
Network ports on firewall filling up ....need help 500 points to the winners

Posted on 2005-02-28
Last Modified: 2013-11-16
I have just installed a new Windows 2003 server on my network and it has an Exchange 2003 server on it. We are having issues with the network locking up. Basically I think there may be a virus but I am unsure where it could be. What I am seeing on the firewall is that the connections keep building up. Our firewall, a SonicWall 3060 Pro, can handle 130000 connections; then it will start dropping connections. I tried unplugging the new server from the network and watched to see if the connections would die off. But they do not die. However, they do stop going up. If I plug the server back in, the connections start going up...about 100 every 10 seconds. This makes me think that something is trying to talk with the Exchange server over and over, and once it opens a port it keeps it live.

Any ideas on how to troubleshoot my network? How can I locate the source of the problem?

I am placing this in the general networking area because I am unsure where I would place it. I am not sure what is going on.


Thanks
Tab
0
Question by:tabmpierce
7 Comments
 
LVL 27

Expert Comment

by:pseudocyber
ID: 13423066
Can you look at your firewall logs and see what the traffic is?  If not, throw a sniffer (like Ethereal) in front of your server, or your firewall, and examine the traffic.  It sounds STRONGLY like your server is infected.

You could run netstat -an at a command line on the server to see what ports it's opening and listening on.
0
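
An added example, not part of the original thread: one way to read the `netstat -an` output suggested above is to separate connections arriving at the server's listening ports from connections the server itself opens, which distinguishes "something keeps talking to the Exchange server" from "the server is infected". The sample output and addresses are constructed, and treating any local port that also appears as LISTENING as inbound is a heuristic assumed here.

```python
from collections import Counter

# Constructed sample of Windows `netstat -an` output (documentation-range
# addresses; not data from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          198.51.100.7:1042      ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:1043      ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:1044      TIME_WAIT
  TCP    192.0.2.10:25          203.0.113.9:2201       ESTABLISHED
  TCP    192.0.2.10:1301        203.0.113.50:445       SYN_SENT
  TCP    192.0.2.10:1302        203.0.113.51:445       SYN_SENT
  TCP    192.0.2.10:1303        203.0.113.52:445       SYN_SENT
  UDP    0.0.0.0:445            *:*
"""


def parse_netstat(text):
    """Return (local_port, remote_host, remote_port, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue  # headers, blank lines, UDP rows (no state column)
        _, lport = fields[1].rpartition(":")[::2]
        rhost, rport = fields[2].rpartition(":")[::2]
        rows.append((int(lport), rhost, int(rport), fields[3]))
    return rows


def summarize(rows):
    """Split connections into inbound (to a listening port) and outbound."""
    listening = sorted({lp for lp, _, _, st in rows if st == "LISTENING"})
    inbound, outbound = Counter(), Counter()
    for lport, rhost, rport, state in rows:
        if state == "LISTENING":
            continue
        if lport in listening:        # a client talking to a local service
            inbound[(rhost, lport)] += 1
        else:                         # the server itself opened this one
            outbound[rport] += 1
    return listening, inbound, outbound


if __name__ == "__main__":
    ports, inbound, outbound = summarize(parse_netstat(SAMPLE))
    print("listening:", ports)
    print("inbound by (client, service port):", inbound.most_common(5))
    print("outbound by destination port:", outbound.most_common(5))
```

A large inbound count from one client points at that client; a large outbound count to a single destination port across many hosts points at the server itself.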
 
LVL 27

Accepted Solution

by:
pseudocyber earned 1500 total points
ID: 13423080
There's a cool tool called "Port Reporter Tool" at Microsoft.  I haven't messed with it (on my to do list) - sounds like it would be useful, but don't know if you have time to install and configure.

This article contains information about how to obtain, install, and configure the Port Reporter tool. The Port Reporter tool is a tool that you can use to log TCP/IP port data on computers that are running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000.

http://support.microsoft.com/?id=837243
0
 
LVL 3

Expert Comment

by:MVITECH
ID: 13423156
We had the exact same problem and pseudocyber is right on with how to resolve it. In our case it was a user that was flooding the network with traffic. The Sonicwall then shut the system down as in your case. We used Ethereal (before we knew about Port Reporter) and it quickly found the culprit.

Port Reporter is an incredible tool and it tells you real quickly what ports are open, what the source and destination port is as well as the heaviest time it is being used.

It can generate huge logs though. I have seen close to 1 GB a day on a 100 node network.
0

 
LVL 24

Expert Comment

by:SunBow
ID: 13423688
> ports on firewall filling up
> on the firewall is that the connections keep building up.

Initial firewall configuration should be to disable all ports.
Then open the ones worth using
0
 
LVL 9

Expert Comment

by:conradie
ID: 13425384
This must be a virus or malware or P2P traffic. Search all the PC's on the LAN for the above.

Check these:

http://www.microsoft.com/security/malwareremove/default.mspx#run
http://www.lavasoftusa.com/software/adaware/
http://housecall.trendmicro.com/

And make sure you uninstall or stop any P2P from sharing files. I recommend uninstall.
0
 
LVL 9

Expert Comment

by:conradie
ID: 13425390
Since you say the server is the likely cause you may want to start with that. And ensure that it is running updated real time antivirus as well.
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 13428047
Updating your virus scanning engines and dat files is certainly the first step.  However, it is possible to be among the first to experience a new variant that your virus scanner won't find.  Been there, done that.
0
