TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... In December of 2007, Microsoft released seven security bulletins which fixed 11 new security vulnerabilities. TippingPoint and ZDI were credited with discovering a total of four of those vulnerabilities.

ThreatLinQ: Spotlight on Filter 1401 (MS-SQL: Login Failure)

One of the cool things about the new ThreatLinQ tool is that we get to see TippingPoint filters which have been shipping for years still protecting customers.

Today, I'd like to point out one of those filters in particular.

Filter 1401 - MS-SQL: Login Failure

This filter does not ship enabled by default (generally speaking, login failures are entirely non-malicious), but if configured properly, this filter can be very useful for blocking brute force attacks.

To illustrate how filter 1401 might be used on your network, let's take a look at the graph for this filter taken from ThreatLinQ.  As you can see below, there are two major events which occurred in the last 2 weeks: one on August 8th and another on August 14th.  On both occasions we see a small number of attackers attempting to log on several thousand times to a small number of target MS-SQL servers on the internet.



By further drilling down into the ThreatLinQ tool, it is obvious that both of these events were caused by a single attacker. And while an occasional MS-SQL login failure may be normal on your network, several thousand originating from a single host is almost certainly not.

Now, I'll be the first to admit that 'brute force login attacks' are old news.  However, it's important to point out that these attacks still occur all the time, and they are still often successful.

Thankfully, with the 'quarantine' feature of the TippingPoint IPS, it is easy to set up a rule which will let the occasional login failures generated by your users pass by, while blocking attackers who generate hundreds of these failures per second.

To do this, here are some rough instructions on how to set up such a rule for Filter 1401 on a TippingPoint IPS (please consult your documentation on how to do this via a TippingPoint SMS).  As always, please make sure to test any changes before implementing them in production.

  • Start by logging onto the IPS as an administrator.
  • Expand the 'IPS' tab on the left nav bar.
  • Click 'Action Sets' -> 'Create Action Set'.
  • You should now see the 'Create Action Set' screen.
  • Type in the name for this new action set in the 'Action Set Name' field.
  • Now click the 'Block' radio button and select 'Quarantine'.
  • Scroll down until you see the 'Thresholds' section.
  • Choose values that you would consider an unreasonable number of failed login attempts.  For this example, a value of 60 per minute should be good, but you should tailor these numbers to your environment.
  • Now select 'Create'.
  • Now we simply need to assign filter 1401 to the new action set we just created.
  • Click 'Security Profiles' on the left nav bar.
  • Select the security profile you wish to change (the default profile is called 'Default Security Profile').
  • Select 'Search Filters' and do a search for filter 1401.
  • Click on Filter 1401 and change the 'Action/State' for the filter to use the action set you just created.
  • Click on 'Apply'.

And that's it!  You are now protected against most MS-SQL brute force attacks on your network.  Easy huh?
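To show what the threshold in that action set actually decides, here is an added example (not TippingPoint code): a per-source sliding-window counter run over constructed MS-SQL login-failure log lines, flagging any client that crosses 60 failures within one minute. The line format, addresses and user names are made up for the sample; a real SQL Server errorlog wraps the same information differently.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 60                 # failures per minute, the value used in the post
WINDOW = timedelta(minutes=1)
# Constructed, simplified line format (not a verbatim SQL Server errorlog line).
LINE_RE = re.compile(r"^(\S+ \S+) Login failed for user '([^']*)'\. \[CLIENT: ([\d.]+)\]$")

def build_sample_log():
    """Constructed sample data: one noisy host and one ordinary user."""
    base = datetime(2008, 8, 14, 10, 0, 0)
    lines = []
    # Hypothetical attacker: two 'sa' failures per second for 40 seconds (80 total).
    for i in range(80):
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} Login failed for user 'sa'. [CLIENT: 203.0.113.9]")
    # Ordinary user mistyping a password three times over ten minutes.
    for minute in (1, 4, 9):
        ts = base + timedelta(minutes=minute)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} Login failed for user 'alice'. [CLIENT: 198.51.100.7]")
    return lines

def parse_line(line):
    """Return (timestamp, user, client_ip), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def find_brute_forcers(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failures per client IP; returns {ip: time the threshold was crossed}."""
    recent = defaultdict(deque)   # client IP -> timestamps of failures still inside the window
    flagged = {}
    for ts, _user, client in sorted(filter(None, map(parse_line, lines))):
        q = recent[client]
        q.append(ts)
        while ts - q[0] >= window:     # expire failures older than one minute
            q.popleft()
        if len(q) >= threshold and client not in flagged:
            flagged[client] = ts       # the point at which the IPS would quarantine the host
    return flagged

if __name__ == "__main__":
    for ip, when in find_brute_forcers(build_sample_log()).items():
        print(f"{ip} exceeded {THRESHOLD} failed logins/min at {when:%H:%M:%S}")
```

Lowering the threshold to 3 still leaves the ordinary user unflagged, because her three failures never fall inside the same one-minute window; that is the property the per-minute setting in the action set relies on.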

Published On: 2008-08-19 21:34:47