Solved

SQLSERVER Port attacks

Posted on 2003-11-05
8
3,059 Views
Last Modified: 2013-12-04
I'm using TCPView to monitor network activity on my server (Windows Server 2000, AD, Domain controller, webserver, MSSQLServer, eEye Firewall).

Server is fully patched.

For the last 24+ hours the following activity is occurring (I've X'd out my IP):

sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:48411      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:48306      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:47590      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:47432      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:47334      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:47231      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:47131      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:47036      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:46942      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:46848      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:46753      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:46665      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45961      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45856      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45767      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45678      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45586      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45497      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45412      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45330      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:44630      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:44522      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:44439      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:44341      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:44227      TIME_WAIT      

etc.

I think someone is attacking the port being used by MSSQL.

Questions:

What is happening exactly?
How do I make it stop?
How do I prevent this IP from attacking in the future?
What does "TIME_WAIT" mean?

What I've done so far:

Tried using the disconnect function in TCPView - didn't work.
Blocked that IP in ISS - didn't work.



Question by:TMDX
8 Comments
 
LVL 8

Assisted Solution

by:ViRoy
ViRoy earned 100 total points
ID: 9688604

looks like a denial of service attack (DoS)
we can see he is trying to establish multiple connections at the same time.
if he were to succeed, he would eat all available connections of your SQL server, which means no-one else would be able to establish new connections.

do you have a firewall? if so, ban him
if not i would recommend taking preventative steps such as using an intrusion detection system (IDS).
an IDS can be configured on this server or on a stand-alone, and the IDS can be configured logically to temporarily ban someone (such as the person hitting you) after repeatedly failing or spamming.
pretty sweet... here's a free one that i would recommend - www.snort.org
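An added example, not code from this thread or from any of the tools it mentions: a small Python script that applies the kind of "ban after repeated hits" rule described above to TCPView output in the layout pasted in the question. It counts TCP sockets per remote IP against the SQL Server port and reports any remote IP over a threshold. The port, threshold, and the sample rows (built inline with documentation addresses) are assumptions; TIME_WAIT rows are counted deliberately, since TIME_WAIT is the state a socket sits in after it has already been closed, which is why TCPView's disconnect cannot touch them and why a wall of them from one IP is the trace of many short connections rather than live sessions.

```python
"""Flag remote hosts that are hammering one local port in a TCPView listing.

Added example for this thread, not code from the original post or from any
of the tools it mentions. It parses rows in the TCPView text layout shown in
the question (process:pid, protocol, local address:port, remote address:port,
state), counts sockets per remote IP against the SQL Server port, and reports
any remote IP above a threshold. The port, threshold and sample data below are
assumptions made for the example.
"""
import re
from collections import Counter, defaultdict

# One TCPView row. The remote port may be "*" for unconnected UDP sockets and
# the state column is absent for UDP, so both are optional.
LINE_RE = re.compile(
    r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


def parse_tcpview(text):
    """Return a list of dicts, one per well-formed connection row.

    Blank lines, a trailing "etc.", headers and garbled rows are skipped
    rather than raising, since the input is pasted text, not a stable API.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["lport"] = int(row["lport"])
        rows.append(row)
    return rows


def flag_floods(text, port=1433, threshold=10):
    """Map remote IP -> Counter of TCP states for every remote IP holding more
    than `threshold` TCP sockets against local `port`.

    TIME_WAIT sockets are counted too: they are already closed on our side,
    so many of them from one IP mean many short connections in a row.
    """
    per_remote = defaultdict(Counter)
    for row in parse_tcpview(text):
        if row["proto"] == "TCP" and row["lport"] == port:
            per_remote[row["raddr"]][row["state"] or "NONE"] += 1
    return {ip: states for ip, states in per_remote.items()
            if sum(states.values()) > threshold}


# Constructed sample in the page's TCPView layout. 203.0.113.7 (a documentation
# address standing in for the noisy host) opens and closes connection after
# connection to 1433; 192.0.2.10 is one ordinary client session. One row keeps
# the masked local address exactly as pasted in the question to show the parser
# tolerates it, and the blank line and "etc." mimic the paste.
SAMPLE = "\n".join(
    ["sqlservr.exe:1248      TCP      10.0.0.5:1433      203.0.113.7:%d      TIME_WAIT" % p
     for p in range(44227, 45727, 100)]  # 15 rows
    + ["sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      203.0.113.7:45800      TIME_WAIT",
       "sqlservr.exe:1248      TCP      10.0.0.5:1433      192.0.2.10:3456      ESTABLISHED",
       "sqlservr.exe:1248      UDP      10.0.0.5:1434      *:*",
       "",
       "etc."]
)

if __name__ == "__main__":
    for ip, states in flag_floods(SAMPLE).items():
        total = sum(states.values())
        print("%s: %d TCP sockets to port 1433 %s" % (ip, total, dict(states)))
```

Run it as-is and the constructed 203.0.113.7 host is reported with 16 TIME_WAIT sockets while the single ESTABLISHED client is not. On a real box you would feed it a saved TCPView or netstat -an listing taken a few times over a minute, and the IPs it returns are the ones to hand to a perimeter firewall rule; the threshold is a judgement call, since a busy legitimate application pool can also leave a few dozen TIME_WAIT entries behind.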
 
LVL 8

Expert Comment

by:ViRoy
ID: 9688657

wow i checked the IP address out and it looks to be reserved by a JAPANESE ISP!
not good there, it would be very difficult to hold an overseas party accountable.

i would maybe elevate the priority level a bit on this one :<
 

Author Comment

by:TMDX
ID: 9689516
Hi, thanks for the reply. I downloaded snort, but wasn't able to get it to work. (missing one file, go and find it, then missing another and so on).

I do have a firewall. I'm using eEye Digital Security Secure IIS firewall, which doesn't seem to support IP blocking. (Considering that it cost something like $8000 you'd think it would ???) I've sent a tech request to them today to see if it can be done. In the meantime I am blocking that IP within IIS, however this hasn't affected the activity copied above. As of right now this activity is still occurring.

I'll bump up the points on this and spread them around as appropriate.

Thanks for the help so far.

 

Author Comment

by:TMDX
ID: 9689522
*points bump*
 

Author Comment

by:TMDX
ID: 9690063
I've received a reply from eEye:

--------------------

"SecureIIS is an application firewall, specifically designed to protect IIS against known and unknown attacks.  As such, it will not protect your MSSQL install, nor does it use a port blocking configuration as standard firewalls do.  SecureIIS functions as an ISAPI filter within the IIS space, so it can intercept requests, analyze them, and block them if any part of the request is deemed invalid.

Regarding the issue reported, you will need to use a perimeter, or even a personal firewall to block the respective port being used in the dos attack.

I hope this helps.

Thank you

Signed,
eEye Digital Security Support"

----------------

Any suggestions?
 
LVL 13

Accepted Solution

by:Gnart
Gnart earned 400 total points
ID: 9690505
SQL-Slammer worm is attacking your machine on port 1433 and 1434...... see here:

http://www.cert.org/advisories/CA-2003-04.html

Modify your router or firewall to drop TCP/UDP on those ports..... problem solved.

cheers
 

Author Comment

by:TMDX
ID: 9694544
All, thanks for the help.

I applied SP3 to MSSQL and it fixed the problem.

The strange part -- I had already applied SP3 to MSSQL in January 2003. Weird.
 
LVL 8

Expert Comment

by:ViRoy
ID: 9694850
glad to hear!

sorry snort didn't work for ya.
