Emerging Threat - Reflection Using SQL Servers

February 10, 2015  |  Garrett Gross

A new, particularly nasty, technique was discovered out in the wild this past December (2014) where the City of Columbia, Missouri came under a DoS (Denial of Service) attack. While many of the attacks were carried out using known techniques (SSDP/NTP amplification, HTTP POST, SYN flood, etc.), one technique seemed to be of a new breed. It turns out, hackers were using a well-known database function to reflect and amplify the data they were sending to their victims.

What makes this so significant is that, traditionally, an attacker would already need control of a large number of machines to successfully carry out a DoS attack. With this reflection/amplification technique, an attacker with far fewer resources under his control can still be as destructive as a conventional DoS. This means that this level of mayhem is now available to bad actors with limited resources.

Also – Its’ not going to be immediately apparent or obvious that your resources are being used in these types of attacks, unless you’re monitoring NetFlow or other tools to identify unusual network activity. Usually, these attacks come to light way too late.

What this means is that bad actors could be using your database servers to amplify their attacks.

This can result in:

  • DoS attacks that can shut down your websites, payment gateways, databases, etc., leaving your users and clients high and dry.
  • Traffic volume-based costs to go through the roof from a single DoS attack.
  • Attackers using your resources to carry out these attacks will rob your environment of resources needed to process web transactions, payments, and database access
  • Attackers using your resources to carry out these attacks will cause your IPs to get flagged by ISPs and blocked
  • If resources under your control are used in these types of attacks, your company could be inadvertently associated with criminal behavior.

USM’s built-in asset discovery allows you to identify exactly where your resources are and make sure you aren’t opening yourself up to this type of attack by exposing your SQL servers to the outside. The AlienVault USM platform also includes behavioral monitoring, leveraging Netflow and service availability analysis, that is very helpful in spotting unusual activity in your environment.

In addition, our AlienVault Labs team has already pushed out Threat Intelligence to help identify when someone is using your SQL servers as a reflection mechanism.

You can get more details on the latest USM threat intelligence updates here.

Share this with others

Featured resources



2024 Futures Report

Get price Free trial