HIGH: Open MS-SQL Server Resolution Service Report

DESCRIPTION LAST UPDATED: 2023-12-16

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have the MS-SQL Server Resolution Service running and accessible on the Internet.

These services can expose information about the client's network on which the service is accessible, and the service itself can be used in UDP amplification attacks.

You can track MS-SQL Server Resolution Service exposure on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename(s): scan_mssql

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the MS-SQL response came on (usually UDP)
  • port
    Port that the MS-SQL response came from (usually 1434)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be mssql
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • server_name
    The ServerName field in the response — this is usually the NetBIOS name of the server
  • instance_name
    The InstanceName field in the response — this is the name of the SQL instance on the server
  • version
    Version number of the running MS-SQL / SQLExpress service
  • tcp_port
    The TCP port that you would use to connect to the MS-SQL instance
  • named_pipe
    The named pipe that the SQL server is advertising
  • response_length
    Length of the response from the MS-SQL Server Resolution Service (including packet headers)
  • amplification
    Amplification factor (this amplification is based solely on the payload size sent and payload size received)
  • sector
    Sector of the IP

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","server_name","instance_name","tcp_port","named_pipe","response_size","amplification","sector"
"2010-02-10 00:00:00",high,192.168.0.1,udp,1434,node01.example.com,mssql,14.0.1000.169,64512,ZZ,Region,City,0,ptr,EC2AMAZ-5EQ7HP5,DESA_BD,8391,,432,432.00,"Retail Trade"
"2010-02-10 00:00:01",high,192.168.0.2,udp,1434,node02.example.com,mssql,11.0.5058.0,64512,ZZ,Region,City,0,ptr,VMI928477,SQLEXPRESS,1433,"\\\\VMI928477\\pipe\\MSSQL$SQLEXPRESS\\sql\\query",324,324.00,
"2010-02-10 00:00:02",high,192.168.0.3,udp,1434,node03.example.com,mssql,11.0.2100.60,64512,ZZ,Region,City,0,ptr,WIN-TBLMEED2MVS,VINNS,1433,"\\\\WIN-TBLMEED2MVS\\pipe\\MSSQL$VINNS\\sql\\query",330,330.00,"Retail Trade"
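
A way to load this report for triage, as an added example that is not part of the original page or the report provider's tooling: it parses the sample rows above, orders them by amplification factor, and lists per IP the ports a defender would review. The function names are hypothetical, and the handling of doubled backslashes in named_pipe is an assumption about the CSV escaping.

```python
import csv
import io
from collections import defaultdict

# The three sample rows from this page, embedded verbatim so the script runs offline.
SAMPLE = r'''"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","server_name","instance_name","tcp_port","named_pipe","response_size","amplification","sector"
"2010-02-10 00:00:00",high,192.168.0.1,udp,1434,node01.example.com,mssql,14.0.1000.169,64512,ZZ,Region,City,0,ptr,EC2AMAZ-5EQ7HP5,DESA_BD,8391,,432,432.00,"Retail Trade"
"2010-02-10 00:00:01",high,192.168.0.2,udp,1434,node02.example.com,mssql,11.0.5058.0,64512,ZZ,Region,City,0,ptr,VMI928477,SQLEXPRESS,1433,"\\\\VMI928477\\pipe\\MSSQL$SQLEXPRESS\\sql\\query",324,324.00,
"2010-02-10 00:00:02",high,192.168.0.3,udp,1434,node03.example.com,mssql,11.0.2100.60,64512,ZZ,Region,City,0,ptr,WIN-TBLMEED2MVS,VINNS,1433,"\\\\WIN-TBLMEED2MVS\\pipe\\MSSQL$VINNS\\sql\\query",330,330.00,"Retail Trade"
'''

def load_report(text):
    """Parse a scan_mssql CSV into typed dicts, one per reported instance."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        # The field list says response_length, the sample header response_size: accept either.
        size = rec.get("response_size") or rec.get("response_length") or "0"
        rows.append({
            "ip": rec["ip"], "asn": int(rec["asn"]),
            "protocol": rec["protocol"], "port": int(rec["port"]),
            "server_name": rec["server_name"], "instance_name": rec["instance_name"],
            "version": rec["version"],
            "tcp_port": int(rec["tcp_port"]) if rec["tcp_port"] else None,
            # Assumption: backslashes in named_pipe are escape-doubled in the CSV.
            "named_pipe": rec["named_pipe"].replace("\\\\", "\\") or None,
            "response_size": int(size),
            "amplification": float(rec["amplification"]),
        })
    return rows

def ports_to_review(rows):
    """Per IP: the port that answered the probe plus any TCP port the response advertised."""
    work = defaultdict(set)
    for r in rows:
        work[r["ip"]].add((r["protocol"], r["port"]))
        if r["tcp_port"] is not None:
            work[r["ip"]].add(("tcp", r["tcp_port"]))
    return {ip: sorted(ports) for ip, ports in work.items()}

def by_amplification(rows):
    """Order rows by amplification factor, largest first."""
    return sorted(rows, key=lambda r: r["amplification"], reverse=True)

if __name__ == "__main__":
    rows = load_report(SAMPLE)
    for r in by_amplification(rows):
        print(r["ip"], r["server_name"], r["instance_name"], r["version"], r["amplification"])
    print(ports_to_review(rows))
```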
