQL injection is pretty non-existent these days as frameworks and WAF evolves (assuming a company doing at least minimum of security practices). It doesn&#x27;t seem there&#x27;s a point in blocking such attacks at the DBMS side.<p>Given the function has a valid use and there are other ways to do damage to the database system, I don&#x27;t see it&#x27;s something that stands out. There are numerous ways for doing database probe or even RCE, thus this is no more than one of them.

Btw, PostgreSQL has pg_sleep()<p><a href="https:&#x2F;&#x2F;www.postgresql.org&#x2F;docs&#x2F;current&#x2F;functions-datetime.html" rel="nofollow">https:&#x2F;&#x2F;www.postgresql.org&#x2F;docs&#x2F;current&#x2F;functions-datetime.h...</a><p><pre><code> SELECT pg_sleep(1.5); SELECT pg_sleep_for(&#x27;5 minutes&#x27;); SELECT pg_sleep_until(&#x27;tomorrow 03:00&#x27;); </code></pre> Maybe useful for debugging? <a href="https:&#x2F;&#x2F;www.endpoint.com&#x2F;blog&#x2F;2012&#x2F;11&#x2F;05&#x2F;how-to-make-postgresql-query-slow" rel="nofollow">https:&#x2F;&#x2F;www.endpoint.com&#x2F;blog&#x2F;2012&#x2F;11&#x2F;05&#x2F;how-to-make-postgre...</a>

If you take away SLEEP, the attacker will exploit something else during their test. Better SLEEP than really badly customized DROP or DELETE statements to see if their last created resource is affected.<p>Why not monitor for SLEEP execution instead?

I don&#x27;t get it. &quot;This makes discovery very slightly easier (only in the most awful sql-injection code you can imagine)&quot;. Why should we care about that?

If you are vulnerable to `sleep()` you are vulnerable to `drop table...` and `select * from users...` . Sleep is not the issue at all.

Isn&#x27;t there a way to make the database very slow by a complicated but generic query. Thinking about e.g. oracle&#x27;s connect by + dual<p>If this is the case, removing sleep doesnt help you. Just run a slow query

that is why you put your database behind a firewall and not expose its port to the public internet. There is really no need except for a handful of really edge cases where you have to expose the port to the internet even then you can limit the access to specific hosts only.