Too many TIME_WAIT connections.

Posted on 2004-08-07
Medium Priority
Last Modified: 2010-05-18
Hello Experts,

I am looking after a Win 2000 server with an MS SQL 2000 DB. Recently, all of a sudden, the bandwidth utilization of the server skyrocketed. Upon running TCPView I got the result given below:

sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:7322      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15189      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15359      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15525      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:16931      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18317      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18480      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18651      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:20393      TIME_WAIT
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49885      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49756      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.center7.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49581      TIME_WAIT      

This is just a few lines of the result. There are hundreds of entries like these. I know that getting TIME_WAIT is quite normal and usually these connections get dropped after some time, but I have been getting these results for more than a week now. At first I thought this was the Slammer worm, but I have Service Pack 3 of SQL installed, so I believe it makes me immune to this worm. Just to be sure, I checked with the Symantec Slammer fix tool but did not find anything. Can somebody help me with this?

Thanks in Advance
Question by:anilmane
LVL 15

Expert Comment

ID: 11742533
I suspect you have some virus/worm/trojan other than Slammer. All those port numbers from algx.net definitely look like port scanning, and it doesn't appear to be a conventional web site. theplanet.com is a web hosting site, and the traffic from reverse.theplanet.com may mean that their server has gotten a lot of traffic from your server, and they're trying to do a reverse lookup on your IP address.
LVL 15

Expert Comment

ID: 11742541
Well, my idea that reverse.theplanet.com is doing reverse lookups is a dumb idea, I was thinking of firewall logs that look like that, not SQL Server connections.

If this database is behind a web server, it may be the target of one or more attacks (or efforts to probe for weaknesses), rather than having a virus/worm/trojan on your server.

Author Comment

ID: 11742551
Thanks for the quick reply,

Yes, I think it's some kind of worm, but I have scanned this server with Symantec and some other online scan, but to no avail. algx.net and theplanet.com are not the only sites for which I am getting this; there are also hundreds of connections from jaazsoftware.com, which is also not a valid site. Is there any way I can stop this?

LVL 15

Accepted Solution

jdlambert1 earned 750 total points
ID: 11742680
If it were a distributed-denial-of-service attack, I'd expect a whole lot more than hundreds of connections. Nevertheless, with all those port numbers being probed on your SQL Server, it appears that your firewall isn't properly configured. How it should be configured depends on how you're using SQL Server: is it serving a web server, corporate services, or both? Do connections need to be made to it from outside your network?

Expert Comment

ID: 11743085
Why is your server accepting connections from the Internet? You need a firewall - and quick!

If you have a router that you manage, get it to deny all ports except the ones you need to leave open. If it's a webserver, that will usually just be port 80 and possibly 443. There's normally no need for any of the SQL to be exposed to the Internet.

If you don't have a router that you can manage, at least use some of the filtering in the network connection's TCP/IP properties.
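
A triage helper for a saved listing like the one in the question, added here as an example and not code from any poster in the thread: it counts, per remote host, the connections reaching the SQL Server port from outside a list of trusted domains. The hostnames, the `trusted` parameter and the sample rows are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the column layout of the TCPView listing in the question:
# process:pid, protocol, local host:port, remote host:port, state.
SAMPLE = """\
sqlservr.exe:772   TCP   db.corp.example:ms-sql-s   host-a.isp.example:7322    TIME_WAIT
sqlservr.exe:772   TCP   db.corp.example:ms-sql-s   host-a.isp.example:15189   TIME_WAIT
sqlservr.exe:772   TCP   db.corp.example:ms-sql-s   host-a.isp.example:15359   TIME_WAIT
sqlservr.exe:772   TCP   db.corp.example:ms-sql-s   host-b.hosting.example:49885   TIME_WAIT
sqlservr.exe:772   TCP   db.corp.example:ms-sql-s   app1.corp.example:3310   ESTABLISHED
inetinfo.exe:900   TCP   db.corp.example:http   host-a.isp.example:2201   ESTABLISHED
this line is not a connection row
"""

ROW = re.compile(
    r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<lhost>\S+):(?P<lport>[^\s:]+)\s+"
    r"(?P<rhost>\S+):(?P<rport>[^\s:]+)\s+(?P<state>[A-Z_0-9]+)$"
)

def parse_rows(text):
    """Yield one dict per well-formed connection row; skip anything else."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.groupdict()

def untrusted_sql_peers(text, sql_ports=("ms-sql-s", "1433"), trusted=()):
    """Count connections reaching the SQL port per remote host outside `trusted`.

    The local port is the service being reached; the remote port is only the
    client's source port, so many different remote ports from one host mean
    many separate connections from that host.
    """
    counts = Counter()
    for row in parse_rows(text):
        host = row["rhost"].lower()
        if row["lport"].lower() not in sql_ports:
            continue  # not traffic to SQL Server
        if any(host == d or host.endswith("." + d) for d in trusted):
            continue  # expected internal client
        counts[host] += 1
    return counts.most_common()

if __name__ == "__main__":
    for host, n in untrusted_sql_peers(SAMPLE, trusted=("corp.example",)):
        print(f"{n:5d}  {host}")
```

Any host left in the output is reaching the database from outside the trusted list, which is the exposure the router or TCP/IP filtering advice above is meant to close.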
