MS SQL Reflection Attack Technique

Number: AL15-003
Date: 13 March 2015

Purpose

The purpose of this alert is to bring attention to recently published security risks associated with Microsoft SQL Server Resolution Protocol (MC-SQLR).

Assessment

CCIRC is aware, through open source reporting, of a technique that abuses the Microsoft SQL Server Resolution Protocol to launch a reflection-based distributed denial of service (DDoS) attack.

The attack abuses the way a Microsoft SQL Server responds to client queries over the Microsoft SQL Server Resolution Protocol (MC-SQLR), which listens on UDP port 1434.

The SQL Server Resolution Protocol is used whenever a client needs information about an MS SQL Server. When a client contacts a database server, the server replies over MC-SQLR with a list of its database instances, which helps the client identify the instance it is trying to reach.

Attackers can abuse exposed SQL servers by sending scripted requests with a spoofed source IP address, so that the server's replies are directed at the intended target. The number of instances present on the affected SQL server determines the size of the reply and therefore the amplification factor of the attack.
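The following is an added example written for this alert, not code from CCIRC or from the referenced reports. It shows why the instance count drives the amplification factor: it parses a SQL Server Browser (MC-SQLR) response, counts the advertised instances, compares the reply size with the single-byte request that elicits it, and applies a simple flow-record heuristic a defender can use to spot a Browser service answering Internet hosts. The packet layout assumed here (0x05 type byte, 2-byte little-endian length, then ';'-separated key/value text with one record per instance terminated by ';;') follows the MC-SQLR specification as I recall it and should be treated as an assumption; all packets, host names, versions and flow records are constructed sample data.

```python
"""Added example (not CCIRC's code): MC-SQLR SVR_RESP parser, amplification
estimate, and a flow heuristic for exposed SQL Server Browser services.

Assumed layout (MC-SQLR spec as recalled; treat as an assumption):
  SVR_RESP = 0x05 | RESP_SIZE (2 bytes, little-endian) | RESP_DATA (ASCII)
  RESP_DATA = one record per instance, e.g.
  "ServerName;HOST;InstanceName;INST;IsClustered;No;Version;V;tcp;1433;;"
The broadcast request that elicits every instance (CLNT_BCAST_EX) is 1 byte.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SVR_RESP = 0x05
CLNT_BCAST_EX_LEN = 1  # one byte on the wire buys the whole instance list


@dataclass
class Instance:
    server: str
    instance: str
    version: str
    tcp_port: Optional[int]


def build_svr_resp(instances: list[Instance]) -> bytes:
    """Build a SVR_RESP packet from constructed sample instances (test data
    for the parser, laid out the way an assumed Browser service reply is)."""
    records = []
    for inst in instances:
        rec = (f"ServerName;{inst.server};InstanceName;{inst.instance};"
               f"IsClustered;No;Version;{inst.version};")
        if inst.tcp_port is not None:
            rec += f"tcp;{inst.tcp_port};"
        records.append(rec + ";")  # record terminator makes it ';;'
    payload = "".join(records).encode("ascii")
    return bytes([SVR_RESP]) + len(payload).to_bytes(2, "little") + payload


def parse_svr_resp(packet: bytes) -> list[Instance]:
    """Parse a SVR_RESP packet into the instances it advertises."""
    if len(packet) < 3 or packet[0] != SVR_RESP:
        raise ValueError("not an MC-SQLR SVR_RESP packet")
    size = int.from_bytes(packet[1:3], "little")
    data = packet[3:3 + size]
    if len(data) != size:
        raise ValueError("truncated SVR_RESP payload")
    text = data.decode("ascii", errors="replace")
    out = []
    for record in text.split(";;"):
        fields = record.strip(";").split(";")
        if len(fields) < 2 or not fields[0]:
            continue
        kv = dict(zip(fields[0::2], fields[1::2]))  # key;value pairs
        port = kv.get("tcp")
        out.append(Instance(
            server=kv.get("ServerName", ""),
            instance=kv.get("InstanceName", ""),
            version=kv.get("Version", ""),
            tcp_port=int(port) if port and port.isdigit() else None,
        ))
    return out


def amplification_factor(packet: bytes, request_len: int = CLNT_BCAST_EX_LEN) -> float:
    """Bytes the reflector emits per byte the spoofed request costs."""
    return len(packet) / request_len


@dataclass
class Flow:  # constructed flow-record shape (NetFlow-like summary)
    src_ip: str
    src_port: int
    dst_ip: str
    proto: str
    bytes_out: int
    packets: int


def flag_reflection_flows(flows: list[Flow], internal_nets: list[str],
                          min_bytes_per_packet: int = 200) -> list[Flow]:
    """Flag UDP flows leaving port 1434 toward addresses outside the
    organisation's networks with large average datagrams: a Browser service
    sending long instance lists to the Internet is exposed or already being
    used as a reflector."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    flagged = []
    for f in flows:
        if f.proto != "udp" or f.src_port != 1434 or f.packets == 0:
            continue
        dst = ipaddress.ip_address(f.dst_ip)
        if any(dst in n for n in nets):
            continue  # legitimate internal instance discovery
        if f.bytes_out / f.packets >= min_bytes_per_packet:
            flagged.append(f)
    return flagged


SAMPLE_INSTANCES = [  # constructed sample data
    Instance("DBHOST01", "MSSQLSERVER", "10.50.1600.1", 1433),
    Instance("DBHOST01", "SQLEXPRESS", "11.0.2100.60", 49172),
    Instance("DBHOST01", "REPORTING", "12.0.2000.8", None),
]
SAMPLE_FLOWS = [  # constructed sample data
    Flow("10.0.0.5", 1434, "10.0.0.20", "udp", 264, 1),         # internal lookup
    Flow("10.0.0.5", 1434, "203.0.113.7", "udp", 132000, 500),  # 264 B x 500 to outside
    Flow("10.0.0.5", 1433, "203.0.113.7", "tcp", 1200, 10),     # normal TDS session
    Flow("10.0.0.5", 1434, "198.51.100.9", "udp", 40, 1),       # tiny reply, ignore
]

if __name__ == "__main__":
    pkt = build_svr_resp(SAMPLE_INSTANCES)
    print(len(parse_svr_resp(pkt)), "instances;", amplification_factor(pkt), "x amplification")
    for f in flag_reflection_flows(SAMPLE_FLOWS, ["10.0.0.0/8"]):
        print("suspect reflection flow:", f)
```

Each additional instance adds roughly 80 to 90 bytes to the reply, so a server with a handful of instances already answers a one-byte datagram with a few hundred bytes; the flow check keys on that ratio rather than on packet counts, because a reflector's outbound volume toward a single external address is the observable symptom.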

Suggested action

CCIRC recommends the following mitigations and workarounds for affected applications:

References

MS SQL Reflection DDoS Attacks
http://www.stateoftheinternet.com/resources-web-security-threat-advisories-2015-ms-sql-server-reflection-ddos-mc-sqlr.html

SQL Server Browser Service
https://technet.microsoft.com/en-us/library/ms181087%28v=sql.105%29.aspx

Connecting to SQL Server over the Internet
https://msdn.microsoft.com/en-us/library/ms175483.aspx

MS SQL Server Resolution Service enables reflected DDoS with 440x amplification
http://kurtaubuchon.blogspot.ca/2015/01/mc-sqlr-amplification-ms-sql-server.html

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca