Solved

Too many TIME_WAIT connections.

Posted on 2004-08-07
Last Modified: 2010-05-18
Hello Experts,

I am looking after a Win 2000 server with an MS SQL 2000 DB. Recently, all of a sudden, the bandwidth utilization of the server skyrocketed. Upon running TCPView I got the result given below:

sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:7322      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15189      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15359      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15525      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:16931      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18317      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18480      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18651      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:20393      TIME_WAIT
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49885      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49756      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.center7.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49581      TIME_WAIT      


This is just a few lines of the result. There are hundreds of entries like these. I know that getting TIME_WAIT is quite normal and usually these connections get dropped after some time, but I have been getting these results for more than a week now. At first I thought this was the Slammer worm, but I have Service Pack 3 of SQL installed, so I believe it makes me immune to this worm. Just to be sure, I checked with the Symantec Slammer fix tool but did not find anything. Can somebody help me with this?

Thanks in Advance
Question by:anilmane
5 Comments
 
LVL 15

Expert Comment

by:jdlambert1
ID: 11742533
I suspect you have some virus/worm/trojan other than Slammer. All those port numbers from algx.net definitely look like port scanning, and it doesn't appear to be a conventional web site. theplanet.com is a web hosting site, and the traffic from reverse.theplanet.com may mean that their server has gotten a lot of traffic from your server, and they're trying to do a reverse lookup on your IP address.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 11742541
Well, my idea that reverse.theplanet.com is doing reverse lookups is a dumb idea; I was thinking of firewall logs that look like that, not SQL Server connections.

If this database is behind a web server, it may be the target of one or more attacks (or efforts to probe for weaknesses), rather than having a virus/worm/trojan on your server.
0
 
LVL 2

Author Comment

by:anilmane
ID: 11742551
Thanks for the quick reply,

Yes, I think it's some kind of worm, but I have scanned this server with Symantec and some other online scan, but to no avail. algx.net and theplanet.com are not the only sites for which I am getting this; there are also hundreds of connections from jaazsoftware.com, which is also not a valid site. Is there any way I can stop this?

0
 
LVL 15

Accepted Solution

by:
jdlambert1 earned 250 total points
ID: 11742680
If it were a distributed-denial-of-service attack, I'd expect a whole lot more than hundreds of connections. Nevertheless, with all those port numbers being probed on your SQL Server, it appears that your firewall isn't properly configured. How it should be configured depends on how you're using SQL Server: is it serving a web server, corporate services, or both? Do connections need to be made to it from outside your network?
0
 
LVL 9

Expert Comment

by:crescendo
ID: 11743085
Why is your server accepting connections from the Internet? You need a firewall - and quick!

If you have a router that you manage, get it to deny all ports except the ones you need to leave open. If it's a webserver, that will usually just be port 80 and possibly 443. There's normally no need for any of the SQL to be exposed to the Internet.

If you don't have a router that you can manage, at least use some of the filtering in the network connection's TCP/IP properties.
0
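
Added example, not part of the original thread: a Python script that reads saved TCPView text in the layout quoted in the question and counts which remote hosts reached the SQL Server listener without being on an allowlist, which is the set a deny-by-default firewall rule should reduce to nothing. The host names, the allowlist and the sample rows are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the TCPView layout quoted in the question:
# process:pid, protocol, local host:port, remote host:port, state.
SAMPLE = """\
sqlservr.exe:772   TCP   db1.example.test:ms-sql-s   scan-a.example.net:7322    TIME_WAIT
sqlservr.exe:772   TCP   db1.example.test:ms-sql-s   scan-a.example.net:15189   TIME_WAIT
sqlservr.exe:772   TCP   db1.example.test:ms-sql-s   scan-a.example.net:15359   TIME_WAIT
sqlservr.exe:772   TCP   db1.example.test:ms-sql-s   host-b.example.org:49885   TIME_WAIT
sqlservr.exe:772   TCP   db1.example.test:ms-sql-s   web1.example.test:3311     ESTABLISHED
inetinfo.exe:980   TCP   db1.example.test:http       client.example.com:4120    TIME_WAIT
"""

ROW = re.compile(
    r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+):(?P<lport>[\w-]+)\s+"
    r"(?P<remote>\S+):(?P<rport>[\w-]+)\s+(?P<state>[A-Z_0-9]+)\s*$"
)
SQL_PORTS = {"ms-sql-s", "1433"}  # TCPView shows the service name or the number


def parse_rows(text):
    """Return one dict per well-formed TCPView line; skip anything else."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ROW.match(line.strip()))]


def unexpected_sql_peers(rows, allowed_hosts):
    """Count connections per remote host that reached the SQL listener
    and are not on the allowlist of hosts that should talk to it."""
    hits = Counter()
    for r in rows:
        remote = r["remote"].lower()
        if r["lport"] in SQL_PORTS and remote not in allowed_hosts:
            hits[remote] += 1
    return hits


if __name__ == "__main__":
    # Hypothetical allowlist: only the web server should reach the database.
    peers = unexpected_sql_peers(parse_rows(SAMPLE), {"web1.example.test"})
    for host, n in peers.most_common():
        print(f"{n:4d}  {host}")
```

A socket only enters TIME_WAIT after a connection was established and closed, so every host counted here was able to complete a TCP handshake with the SQL port.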
