MS SQL Reflection Attack Technique
Date: 13 March 2015
The purpose of this alert is to bring attention to recently published security risks associated with the Microsoft SQL Server Resolution Protocol (MC-SQLR).
CCIRC is aware, through open source reporting, of a technique that abuses the Microsoft SQL Server Resolution Protocol to launch a reflection-based distributed denial of service (DDoS) attack.
The attack abuses the way a Microsoft SQL Server answers client queries to the Microsoft SQL Server Resolution Protocol (MC-SQLR) service, which listens on UDP port 1434.
The SQL Server Resolution Protocol is used whenever a client needs information about an MS SQL Server. When a client contacts a database server, the server replies over MC-SQLR with a list of its database instances, which helps the client identify the instance it is attempting to communicate with.
Attackers can abuse exposed SQL servers by sending scripted requests from a spoofed source IP address, so that the server's responses are directed at the intended target. The number of database instances on the affected SQL server determines the size of each response and therefore the amplification factor of the attack.
CCIRC recommends the following mitigations and workarounds for affected systems:
- The use of ingress and egress filters applied to SQL Server ports at firewalls, routers, or edge devices may prevent this attack. If there is a business case for keeping UDP 1434 open, it should be filtered to only allow trusted IP addresses.
- Block inbound connections from the Internet, if ports are not needed for external access or administration.
- The SQL Server Resolution Protocol service is not needed on servers that host only one database instance. It has been disabled by default since Microsoft SQL Server 2008; however, it is enabled on earlier versions and on the desktop engine versions. Consider disabling the SQL Server Resolution Protocol service to prevent abuse of the SQL Server.
- If the use of SQL Server Resolution Protocol service is needed, add an additional layer of security before the service is accessed, such as authentication via secure methods (SSH, VPN) or filtering.
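As an added example (not part of the CCIRC alert), the following Python models the exchange described above: the one-byte CLNT_UCAST_EX request to UDP 1434 and the SVR_RESP instance list the server returns, so that the amplification factor per instance can be measured, together with the trusted-address check behind the first mitigation. The server names, instance names and flow records are constructed sample data.

```python
import ipaddress
import struct

# MC-SQLR message types as defined in the protocol specification.
CLNT_UCAST_EX = b"\x03"  # one-byte client request: "list all instances"
SVR_RESP = 0x05          # server reply: type byte, 2-byte little-endian length, text body

# Constructed sample data (not from a real server or capture).
SAMPLE_INSTANCES = [
    {"ServerName": "SQLHOST01", "InstanceName": "MSSQLSERVER", "Version": "10.50.1600.1", "tcp": "1433"},
    {"ServerName": "SQLHOST01", "InstanceName": "SQLEXPRESS", "Version": "10.50.1600.1", "tcp": "49152"},
]
SAMPLE_FLOWS = [  # outbound UDP flows seen at the edge; source port 1434 = MC-SQLR replies
    {"proto": "udp", "src_ip": "10.1.2.3", "src_port": 1434, "dst_ip": "10.0.0.5", "bytes": 187},
    {"proto": "udp", "src_ip": "10.1.2.3", "src_port": 1434, "dst_ip": "203.0.113.7", "bytes": 187},
]

def build_svr_resp(instances):
    """Build an SVR_RESP datagram: one key;value record per instance, each ending in ';;'."""
    body = b"".join(
        "ServerName;{ServerName};InstanceName;{InstanceName};IsClustered;No;"
        "Version;{Version};tcp;{tcp};;".format(**inst).encode("ascii")
        for inst in instances
    )
    return struct.pack("<BH", SVR_RESP, len(body)) + body

def parse_svr_resp(datagram):
    """Parse an SVR_RESP into one dict per instance; reject anything that is not SVR_RESP."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an MC-SQLR SVR_RESP datagram")
    (size,) = struct.unpack_from("<H", datagram, 1)
    body = datagram[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        if record:  # split leaves an empty string after the final ';;'
            fields = record.split(";")
            instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances

def amplification_factor(response, request=CLNT_UCAST_EX):
    """Payload-level amplification: reply bytes per byte of the (spoofed) request."""
    return len(response) / len(request)

def flag_untrusted_replies(flows, trusted_nets):
    """Return UDP/1434 replies whose destination lies outside the trusted address list."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    return [f for f in flows
            if f["proto"] == "udp" and f["src_port"] == 1434
            and not any(ipaddress.ip_address(f["dst_ip"]) in net for net in nets)]
```

Building a response from `SAMPLE_INSTANCES` and parsing it back recovers both instances and shows that every extra instance adds roughly 90 bytes to a reply triggered by a 1-byte request; `flag_untrusted_replies(SAMPLE_FLOWS, ["10.0.0.0/8"])` flags the reply leaving toward 203.0.113.7.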
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that CCIRC's PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118