Why is China all up in my SQL server? Presented at BSides Las Vegas 2017

by Andrew Brandt

Summary: Starting early in 2017, the honeypots I run in my lab began to receive a strangely large volume of inbound SQL connections from all over Asia, but mainly from China. Fortunately, I am recording the traffic of virtually everything that hits my dirty network, and discovered that the attacks appear to be automated, run at high volumes, and engage in a sophisticated and complex attempt to break into Microsoft SQL Server. In this presentation, I will provide a full walkthrough of the attack, detailing the methods in use and countermeasures you can employ to protect your server. I'll also provide historical and reputational context about the attackers' originating IP addresses and the other dirty stuff coming from those addresses. And let me tell you, it's pretty dirty.