DO0286-ORACLE11 - The Oracle INBOUND_CONNECT_TIMEOUT and SQLNET.INBOUND_CONNECT_TIMEOUT parameters should be set to a value greater than 0 - '$ORACLE_HOME/network/admin/sqlnet.ora SQLNET.INBOUND_CONNECT_TIMEOUT = 0'

Information

The INBOUND_CONNECT_TIMEOUT_[listener-name] and SQLNET.INBOUND_CONNECT_TIMEOUT parameters define how long the database listener and the database server, respectively, will wait for a client connection to complete after a connection request is made. This limit protects the listener and database server from a denial-of-service attack in which a client makes many connection requests that it neither uses nor closes. Server resources can be exhausted if unused connections are maintained.

Solution

Using a text editor or administrative tool, modify the listener.ora file to include a limit for connection request timeouts for the listener.

Example entry (value unit is in seconds):

INBOUND_CONNECT_TIMEOUT_LISTENER = 2

Modify the sqlnet.ora file to include a limit for connection request timeouts for the database server.

Example entry (value unit is in seconds):

SQLNET.INBOUND_CONNECT_TIMEOUT = 3

Review the Oracle Net Services Administrator's Guide for information about configuring these parameters.
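One way to verify both settings after editing the files, as an added example that is not part of the STIG or of the audit plugin: the script parses the text of listener.ora and sqlnet.ora and reports each timeout parameter that is missing or not greater than 0. The function names, the default listener name LISTENER, the choice to report a missing parameter as a finding, and the sample file contents are assumptions of this example.

```python
import re

# "NAME = value" on one line; names are matched case-insensitively (assumption
# of this example). Nested "(...)" values, e.g. listener addresses, are skipped.
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*([^\s#()]+)\s*(?:#.*)?$")

def parse_params(text):
    """Return {UPPERCASE_NAME: raw_value} for scalar entries, ignoring comments."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params

def check_timeout(params, name):
    """Return a finding string, or None if the value is an integer greater than 0."""
    raw = params.get(name.upper())
    if raw is None:
        return f"{name}: not set"
    if not re.fullmatch(r"[0-9]+", raw) or int(raw) <= 0:
        return f"{name}: value {raw!r} is not greater than 0"
    return None

def audit(listener_ora, sqlnet_ora, listener_names=("LISTENER",)):
    """Check each named listener's timeout and the server-side sqlnet.ora timeout."""
    lparams = parse_params(listener_ora)
    results = [check_timeout(lparams, f"INBOUND_CONNECT_TIMEOUT_{n}") for n in listener_names]
    results.append(check_timeout(parse_params(sqlnet_ora), "SQLNET.INBOUND_CONNECT_TIMEOUT"))
    return [r for r in results if r]

# Constructed sample file contents (not taken from a real system).
SAMPLE_LISTENER_ORA = """\
LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
inbound_connect_timeout_listener = 2
"""
SAMPLE_SQLNET_ORA = """\
# SQLNET.INBOUND_CONNECT_TIMEOUT = 3
SQLNET.INBOUND_CONNECT_TIMEOUT = 0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTENER_ORA, SAMPLE_SQLNET_ORA):
        print("FINDING:", finding)
```

Pass the names of all listeners defined on the host in listener_names, since the listener parameter is set per listener.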

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-12, CAT|II, Rule-ID|SV-24890r1_rule, STIG-ID|DO0286-ORACLE11, Vuln-ID|V-3862

Plugin: Unix

Control ID: b4eb952e0ddc6ac4cf424249c5166371e4747c2b2425b1c5288dd3f8b7a30eca