Solved

Too many TIME_WAIT connections.

Posted on 2004-08-07
Last Modified: 2010-05-18
Hello Experts,

I am looking after a Win 2000 server with an MS SQL 2000 DB. Recently, all of a sudden, bandwidth utilization of the server skyrocketed. Upon running TCPView I got the result given below:

sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:7322      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15189      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15359      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15525      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:16931      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18317      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18480      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18651      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:20393      TIME_WAIT
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49885      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49756      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.center7.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49581      TIME_WAIT      


This is just a few lines of the result; there are hundreds of entries like these. I know that getting TIME_WAIT is quite normal and usually these connections get dropped after some time, but I have been getting these results for more than a week now. At first I thought this was the Slammer worm, but I have Service Pack 3 of SQL installed, so I believe it makes me immune to this worm. Just to be sure, I checked with the Symantec Slammer fix tool but did not find anything. Can somebody help me with this?

Thanks in Advance
Question by:anilmane
5 Comments
 

Expert Comment

by:jdlambert1
ID: 11742533
I suspect you have some virus/worm/trojan other than Slammer. All those port numbers from algx.net definitely look like port scanning, and it doesn't appear to be a conventional web site. theplanet.com is a web hosting site, and the traffic from reverse.theplanet.com may mean that their server has gotten a lot of traffic from your server, and they're trying to do a reverse lookup on your IP address.

Expert Comment

by:jdlambert1
ID: 11742541
Well, my idea that reverse.theplanet.com is doing reverse lookups is a dumb idea; I was thinking of firewall logs that look like that, not SQL Server connections.

If this database is behind a web server, it may be the target of one or more attacks (or efforts to probe for weaknesses), rather than having a virus/worm/trojan on your server.

Author Comment

by:anilmane
ID: 11742551
Thanks for the quick reply,

Yes, I think it's some kind of worm, but I have scanned this server with Symantec and some other online scans, to no avail. algx.net and theplanet.com are not the only sites for which I am getting this; there are also hundreds of connections from jaazsoftware.com, which is also not a valid site. Is there any way I can stop this?


Accepted Solution

by:
jdlambert1 earned 250 total points
ID: 11742680
If it were a distributed-denial-of-service attack, I'd expect a whole lot more than hundreds of connections. Nevertheless, with all those port numbers being probed on your SQL Server, it appears that your firewall isn't properly configured. How it should be configured depends on how you're using SQL Server: is it serving a web server, corporate services, or both? Do connections need to be made to it from outside your network?

Expert Comment

by:crescendo
ID: 11743085
Why is your server accepting connections from the Internet? You need a firewall - and quick!

If you have a router that you manage, get it to deny all ports except the ones you need to leave open. If it's a webserver, that will usually just be port 80 and possibly 443. There's normally no need for any of the SQL to be exposed to the Internet.

If you don't have a router that you can manage, at least use some of the filtering in the network connection's TCP/IP properties.
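The TCPView listing in the question can be summarised per remote host to see who is reaching the SQL Server port and in which connection states. This is an added example, not part of the original thread; the function names, the `.corp.example` allow-list suffix and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# TCPView text layout as shown in the question:
# process:pid  proto  local:port  remote:port  state
LINE_RE = re.compile(
    r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+):(?P<lport>[^\s:]+)\s+"
    r"(?P<remote>\S+):(?P<rport>[^\s:]+)\s+(?P<state>[A-Z_0-9]+)\s*$"
)
SQL_PORTS = {"ms-sql-s", "1433"}  # service name TCPView prints, or the port number

# First five lines are from the question's listing; the last two are constructed.
SAMPLE = """\
sqlservr.exe:772   TCP   x.x.x.x.com:ms-sql-s   ip64-48-99-178.z99-48-64.customer.algx.net:7322    TIME_WAIT
sqlservr.exe:772   TCP   x.x.x.x.com:ms-sql-s   ip64-48-99-178.z99-48-64.customer.algx.net:15189   TIME_WAIT
sqlservr.exe:772   TCP   x.x.x.x.com:ms-sql-s   ip64-48-99-178.z99-48-64.customer.algx.net:15359   TIME_WAIT
sqlservr.exe:772   TCP   x.x.x.x.com:ms-sql-s   162.69-93-76.reverse.theplanet.com:49885   TIME_WAIT
sqlservr.exe:772   TCP   x.x.x.x.com:ms-sql-s   162.69-93-76.reverse.theplanet.com:49756   TIME_WAIT
sqlservr.exe:772   TCP   x.x.x.x.com:ms-sql-s   web01.corp.example:3051   ESTABLISHED
inetinfo.exe:1020  TCP   x.x.x.x.com:http       client.example.net:4410   ESTABLISHED
"""

def sql_peers(text):
    """Map remote host -> Counter of states for connections to the local SQL port."""
    peers = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["lport"].lower() in SQL_PORTS:
            peers[m["remote"]][m["state"]] += 1
    return peers

def unexpected_peers(text, allowed_suffixes):
    """Remote hosts on the SQL port that are not on the allow list, busiest first."""
    rows = [
        (host, sum(states.values()), dict(states))
        for host, states in sql_peers(text).items()
        if not host.lower().endswith(tuple(allowed_suffixes))
    ]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for host, total, states in unexpected_peers(SAMPLE, [".corp.example"]):
        print(f"{total:4d}  {host}  {states}")
```

Remote names in this output come from reverse DNS, which the remote party controls, so an allow list is more trustworthy when matched against numeric addresses.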