Wednesday, January 21, 2015

MC-SQLR Amplification: MS SQL Server Resolution Service enables reflected DDoS with 440x amplification

Summary

The MS SQL Server Resolution Service (implemented by the SQL Server Browser service, which listens on UDP port 1434) allows a client to interrogate a host running SQL Server and to receive back detailed information about the SQL Server instances available on it.  The client sends a one-byte request, and the server responds with a variable-length message listing each instance's name, version, TCP port and other connection details.

This service can be abused to conduct reflected DDoS attacks.  Because it runs over UDP, the request's source address can be spoofed to that of the victim, and because the one-byte request is tiny while the server response can run to hundreds of bytes, an attacker gains significant amplification.  A large number of MS SQL Servers are internet-facing, providing ample reflectors for attackers.

This technique was observed in the wild in December 2014, when it was employed as part of a DDoS attack against the website of the City of Columbia, Missouri.  In this incident, the responses arriving at the victim averaged approximately 440 bytes of UDP payload.  Assuming a one-byte request per response, the attack yielded an amplification factor of 440x measured on payloads; the ratio seen on the victim's link is lower, since the IP and UDP headers carried by every packet add to both sides of the comparison.
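To make the numbers in the summary concrete, here is an added Python example (not code from the original post) that builds the one-byte request, builds and parses a server response for a constructed host running four instances, and computes the amplification both on UDP payloads, which is the basis of the 440x figure, and with IPv4 and UDP headers included.  The hostname, instance names and ports are made up; the message-type bytes (0x03 for the client request, 0x05 for the server response) and the "key;value;...;;" response layout are those of the MS-SQLR specification.

```python
"""MC-SQLR (SQL Server Resolution Protocol) request/response walk-through.

Added example for this post, not code from the original article.  The host
and instance names below are constructed; the message-type bytes and the
"key;value;...;;" response layout follow the MS-SQLR specification.
"""
import struct

SQLR_PORT = 1434         # UDP port served by the SQL Server Browser service
CLNT_UCAST_EX = 0x03     # one-byte request: "list every instance on this host"
SVR_RESP = 0x05          # response: type byte, 2-byte little-endian size, ASCII data
IP_UDP_HEADERS = 20 + 8  # IPv4 + UDP header bytes carried by every packet

# Constructed sample: one host running four instances (all names are made up).
SAMPLE_INSTANCES = [
    {"ServerName": "SQLPROD01", "InstanceName": "MSSQLSERVER",
     "IsClustered": "No", "Version": "10.50.1600.1", "tcp": "1433"},
    {"ServerName": "SQLPROD01", "InstanceName": "SHAREPOINT",
     "IsClustered": "No", "Version": "10.50.1600.1", "tcp": "49170",
     "np": r"\\SQLPROD01\pipe\MSSQL$SHAREPOINT\sql\query"},
    {"ServerName": "SQLPROD01", "InstanceName": "SQLEXPRESS",
     "IsClustered": "No", "Version": "11.0.2100.60", "tcp": "49200",
     "np": r"\\SQLPROD01\pipe\MSSQL$SQLEXPRESS\sql\query"},
    {"ServerName": "SQLPROD01", "InstanceName": "REPORTING",
     "IsClustered": "No", "Version": "11.0.2100.60", "tcp": "49210"},
]


def build_request() -> bytes:
    """The whole client payload is the single CLNT_UCAST_EX byte."""
    return bytes([CLNT_UCAST_EX])


def build_response(instances) -> bytes:
    """Serialise instances as a SVR_RESP: each record is "key;value;...;;"."""
    data = "".join(
        "".join(f"{k};{v};" for k, v in inst.items()) + ";" for inst in instances
    ).encode("ascii")
    return struct.pack("<BH", SVR_RESP, len(data)) + data


def sample_response() -> bytes:
    """The response our constructed four-instance host would send."""
    return build_response(SAMPLE_INSTANCES)


def parse_response(pkt: bytes):
    """Parse a SVR_RESP into one dict per instance.

    Rejects anything that is not a SVR_RESP or whose size field disagrees
    with the payload; a detector should check that before trusting content.
    """
    if len(pkt) < 3 or pkt[0] != SVR_RESP:
        raise ValueError("not a SVR_RESP message")
    (size,) = struct.unpack_from("<H", pkt, 1)
    data = pkt[3:]
    if size != len(data):
        raise ValueError(f"size field {size} != payload length {len(data)}")
    instances = []
    for record in data.decode("ascii").split(";;"):
        if record:  # the trailing ";;" leaves one empty record behind
            fields = record.split(";")
            instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def amplification(request: bytes, response: bytes, on_the_wire: bool = False) -> float:
    """Bytes returned per byte sent.

    The post's 440x figure compares UDP payloads.  With on_the_wire=True the
    IPv4+UDP headers are added to both sides, which is what the victim's
    link actually carries and gives a much smaller ratio.
    """
    overhead = IP_UDP_HEADERS if on_the_wire else 0
    return (len(response) + overhead) / (len(request) + overhead)


if __name__ == "__main__":
    req, resp = build_request(), sample_response()
    for inst in parse_response(resp):
        print(inst["InstanceName"], inst["Version"], inst.get("tcp"))
    print(f"request {len(req)} B, response {len(resp)} B")
    print(f"payload amplification: {amplification(req, resp):.0f}x")
    print(f"on the wire (IPv4+UDP): {amplification(req, resp, on_the_wire=True):.1f}x")
```

Run stand-alone, the script shows a payload ratio in the same range as the 440x observed against Columbia, while the on-the-wire ratio for the same packets is around 17x, because the 28 bytes of IPv4 and UDP headers dwarf the one-byte request.  The same parser can be pointed at UDP 1434 responses from a packet capture to see exactly what an internet-facing Browser service hands out to anyone who asks.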

Details

Beginning at about 11:00 PM on Christmas Eve 2014, the website of the City of Columbia, Missouri was hit by a DDoS attack.  Over the course of the next 24 hours, the attacker, going by the handle Bitcoin Baron, used a number of the attack techniques we've all grown accustomed to seeing: NTP amplification, SSDP amplification, and a good old-fashioned SYN flood.  One of the attack techniques hurled at the city, though, was a little out of the ordinary.