Blog Post

Azure Database Support Blog
2 MIN READ

Connections rejected by DoSGuard (error 18456 state 113)

Thamires_Lemes's avatar
Mar 22, 2023

A Denial of service (DoS) attack attempts to exhaust an application's resources, making the application unavailable to legitimate users and can be targeted at any endpoint that is publicly reachable through the internet.

 

DoS attacks are reduced by a SQL Database gateway service called DoSGuard.

 

If there are multiple applications connecting to an Azure SQL Database from the same source IP and one of them is misconfigured and causing multiple connections failures due to wrong credentials, DoSGuard will be triggered and block connections from the IP for a pre-defined time period and this will cause the connections from that IP to fail with error 18456 state 113, regardless of the application that is using the IP.

 

DosGuard cannot be disabled.

 

When troubleshooting, we should investigate what is causing the multiple connection failures that are triggering DoSGuard. However, in some cases, there is a need to recover the service fast and it might be useful to avoid DoSGuard rejecting connections from certain IPs.

 

DoSGuard will not be triggered in the following scenarios:

 

  • For public IPs that are explicitly allowed in the firewall.

 

If you are explicitly allowing a public IP in the firewall, it means you trust the connections from that IP. It must be the full IP. Using an IP range to allow the connection will not prevent DoSGuard from blocking an IP within the range.

 

 

  • When using service endpoint, for private IPs that are in subnets for which you created a VNet firewall rule.

 

The private IPs might be able to connect if you have the correct credentials and the exception " Allow Azure services and resources to access this server". However, only by creating an explicit rule for that subnet will prevent DoSGuard from blocking the IP if there are multiple attempts to connect with wrong credentials.

 

 

If you are connecting using a private endpoint, it will not validate firewall rules and you cannot prevent DoSGuard from blocking connections from an IP that attempts to connect multiple times with wrong credentials.

 

References:

https://learn.microsoft.com/en-us/azure/security/fundamentals/infrastructure-sql#dosguard

 

Updated Mar 22, 2023
Version 2.0
No CommentsBe the first to comment