

Too many TIME_WAIT connections.

Posted on 2004-08-07
Medium Priority
Last Modified: 2010-05-18
Hello Experts,

         I am looking after a Win 2000 server with an MS SQL 2000 DB. Recently, all of a sudden, the bandwidth utilization of the server skyrocketed. Upon running TCPView I got the result given below:

sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:7322      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15189      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15359      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15525      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:16931      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18317      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18480      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18651      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:20393      TIME_WAIT
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49885      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49756      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.center7.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49581      TIME_WAIT      

This is just a few lines of the result; there are hundreds of entries like these. I know that getting TIME_WAIT is quite normal and usually these connections get dropped after some time, but I have been getting these results for more than a week now. At first I thought this was the Slammer worm, but I have Service Pack 3 of SQL installed, so I believe it makes me immune to this worm. Just to be sure, I checked with the Symantec Slammer fix tool but did not find anything. Can somebody help me with this?

Thanks in Advance
Question by:anilmane
LVL 15

Expert Comment

ID: 11742533
I suspect you have some virus/worm/trojan other than Slammer. All those port numbers from algx.net definitely look like port scanning, and it doesn't appear to be a conventional web site. theplanet.com is a web hosting site, and the traffic from reverse.theplanet.com may mean that their server has gotten a lot of traffic from your server, and they're trying to do a reverse lookup on your IP address.
LVL 15

Expert Comment

ID: 11742541
Well, my idea that reverse.theplanet.com is doing reverse lookups is a dumb idea; I was thinking of firewall logs that look like that, not SQL Server connections.

If this database is behind a web server, it may be the target of one or more attacks (or efforts to probe for weaknesses), rather than having a virus/worm/trojan on your server.

Author Comment

ID: 11742551
Thanks for the quick reply,

        Yes, I think it's some kind of worm, but I have scanned this server with Symantec and some other online scan, to no avail. algx.net and theplanet.com are not the only sites for which I am getting this; there are also hundreds of connections from jaazsoftware.com, which is also not a valid site. Is there any way I can stop this?

LVL 15

Accepted Solution

jdlambert1 earned 750 total points
ID: 11742680
If it were a distributed-denial-of-service attack, I'd expect a whole lot more than hundreds of connections. Nevertheless, with all those port numbers being probed on your SQL Server, it appears that your firewall isn't properly configured. How it should be configured depends on how you're using SQL Server: is it serving a web server, corporate services, or both? Do connections need to be made to it from outside your network?

Expert Comment

ID: 11743085
Why is your server accepting connections from the Internet? You need a firewall - and quick!

If you have a router that you manage, get it to deny all ports except the ones you need to leave open. If it's a webserver, that will usually just be port 80 and possibly 443. There's normally no need for any of the SQL to be exposed to the Internet.

If you don't have a router that you can manage, at least use some of the filtering in the network connection's TCP/IP properties.
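
The triage the thread works through by eye, as an added example (not part of the original thread or any participant's post): a Python parser for TCPView-style lines that counts connections to the local SQL Server port per remote host and separates hosts on an allow-list from everything else. The sample lines, host names and the `allowed_suffixes` allow-list are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the TCPView column layout shown in the question
# (process:pid, protocol, local host:port, remote host:port, state).
SAMPLE = """\
sqlservr.exe:772  TCP  db.example.test:ms-sql-s  host-a.example.net:7322   TIME_WAIT
sqlservr.exe:772  TCP  db.example.test:ms-sql-s  host-a.example.net:15189  TIME_WAIT
sqlservr.exe:772  TCP  db.example.test:ms-sql-s  host-a.example.net:15359  TIME_WAIT
sqlservr.exe:772  TCP  db.example.test:ms-sql-s  host-b.example.org:49885  TIME_WAIT
sqlservr.exe:772  TCP  db.example.test:ms-sql-s  app01.corp.example:1045   ESTABLISHED
inetinfo.exe:900  TCP  db.example.test:http      host-c.example.com:3011   TIME_WAIT
"""

LINE = re.compile(
    r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<lhost>\S+):(?P<lport>[^\s:]+)\s+"
    r"(?P<rhost>\S+):(?P<rport>[^\s:]+)\s+(?P<state>\S+)\s*$"
)
SQL_PORTS = {"ms-sql-s", "1433"}  # TCPView shows the service name or the number

def parse(text):
    """Yield one dict per well-formed TCPView line; skip anything else."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def sql_clients(text, allowed_suffixes=()):
    """Count connections to the local SQL port per remote host.

    allowed_suffixes is a hypothetical allow-list of host-name suffixes that
    are expected to reach SQL Server (for example internal app servers).
    Returns (expected, unexpected) as two Counters keyed by remote host.
    """
    expected, unexpected = Counter(), Counter()
    for c in parse(text):
        if c["lport"].lower() not in SQL_PORTS:
            continue  # not a connection to SQL Server
        known = c["rhost"].lower().endswith(tuple(allowed_suffixes))
        (expected if known else unexpected)[c["rhost"]] += 1
    return expected, unexpected

if __name__ == "__main__":
    ok, bad = sql_clients(SAMPLE, allowed_suffixes=(".corp.example",))
    for host, n in bad.most_common():
        print(f"{n:4d}  {host}  (not on allow-list: review firewall rules)")
```

Any host in the second counter is reaching the SQL port from outside the expected set, which is the exposure the firewall advice above is meant to close.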
