Internet Accessible Microsoft SQL Server Resolution Service

Description

The Microsoft SQL Server Resolution Service (MC-SQLR), referred to in Microsoft Corporation documentation as the Microsoft SQL Browser Service, is a simple application-level protocol that runs as a Microsoft Windows service and is used to query information about SQL database instances on one or more SQL Servers.

MC-SQLR listens on port 1434/UDP.

Problem

An Internet Accessible Microsoft SQL Server Resolution Service may be abused for a Distributed Denial-of-Service (DDoS) Reflection/Amplification attack against third parties.

Furthermore, an Internet accessible MC-SQLR service gives a malicious actor the opportunity, through MC-SQLR enumeration, to identify the SQL Server name and the SQL Service name.

The MC-SQLR service has a Bandwidth Amplification Factor (BAF) of between 1 and 25.

MC-SQLR

Prior to Microsoft SQL Server 2000, only one instance of SQL Server could be installed on a computer. SQL Server listened for incoming requests on port 1433, the port assigned to SQL Server by the Internet Assigned Numbers Authority (IANA). Only one instance of SQL Server can use a given port. When SQL Server 2000 introduced support for multiple instances, the SQL Server Resolution Protocol (SSRP) was developed to listen on port 1434/UDP. This listener service responded to client requests with the names of the installed instances and the ports or named pipes used by each instance. An instance of SQL Server can support 32,767 databases. MC-SQLR was introduced with Microsoft SQL Server 2005 as a replacement for SSRP, owing to certain limitations of SSRP.

When an instance of Microsoft SQL Server starts, a TCP/IP port is assigned if the TCP/IP or Virtual Interface Adapter (VIA) protocol is enabled. If the named pipes protocol is enabled, Microsoft SQL Server listens on a specific named pipe. That port or pipe is used by the specific instance to exchange data with client applications.

During installation, port 1433 and the named pipe \\.\pipe\sql\query are assigned to the default instance. Because only one instance of Microsoft SQL Server can use a given port or pipe, different port numbers and pipe names are assigned to named instances.

By default, named instances are configured to use dynamic ports, so an available port is assigned when Microsoft SQL Server starts. When connecting, the client can specify the desired port. However, if the port is dynamically assigned, the port number can change each time Microsoft SQL Server is restarted, so the correct port number is not known to the client in advance.

On startup, MC-SQLR starts and claims port 1434/UDP. MC-SQLR reads the registry, identifies all Microsoft SQL Server instances on the computer, and notes the ports and named pipes that they use.

MC-SQLR allows a client to identify the database instance with which it is attempting to communicate when connecting to a database server or cluster that hosts multiple instances. Whenever a client needs information on the MS SQL Servers configured on the network, it can query MC-SQLR, and the SQL Server responds with a list of its instances.

A malicious actor seeking to exploit a SQL Server in a DDoS Reflection/Amplification attack sends a scripted MC-SQLR request to the SQL Server with a spoofed source IP address, so that the SQL Server's response is reflected as attack traffic towards the victim. The size of the attack traffic sent to the victim's IP address depends on the number of instances present on the exploited SQL Server.
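As an added example (not part of this advisory and not Microsoft's code), the Python below parses a constructed MC-SQLR SVR_RESP datagram, lists what an unauthenticated Internet client learns from it, and estimates the bandwidth amplification factor; the server, instance, port and pipe names are made up, and the 28-byte IPv4/UDP header overhead used in the factor is an assumption.

```python
"""Parse an MC-SQLR SVR_RESP datagram and estimate the reflection
amplification it offers. The sample response is constructed, not captured."""
import struct
from typing import Dict, List

# CLNT_UCAST_EX: a single 0x02 byte asks the Browser service for every
# instance on the host; this is the small request a reflection attack spoofs.
CLNT_UCAST_EX = b"\x02"

# Assumed IPv4 (20) + UDP (8) header bytes, so the factor is on-the-wire size.
IP_UDP_HEADER_LEN = 28

# Constructed SVR_RESP body: one default and two named instances (made up).
SAMPLE_BODY = (
    b"ServerName;WIN-EXAMPLE;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;11.0.2100.60;tcp;1433;;"
    b"ServerName;WIN-EXAMPLE;InstanceName;REPORTING;IsClustered;No;"
    b"Version;11.0.2100.60;tcp;49172;"
    b"np;\\\\WIN-EXAMPLE\\pipe\\MSSQL$REPORTING\\sql\\query;;"
    b"ServerName;WIN-EXAMPLE;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;11.0.2100.60;tcp;49173;;"
)
# SVR_RESP = 0x05, little-endian 16-bit body length, ASCII body.
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY


def parse_svr_resp(datagram: bytes) -> List[Dict[str, str]]:
    """Return one dict per instance (keys such as ServerName, tcp, np)."""
    if len(datagram) < 3 or datagram[0] != 0x05:
        raise ValueError("not an MC-SQLR SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", datagram, 1)
    body = datagram[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):          # each instance ends with ";;"
        if not record:
            continue
        fields = record.split(";")           # alternating key;value tokens
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes reflected to the victim per byte the attacker must send."""
    return (len(response) + IP_UDP_HEADER_LEN) / (len(request) + IP_UDP_HEADER_LEN)


def exposure_report(datagram: bytes) -> List[str]:
    """What an unauthenticated Internet client learns from one response."""
    return [f"{i.get('ServerName')}\\{i.get('InstanceName')} tcp/{i.get('tcp')}"
            for i in parse_svr_resp(datagram)]
```

Each additional instance adds a further record to the response, which is why the factor grows with the number of instances, in line with the 1 to 25 range stated above.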

Verification

To establish whether a host has an Internet accessible service, simple utility programs or tools included with a standard Linux/Ubuntu distribution can be utilised. The test should not be run on the host itself or from the local network; instead it should be run from a different node on the Internet.

Nmap - (Network Mapper) - (https://nmap.org)

To confirm an Internet accessible MC-SQLR service, the 'Nmap' open source network scanner utility program can be utilised.

Nmap is used to discover hosts and services on a computer network by sending packets and analysing the responses.

Insert the IP address of the host you wish to check for an Internet accessible MC-SQLR service when invoking the 'Nmap' open source network scanner, using the options shown in the following example.

$ nmap -Pn -sV -sU -p U:1434 xxx.xxx.xxx.xxx

An Internet accessible MC-SQLR service will return information similar to that as shown below:

$ nmap -Pn -sV -sU -p U:1434 xxx.xxx.xxx.xxx
Starting Nmap 7.01 ( https://nmap.org ) at 2021-03-24 16:54 GMT
Nmap scan report for www.xxxxxxxxx.ie (xxx.xxx.xxx.xxx)
Host is up.
PORT     STATE SERVICE  VERSION
1434/udp open  ms-sql-m Microsoft SQL Server 11.0.2100.60 (ServerName: WIN-QQ5JFCNML666)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.96 seconds

Options
-Pn        : Treat all hosts as online -- skip host discovery.
-sV        : Probe open ports to determine service/version info.
-sU        : UDP scan.
-p         : Only scan the specified ports.
   U:1434  : Port 1434/UDP on IP address xxx.xxx.xxx.xxx.

Solution

If the MC-SQLR service is not required, disable it to prevent it from being abused.

If the MC-SQLR service is required, restrict access to trusted clients or specific IP addresses.

For security reasons, consideration should be given to blocking access to port 1434/UDP on the firewall.

Supplementary Information

Ingress & Egress Filtering

Ingress filtering is a simple and effective method of limiting the impact of DoS attacks: it denies traffic with a forged (spoofed) source IP address access to the network and helps ensure that traffic is traceable to its correct network.
Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on the networks of other organisations by preventing traffic with a forged (spoofed) source IP address from leaving the network.

Implementing best practice for Ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network, while implementing best practice for Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on the networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link - Ingress & Egress Filtering

UDP Based Denial-of-Service (DoS) Attack

The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a number of properties that make it susceptible to exploitation in DoS attacks against third parties. Additional information on the components and techniques deployed in a UDP based DoS attack can be found at the following link - UDP Based Denial-of-Service (DoS) Attack

Additional Information

Microsoft - Connecting to SQL Server over the Internet
Microsoft - SQL Server Browser Service
Microsoft SQL Server Resolution Protocol
Microsoft Security Best Practices to Protect Internet Facing Web Servers
Networking Howtos - What is the Microsoft SQL Browser Service?
Microsoft - SQL Server Browser Service (Database Engine and SSAS)
Akamai - Security Bulletin: MS SQL Reflection DDoS