What is it?
MS-SQL Server Resolution Service (MC-SQLR) facilitates connections over the Internet to MS SQL database servers.
Why is it a risk?
A Denial of Service attack (DoS) is when an attacker attempts to overwhelm a victim’s server.
A Distributed Denial of Service (DDoS) attack is when the attacker uses many unwitting accomplice computers to attack their victim. By orchestrating the actions of many computers, it is easier for the attacker to overwhelm their victim.
A Reflective Distributed Denial of Service attack (RDDoS) is when an attacker orchestrates the legitimate services of many unwitting accomplices to overwhelm their victim. Here, the attacker poses as the victim and sends legitimate report requests to the accomplices – thereby overwhelming the victim’s computer with the responses. It is difficult to determine the actual source of an RDDoS attack.
If the attacker can send a small command to the accomplices resulting in a large amount of traffic being sent to their victim, this called “amplification.” Amplication is valuable to the attacker because they need fewer accomplices to overwhelm the victim. LDAP can be abused by attackers in this way because there are many (small) LDAP commands that generate large reports.
MS-SQL Server Resolution Service can be used in such a way when it is publicly accessible on the Internet.
The article from the National Cyber Security Coordination and Development Centre (NCC-IE), “Internet Accessible Microsoft SQL Server Resolution Service” (link below) provides a very detailed explanation of how the service works, the vulnerabilities, how to monitor and how to resolve issues.
How can you mitigate the risk?
If the MS-SQL Server Resolution Service is not required, disable it to prevent it from being abused.
If the MS-SQL Server Resolution Service is required, restrict access to trusted clients or specific IP addresses on the perimeter firewall.
For security reasons, consideration should be given to blocking access to port 1433/UDP and 1434/UDP on the firewall
Resources:
NCC-IE: Internet Accessible Microsoft SQL Server Resolution Service
https://www.ncsc.gov.ie/emailsfrom/Shadowserver/DoS/MS-SQL/
