MS SQL Server Resolution Service enables reflected DDoS with 440x amplification - jessaustin
http://kurtaubuchon.blogspot.com/2015/01/mc-sqlr-amplification-ms-sql-server.html

======
malux85
I'm genuinely curious -

What are the reasons for exposing an SQL server directly to the internet?
Obviously there's a bunch of people who have mis-configured and have
accidentally exposed their systems, but are there real-world reasons to expose a
SQL server directly to the net?

I would think most people who are sharing datasets would do so with some sort
of API - and there'd need to be room for rate limiting / blacklisting IPs and
so on. I would never expose a SQL server directly to the net, and I'm really
curious if there are reasons to do so?

~~~
Someone1234
In a word "laziness."

It is just easier to log in and manage an SQL server if it is available on the
internet. I know I'm certainly guilty of doing so for short periods when I'm
off-site with no VPN and need to manage a server.

Some sysadmins just get lazy and leave it available on the internet with
strong passwords 24/7, just so once in a blue moon they can log in and manage
it. Or are doing some kind of site to site data migration and are tired of the
VPN connection dropping.

I've done a site to site SQL migration across two Azure zones because doing it
the "right" way was too complicated/time consuming/expensive. However once the
data was copied across I changed the End Point config to protect the SQL
server again.

I won't make excuses, it is just laziness/expedient. But that is human nature
for you...

~~~
ams6110
It really is simple to use ssh to tunnel a port; that is always how I access
SQL Server remotely. Laziness indeed.

~~~
Someone1234
You use SSH port tunnelling on a Windows Server to access MS SQL? I'd be
surprised if that was "simple." But go ahead and explain it.

~~~
glenk
We do here where I work. We're running Bitvise SSH server on Server R2/2012
and you can use bitvise tunnelier or putty as the client (maybe others, just
have used those two myself) and then connect via management studio once the
SSH tunnel is connected. We also require both key and password auth. We also
do RDP over the SSH connection as you can't remote to those machines directly.

~~~
Someone1234
I'm not sure if $200 in third party software counts as easy. In particular
when you could be using RRAS instead, which is built in.

~~~
glenk
Bitvise server is $100, but now you want both simple and free? It's well worth
the $100 IMO as it's pretty easy to setup and manage accounts and keys. You
only said "simple" before, and I consider it pretty simple to get up and
running. I didn't pay for it, but $100 one time is pretty negligible for what
we use it for.

------
BoppreH
Isn't the 440 figure disingenuous? Surely you must count UDP/TCP header size,
which would bring the value closer to 21/461 ~= 22.

Still an interesting discovery. DDoS amplification is a security risk few
people consider when developing applications.

~~~
mjevans
Agreed. As I see it there are two main design methods for overcoming this
issue.

The first is better for 'anonymous' services; require the client to send a
packet of the same size as the buffer they want to receive. It's network
inefficient but for small requests better than the delay in setting up an actual
session. It eliminates the chance of amplification attacks.

The second is to establish /some/ kind of session. This might be as 'simple'
as logging in, or it could just involve a few round trip communications that
indicate the client /is/ listening to server replies. That eliminates every
DDoS style except for man-in-the-middle-capable amplification vectors; yet
if MitM is possible then why bother with DDoS.
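The header arithmetic BoppreH raises and the two designs mjevans describes, carried through in code. This is an added example, not code from the linked post, from this thread, or from SQL Server; the wire format (`COOKIE?` / `QUERY `), the addresses, the secret and the timings are all constructed for illustration. Design 1 caps every anonymous reply at the request's own payload length; Design 2 is a stateless return-routability cookie (an HMAC over source address and a time bucket) that a spoofed source can never present, so the large reply only ever goes to a host that demonstrably receives the server's packets.

```python
"""Added example (not code from the linked post, the thread, or SQL Server):
a toy UDP-style request handler applying the two anti-amplification designs
described above, plus the amplification arithmetic with and without IP/UDP
headers. Addresses, secrets, timings and the wire format are constructed."""
import hashlib
import hmac
import secrets
import time

IPV4_UDP_HEADER_BYTES = 28  # 20-byte IPv4 header + 8-byte UDP header


def amplification_factor(request_payload, response_payload, header_bytes=IPV4_UDP_HEADER_BYTES):
    """Bytes the reflector puts on the wire per byte it receives. Counting
    the per-datagram headers shrinks a headline payload-only ratio a lot."""
    return (response_payload + header_bytes) / (request_payload + header_bytes)


def padded_reply(request, full_response):
    """Design 1: never send more payload than was received, so the payload
    amplification of an anonymous request can never exceed 1. A client that
    wants N bytes back has to pad its request to N bytes."""
    return full_response[:len(request)]


class CookieServer:
    """Design 2: a stateless return-routability handshake. No per-client
    state is kept; the cookie is an HMAC over the source address and a coarse
    time bucket, so only a host that actually received our reply can present
    a valid one, and a spoofed source address never triggers a large reply."""

    COOKIE_LEN = 8

    def __init__(self, secret=None, ttl_seconds=30):
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.ttl = ttl_seconds

    def _mac(self, src, bucket):
        msg = f"{src[0]}:{src[1]}:{bucket}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[: self.COOKIE_LEN]

    def make_cookie(self, src, now=None):
        now = time.time() if now is None else now
        return self._mac(src, int(now // self.ttl))

    def check_cookie(self, src, cookie, now=None):
        now = time.time() if now is None else now
        bucket = int(now // self.ttl)
        # Accept the current and the previous bucket so a cookie issued just
        # before a boundary is still usable; anything older has expired.
        return any(hmac.compare_digest(cookie, self._mac(src, b))
                   for b in (bucket, bucket - 1))

    def handle(self, src, request, full_response, now=None):
        """Return the payload to send back, or None to stay silent.
        Constructed wire format:
          b'COOKIE?' + padding       -> b'COOKIE=' + 8-byte cookie
          b'QUERY ' + 8-byte cookie  -> full_response (only if cookie valid)
        """
        if request.startswith(b"COOKIE?"):
            # The handshake reply is itself subject to Design 1: the client
            # must pad its probe to at least 15 bytes to get the whole cookie.
            return padded_reply(request, b"COOKIE=" + self.make_cookie(src, now))
        if request.startswith(b"QUERY ") and len(request) >= 6 + self.COOKIE_LEN:
            cookie = request[6:6 + self.COOKIE_LEN]
            if self.check_cookie(src, cookie, now):
                return full_response  # sender has proven it receives our replies
        # Unknown or unauthenticated request: drop silently. Even an error
        # reply would be reflectable traffic, so silence is the safe default.
        return None


if __name__ == "__main__":
    server = CookieServer()
    client = ("192.0.2.10", 40000)   # constructed client address
    big = b"X" * 440                 # constructed 440-byte response
    probe = b"COOKIE?" + b"\x00" * 8
    cookie = server.handle(client, probe, big)[len(b"COOKIE="):]
    print("payload-only factor:", amplification_factor(1, 440, header_bytes=0))
    print("with IPv4/UDP headers:", round(amplification_factor(1, 440), 2))
    print("anonymous 1-byte probe gets", len(padded_reply(b"?", big)), "byte(s) back")
    print("authenticated query gets", len(server.handle(client, b"QUERY " + cookie, big)), "bytes")
```

The two designs compose: the cookie handshake's own reply is passed through `padded_reply`, so even the handshake cannot be used as a reflector, and the only datagram that ever exceeds the request size is the one sent to an address that has echoed a cookie back. Dropping bad requests rather than answering them with an error is deliberate, since an error packet is reflectable traffic too.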

~~~
chpp
I guess we are throwing UDP out the windows altogether now? ;)

------
Lendal
Isn't this service disabled by default? I've never needed to enable it and I
install new SQL Server instances just about every week. It's my understanding
that nobody really _needs_ a live list of all SQL Server instances on a server
to be made available on the network, never mind the Internet at large.

This is one of those legacy services that Microsoft keeps around just in case
somebody wants it but it's been a long time since it had any changes or
updates. What they really need to do is have it not even included with the
product. It should be a download-only utility, for those that really, really
want this on their systems.

