Connections rejected by DoSGuard (error 18456 state 113)
Published Mar 22 2023 08:31 AM
Microsoft

A denial of service (DoS) attack attempts to exhaust an application's resources so that the application becomes unavailable to legitimate users. Any endpoint that is publicly reachable over the internet can be targeted.

DoS attacks against Azure SQL Database are mitigated by a gateway service called DoSGuard.

If several applications connect to an Azure SQL Database from the same source IP and one of them is misconfigured and repeatedly fails to authenticate because of wrong credentials, DoSGuard is triggered and blocks connections from that IP for a predefined period. During that period every connection from the IP fails with error 18456 state 113, regardless of which application opened it.


DoSGuard cannot be disabled.


When troubleshooting, the first step is to find out what is causing the repeated connection failures that trigger DoSGuard. In some cases, however, the service needs to be restored quickly, and it can be useful to prevent DoSGuard from rejecting connections from specific IPs.

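Because DoSGuard blocks per source IP, the audit data has to be grouped by client IP first and only then broken down by application and login, otherwise a healthy application that shares the IP looks just as guilty as the misconfigured one. The following is an added example (not code from the original post or from Microsoft) that does this triage over constructed audit records; the field names used (event_time, client_ip, application_name, server_principal_name, action_name, succeeded) are loosely modelled on Azure SQL auditing output and are an assumption, so map them to whatever your audit sink actually emits.

```python
"""Find which application behind a shared source IP is tripping DoSGuard.

Added example, not code from the original post or from Microsoft. The records
below are constructed; their field names are loosely modelled on Azure SQL
auditing output and are an assumption.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _failed(ip, app, principal, t):
    return {"event_time": t, "client_ip": ip, "application_name": app,
            "server_principal_name": principal, "succeeded": False,
            "action_name": "DATABASE AUTHENTICATION FAILED"}


# Constructed sample: two applications share NAT IP 203.0.113.10.
# "billing-batch" has a stale password and retries every few seconds;
# "web-frontend" is healthy apart from one stray failure.
SAMPLE_AUDIT = [
    _failed("203.0.113.10", "billing-batch", "billing_svc", "2023-03-22T08:00:01"),
    _failed("203.0.113.10", "billing-batch", "billing_svc", "2023-03-22T08:00:07"),
    {"event_time": "2023-03-22T08:00:10", "client_ip": "203.0.113.10",
     "application_name": "web-frontend", "server_principal_name": "web_svc",
     "succeeded": True, "action_name": "DATABASE AUTHENTICATION SUCCEEDED"},
    _failed("203.0.113.10", "billing-batch", "billing_svc", "2023-03-22T08:00:13"),
    _failed("203.0.113.10", "billing-batch", "billing_svc", "2023-03-22T08:00:19"),
    _failed("203.0.113.10", "billing-batch", "billing_svc", "2023-03-22T08:00:25"),
    _failed("203.0.113.10", "billing-batch", "billing_svc", "2023-03-22T08:00:31"),
    _failed("203.0.113.10", "web-frontend", "web_svc", "2023-03-22T08:01:00"),
    _failed("198.51.100.7", "reporting", "report_ro", "2023-03-22T08:00:05"),
]


def noisy_sources(records, window=timedelta(minutes=5), threshold=5):
    """Return, for every client IP whose failed logins reach `threshold`
    inside some `window`, the peak failure count plus a breakdown by
    application and by login. The key is the client IP, not the application,
    because that is the granularity at which DoSGuard blocks."""
    failures = defaultdict(list)
    for rec in records:
        if not rec["succeeded"]:
            failures[rec["client_ip"]].append(rec)

    report = {}
    for ip, recs in failures.items():
        recs.sort(key=lambda r: r["event_time"])
        times = [datetime.fromisoformat(r["event_time"]) for r in recs]
        peak = start = 0
        for end in range(len(times)):  # sliding window over the sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            report[ip] = {
                "peak_failures_in_window": peak,
                "by_app": Counter(r["application_name"] for r in recs),
                "by_principal": Counter(r["server_principal_name"] for r in recs),
            }
    return report


def likely_culprit(entry):
    """Application responsible for most of the failures behind one IP."""
    return entry["by_app"].most_common(1)[0][0]


if __name__ == "__main__":
    for ip, entry in noisy_sources(SAMPLE_AUDIT).items():
        print(f"{ip}: {entry['peak_failures_in_window']} failed logins in one window; "
              f"fix '{likely_culprit(entry)}' (logins: {dict(entry['by_principal'])})")
```

The window and threshold are tunable knobs for your own triage, not DoSGuard's internal limits, which the post does not publish; the point of the sliding window is to surface the burst that a per-day total would hide.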

DoSGuard will not be triggered in the following scenarios:

  • For public IPs that are explicitly allowed in the server firewall.

Explicitly allowing a public IP in the firewall means you trust connections from that IP. The rule must specify the full IP address (start IP and end IP identical). A rule that allows a range does not prevent DoSGuard from blocking an individual IP inside that range.


  • When using a service endpoint, for private IPs in subnets for which you created a virtual network firewall rule.

Private IPs may already be able to connect with correct credentials through the "Allow Azure services and resources to access this server" exception, but only an explicit rule for that subnet prevents DoSGuard from blocking the IP when there are repeated attempts with wrong credentials.


If you connect through a private endpoint, firewall rules are not evaluated, so there is no way to prevent DoSGuard from blocking connections from an IP that repeatedly attempts to connect with wrong credentials.

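The three cases above (explicit single-IP rule, virtual network rule for a service-endpoint subnet, private endpoint) are easy to get wrong in a rule set that mixes ranges and single hosts. The following is an added example, not code from the original post or from Microsoft, that checks a source against those rules exactly as the post states them: a server-level rule exempts only when it is that single IP (start IP == end IP), a virtual network rule exempts only service-endpoint traffic from its subnet, and private-endpoint traffic is never exempt. The classes, function names and the sample rule set are assumptions made for this example; the az CLI flags rendered by az_create_command are the real ones, with placeholder resource names.

```python
"""Check whether a source is covered by one of the DoSGuard exemptions above.

Added example, not code from the original post or from Microsoft. Classes,
function names and the sample rules are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FirewallRule:
    """Server-level firewall rule: an inclusive start..end IPv4 range."""
    name: str
    start_ip: str
    end_ip: str

    def is_single_host(self):
        return ip_address(self.start_ip) == ip_address(self.end_ip)

    def covers(self, ip):
        return ip_address(self.start_ip) <= ip_address(ip) <= ip_address(self.end_ip)


@dataclass(frozen=True)
class VnetRule:
    """Virtual network rule for a subnet that has a Microsoft.Sql service endpoint."""
    name: str
    subnet_prefix: str
    subnet_name: str

    def covers(self, ip):
        return ip_address(ip) in ip_network(self.subnet_prefix)


def dosguard_exempt(source_ip, path, fw_rules, vnet_rules):
    """path is 'public', 'service_endpoint' or 'private_endpoint'.
    Returns (exempt, reason) following the rules stated in the post."""
    if path == "private_endpoint":
        return False, "private endpoint: firewall rules are not evaluated, no exemption possible"
    if path == "public":
        exact = [r for r in fw_rules if r.is_single_host() and r.covers(source_ip)]
        if exact:
            return True, f"explicit single-IP rule '{exact[0].name}'"
        ranged = [r for r in fw_rules if r.covers(source_ip)]
        if ranged:
            return False, f"only covered by range rule '{ranged[0].name}'; a range does not exempt"
        return False, "no server firewall rule allows this IP"
    if path == "service_endpoint":
        for r in vnet_rules:
            if r.covers(source_ip):
                return True, f"VNet rule '{r.name}' for subnet {r.subnet_prefix}"
        return False, ("no VNet rule for the source subnet; 'Allow Azure services' "
                       "may let it connect but does not exempt it")
    raise ValueError(f"unknown connection path {path!r}")


def az_create_command(rule, resource_group="<rg>", server="<server>", vnet="<vnet>"):
    """Azure CLI command that would create the rule. The flags are the real
    az ones; resource group, server and VNet names are placeholders."""
    if isinstance(rule, FirewallRule):
        return (f"az sql server firewall-rule create -g {resource_group} -s {server} "
                f"-n {rule.name} --start-ip-address {rule.start_ip} "
                f"--end-ip-address {rule.end_ip}")
    return (f"az sql server vnet-rule create -g {resource_group} -s {server} "
            f"-n {rule.name} --vnet-name {vnet} --subnet {rule.subnet_name}")


# Constructed sample rule set: one single-host rule, one range, one VNet rule.
SAMPLE_FW_RULES = [
    FirewallRule("office-nat", "203.0.113.10", "203.0.113.10"),
    FirewallRule("partner-range", "198.51.100.0", "198.51.100.255"),
]
SAMPLE_VNET_RULES = [VnetRule("app-subnet", "10.1.2.0/24", "app-subnet")]


if __name__ == "__main__":
    checks = [("203.0.113.10", "public"), ("198.51.100.7", "public"),
              ("10.1.2.5", "service_endpoint"), ("10.1.3.5", "service_endpoint"),
              ("10.1.2.5", "private_endpoint")]
    for ip, path in checks:
        exempt, why = dosguard_exempt(ip, path, SAMPLE_FW_RULES, SAMPLE_VNET_RULES)
        print(f"{ip:14} {path:17} exempt={exempt!s:5} {why}")
    for rule in SAMPLE_FW_RULES + SAMPLE_VNET_RULES:
        print(az_create_command(rule))
```

The "partner-range" rule is the trap the post warns about: 198.51.100.7 can connect through it, yet a burst of bad credentials from that address still gets it blocked. Converting it into one single-host rule per trusted address is what turns a connectivity allowance into a DoSGuard exemption.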

References:

https://learn.microsoft.com/en-us/azure/security/fundamentals/infrastructure-sql#dosguard

Last update: Mar 22 2023 08:35 AM