• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1959
  • Last Modified:

Too many TIME_WAIT connections.

Hello Experts,

         I am looking after win 2000 server with MS SQl 2000 DB. Recently all of  a sudden bandwidth utilization of server skyrocketed. Upon running TCPview i got below given result,

sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:7322      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15189      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15359      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15525      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:16931      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18317      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18480      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18651      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:20393      TIME_WAIT
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49885      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49756      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.center7.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49581      TIME_WAIT      


This is just few lines of the result.there are hundreds of entries like these. I know that getting  TIME_WAIT is quite normal and usaually these connections get dropped after some time but I have been getting these results for more than a week now.At first i thought this was slammer worm, but i have service pack 3 of sql installed  ,so i belive it makes me immune to this worm.Just to be sure i checked with symantec slammer fix tool but did not find anything.Can somebody help me with this.

Thanks in Advance
0
anilmane
Asked:
anilmane
  • 3
1 Solution
 
jdlambert1Commented:
I suspect you have some virus/worm/trojan other than Slammer. All those port numbers from algx.net definitely looks like port scanning, and it doesn't appear to be a conventional web site. theplanet.com is a web hosting site, and the traffic from reverse.theplanet.com may mean that their server has gotten a lot of traffic from your server, and they're trying to do a reverse lookup on your IP address.
0
 
jdlambert1Commented:
Well, my idea that reverse.theplanet.com is doing reverse lookups is a dumb idea, I was thinking of firewall logs that look like that, not SQL Server connections.

If this database is behind a web server, it may be the target of one or more attacks (or efforts to probe for weaknesses), rather than having a virus/worm/trojan on your server.
0
 
anilmaneAuthor Commented:
Thanks for the quick reply,

        Yes, i think its some kind of worm but i have scanned this server with symantec and some other online scan but to no avail. algx.net and theplanet.com are not only sites for which i am getting this there are also hundreds of connections from jaazsoftware.com which is also not valid site.Is there any way i can stop this.

0
 
jdlambert1Commented:
If it were a distributed-denial-of-service attack, I'd expect a whole lot more than hundreds of connections. Nevertheless, with all those port numbers being probed on your SQL Server, it appears that your firewall isn't properly configured. How it should be configured depends on how you're using SQL Server: is it serving a web server, corporate services, or both? Do connections need to be made to it from outside your network?
0
 
crescendoCommented:
Why is your server accepting connections from the Internet? You need a firewall - and quick!

If you have a router that you manage, get it to deny all ports except the ones you need to leave open. If it's a webserver, that will usually just be port 80 and possibly 443. There's normally bo need for any of the SQL to be exposed to the Internet.

If you don't have a router that you can manage, at least use some of the filtering in the network connection's TCP/IP properties.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now