Internet Accessible Microsoft SQL Server Resolution Service

Description

The Microsoft SQL (MS-SQL) Server Resolution Service, referred to in Microsoft Corporation documentation as the Microsoft SQL Browser Service, is a simple application-level protocol that runs as a Microsoft Windows Service and is used to query information about MS-SQL database instances on one or more MS-SQL Servers.

The MS-SQL Server Resolution Service listens on port 1434/UDP.

The MS-SQL Server listens on port 1433/UDP.

Problem

An Internet Accessible MS-SQL Server Resolution Service may be abused for a Distributed Denial-of-Service (DDoS) Reflection/Amplification attack against third parties.

In addition, an Internet Accessible MS-SQL Server Resolution Service allows a threat actor, through MS-SQL enumeration, to identify the MS-SQL Server name and the MS-SQL Service name.

The MS-SQL Server Resolution Service has a Bandwidth Amplification Factor (BAF) of between 1:1 and 25:1. The size of the attack traffic sent to the IP address of the victim depends upon the number of instances present on the MS-SQL Server being exploited.

Note: On the 21st Feb 2022, the South Korean cybersecurity company AhnLab Security Emergency Response Center (ASEC) reported that unpatched, Internet Accessible MS-SQL Servers are being targeted by threat actors as part of a campaign to deploy "Beacon", the payload of the Cobalt Strike adversary simulation tool. ASEC also reported observing scans of port 1433/UDP on Internet Accessible MS-SQL servers by unidentified threat actors, who then performed brute force or dictionary attacks against the System Administrator account in an attempt to log in.

The MS-SQL Server Resolution Service

Prior to MS-SQL Server 2000, only one instance of MS-SQL Server could be installed on a computer. The MS-SQL Server listened for incoming requests on port 1433/UDP, the port officially assigned to MS-SQL Server by the Internet Assigned Numbers Authority (IANA). Only one instance of MS-SQL Server can use a given port. When MS-SQL Server 2000 introduced support for multiple instances of MS-SQL Server, the MS-SQL Server Resolution Protocol (SSRP) was developed to listen on port 1434/UDP. This listener service responded to client requests with the names of the installed instances and the ports or named pipes used by each instance. A single MS-SQL Server instance can support 32,767 databases. The MS-SQL Server Resolution Service was introduced with MS-SQL Server 2005 as a replacement for SSRP, due to certain limitations of the latter.

When an instance of MS-SQL Server starts, a TCP/IP port is assigned to it if the TCP/IP or Virtual Interface Adapter (VIA) protocols are enabled. If the named pipes protocol is enabled, the MS-SQL Server listens on a specific named pipe. That port or pipe is used by the instance to exchange data with client applications.

During installation, port 1433/UDP and the MS-SQL query pipe are assigned to the default instance. Because only one instance of MS-SQL Server can use a port or pipe, different port numbers and pipe names are assigned to named instances.

By default, named instances are configured to use dynamic ports, so an available port is assigned when the MS-SQL Server starts. When connecting, the client can specify the desired port. However, if the port is dynamically assigned, the port number can change whenever MS-SQL Server is restarted, so the client no longer knows the correct port number.

On startup, the MS-SQL Resolution Service claims port 1434/UDP. It then reads the registry to identify all MS-SQL Server instances on the computer and notes the ports and named pipes that they use.

The MS-SQL Resolution Service allows a client to identify the database instance it is attempting to communicate with when connecting to a database server or cluster that hosts multiple database instances. Whenever a client needs information on the MS-SQL servers configured on the network, it can query the MS-SQL Resolution Service, and the SQL Server responds with a list of instances.

A threat actor seeking to exploit an MS-SQL server in a DDoS Reflection/Amplification attack sends a scripted MS-SQL Server Resolution Service request to the MS-SQL server with a spoofed source IP address; the response from the MS-SQL server is thereby reflected as attack traffic towards the victim. The size of the attack traffic sent to the IP address of the victim depends upon the number of instances present on the MS-SQL server being exploited.
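To make the instance list and its size concrete, the following is an added Python example, not code from this advisory or from Microsoft, that parses a constructed SVR_RESP datagram of the kind the Browser service returns and computes the reply-to-request size ratio on the wire. It assumes the MS-SQLR wire layout (a 0x05 type byte, a 16-bit little-endian length, then ';'-separated ASCII fields with each instance's record ending in ';;') and 28 bytes of IPv4 plus UDP header per packet; the ServerName and Version values are copied from the nmap output in this advisory, while the SQLEXPRESS instance and its port 49170 are invented for the illustration.

```python
import struct

# MS-SQLR (SSRP) message types: a one-byte CLNT_UCAST_EX request asks a host to
# list every instance; the Browser service answers with a SVR_RESP datagram.
CLNT_UCAST_EX = b"\x03"
SVR_RESP = 0x05
IPV4_UDP_HEADERS = 28  # 20-byte IPv4 header + 8-byte UDP header


def parse_svr_resp(datagram: bytes) -> list[dict[str, str]]:
    """Split a SVR_RESP datagram into one dict of fields per instance.

    Layout: 0x05, 2-byte little-endian RESP_SIZE, then an ASCII RESP_DATA
    string of key;value pairs, with each instance's record ending in ';;'.
    """
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP message")
    (size,) = struct.unpack_from("<H", datagram, 1)
    if 3 + size != len(datagram):
        raise ValueError("RESP_SIZE does not match datagram length")
    instances = []
    for record in datagram[3:].decode("ascii", errors="replace").split(";;"):
        if not record:  # empty piece after the final ';;'
            continue
        fields = record.strip(";").split(";")
        if len(fields) % 2:  # malformed record: a key with no value
            fields.append("")
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def wire_amplification(reply: bytes, request: bytes = CLNT_UCAST_EX) -> float:
    """Reply-to-request size ratio on the wire (IPv4 + UDP headers + payload)."""
    return (IPV4_UDP_HEADERS + len(reply)) / (IPV4_UDP_HEADERS + len(request))


# Constructed sample reply: a default instance plus a named instance on a dynamic
# port. ServerName and Version come from the advisory's nmap output; the
# SQLEXPRESS instance and port 49170 are invented for this illustration.
_DATA = (b"ServerName;WIN-QQ5JFCNML666;InstanceName;MSSQLSERVER;IsClustered;No;"
         b"Version;11.0.2100.60;tcp;1433;;"
         b"ServerName;WIN-QQ5JFCNML666;InstanceName;SQLEXPRESS;IsClustered;No;"
         b"Version;11.0.2100.60;tcp;49170;;")
SAMPLE_REPLY = bytes([SVR_RESP]) + struct.pack("<H", len(_DATA)) + _DATA

if __name__ == "__main__":
    for inst in parse_svr_resp(SAMPLE_REPLY):
        print(f'{inst["InstanceName"]:<12} tcp/{inst["tcp"]}  version {inst["Version"]}')
    print(f"{len(SAMPLE_REPLY)}-byte reply to a 1-byte request: "
          f"{wire_amplification(SAMPLE_REPLY):.1f}:1 on the wire")
```

Every additional instance adds roughly another hundred bytes to the reply while the request stays one byte, which is why the factor grows with the number of instances on the host.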

Verification

To establish whether a host exposes an Internet Accessible service, simple utility programs or tools included with a standard Linux/Ubuntu distribution can be used. The test should not be run on the host itself or from the local network; instead, it should be run from a different node on the Internet.

Nmap (Network Mapper) - https://nmap.org

To confirm an Internet Accessible MS-SQL Server Resolution Service, the 'Nmap' open source network scanner utility program can be utilised.

Nmap is used to discover hosts and services on a computer network by sending packets and analysing the responses.

Insert the IP address of the host you wish to check for an Internet Accessible MS-SQL Server Resolution Service in place of xxx.xxx.xxx.xxx when invoking the 'Nmap' open source network scanner utility program with the options shown in the following example.

$ nmap -Pn -sV -sU -p U:1434 xxx.xxx.xxx.xxx

An Internet Accessible MS-SQL Server Resolution Service will return information similar to that shown below:

$ nmap -Pn -sV -sU -p U:1434 xxx.xxx.xxx.xxx
Starting Nmap 7.01 ( https://nmap.org ) at 2021-03-24 16:54 GMT
Nmap scan report for www.xxxxxxxxx.ie (xxx.xxx.xxx.xxx)
Host is up.
PORT     STATE SERVICE  VERSION
1434/udp open  ms-sql-m Microsoft SQL Server 11.0.2100.60 (ServerName: WIN-QQ5JFCNML666)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 2.96 seconds

Options
-Pn       : Treat all hosts as online (skip host discovery).
-sV       : Probe open ports to determine service/version information.
-sU       : UDP scan.
-p U:1434 : Only scan the specified ports, here port 1434/UDP on IP address xxx.xxx.xxx.xxx.

Solution

If the MS-SQL Server Resolution Service is not required, disable it to prevent it from being abused.

If the MS-SQL Server Resolution Service is required, restrict access to trusted clients or specific IP addresses on the perimeter firewall.

For security reasons, consideration should be given to blocking access to ports 1433/UDP and 1434/UDP on the firewall.

Note: In view of the report released on the 21st Feb 2022 by AhnLab Security Emergency Response Center (ASEC) on Cobalt Strike being distributed to vulnerable MS-SQL servers, constituents are advised to apply all patches and software updates to Internet Accessible MS-SQL servers.

Supplementary Information

Ingress & Egress Filtering

Filter             Description
Ingress Filtering  Ingress filtering is a simple and effective method to limit the impact of DoS attacks by denying traffic with a forged (spoofed) IP source address access to the network, and to help ensure that traffic is traceable to its correct network.
Egress Filtering   Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on the networks of other organisations by preventing traffic with a forged (spoofed) source IP address from leaving the network.

Implementing best practice for Ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network, while implementing best practice for Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on the networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link - Ingress & Egress Filtering

UDP Based Denial-of-Service (DoS) Attack

The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a number of properties that make it susceptible to exploitation for DoS attacks against third parties. Additional information on the components and techniques deployed in a UDP based DoS attack can be found at the following link - UDP Based Denial-of-Service (DoS) Attack

Additional Information

Microsoft - Connecting to SQL Server over the Internet
Microsoft - SQL Server Browser Service
Microsoft SQL Server Resolution Protocol
Shadowserver - Open MS-SQL Server Resolution Service Report
Microsoft - Security Best Practices to Protect Internet Facing Web Servers
Networking Howtos - What is the Microsoft SQL Browser Service?
Microsoft - SQL Server Browser Service (Database Engine and SSAS)
Akamai - Security Bulletin: MS SQL Reflection DDoS
The Hacker News - Hackers Backdoor Unpatched Microsoft SQL Database Servers with Cobalt Strike
AhnLab Security Emergency Response Center - Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers