Network ports on firewall filling up ....need help 500 points to the winners

Posted on 2005-02-28
Medium Priority
Last Modified: 2013-11-16
I have just installed a new Windows 2003 server on my network and it has an Exchange 2003 server on it. We are having issues with the network locking up. Basically I think there may be a virus but I am unsure where it could be. What I am seeing on the firewall is that the connections keep building up. Our firewall, a SonicWall 3060 Pro, can handle 130000 connections, then it will start dropping connections. I tried unplugging the new server from the network and watched to see if the connections would die off. But they do not die. However they do stop going up. If I plug the server back in the connections start going up...about 100 every 10 seconds. This makes me think that something is trying to talk with the Exchange server over and over and once it opens a port it keeps it live.

Any ideas on how to troubleshoot my network? How can I locate the source of the problem?

I am placing this in the general networking area because I am unsure where I would place it. I am not sure what is going on.

Question by:tabmpierce
LVL 27

Expert Comment

ID: 13423066
Can you look at your firewall logs and see what the traffic is? If not, throw a sniffer (like Ethereal) in front of your server, or your firewall, and examine the traffic. It sounds STRONGLY like your server is infected.

You could run netstat -an at a command line on the server to see what ports it's opening and listening on.
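An added example, not part of the thread: one way to turn two `netstat -an` captures from the server into an answer to "what is growing?", by classifying each TCP connection as inbound (local port is a listening port) or outbound and diffing the counts. The sample captures and all addresses are constructed, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample: two `netstat -an` captures from the server, taken a few
# seconds apart (Windows column layout; every address here is made up).
SNAP_1 = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:25        192.168.1.57:1034      ESTABLISHED
  TCP    192.168.1.10:3389      192.168.1.20:4411      ESTABLISHED
  TCP    192.168.1.10:1201      203.0.113.9:25         SYN_SENT
  UDP    0.0.0.0:445            *:*
"""
SNAP_2 = SNAP_1 + """\
  TCP    192.168.1.10:25        192.168.1.57:1035      ESTABLISHED
  TCP    192.168.1.10:1202      203.0.113.10:25        SYN_SENT
  TCP    192.168.1.10:1203      203.0.113.11:25        SYN_SENT
  TCP    192.168.1.10:1204      203.0.113.12:25        TIME_WAIT
"""

def parse(text):
    """Yield (local_port, remote_ip, remote_port, state) for every TCP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "TCP":   # skips the header and stateless UDP rows
            rip, rport = f[2].rsplit(":", 1)
            yield int(f[1].rsplit(":", 1)[1]), rip, int(rport), f[3]

def classify(text):
    """Return (direction, service_port, peer_ip, state) per live TCP connection."""
    rows = list(parse(text))
    listening = {lp for lp, _, _, st in rows if st == "LISTENING"}
    out = []
    for lport, rip, rport, state in rows:
        if state == "LISTENING":
            continue
        # Local port we listen on: a peer connected in; otherwise the server dialled out.
        inbound = lport in listening
        out.append(("inbound", lport, rip, state) if inbound else ("outbound", rport, rip, state))
    return out

def growth(before, after):
    """Per (direction, port) increase in connection count between two captures."""
    count = lambda t: Counter((d, p) for d, p, _, _ in classify(t))
    return count(after) - count(before)

def peers(text, direction, port):
    """Count connections per peer IP for one direction/port pair."""
    return Counter(ip for d, p, ip, _ in classify(text) if (d, p) == (direction, port))
```

In the constructed data the growth is outbound port 25 to many distinct peers, which points at the server itself; growth concentrated on one inbound peer would instead point at a client on the LAN.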
LVL 27

Accepted Solution

pseudocyber earned 1500 total points
ID: 13423080
There's a cool tool called "Port Reporter Tool" at Microsoft.  I haven't messed with it (on my to do list) - sounds like it would be useful, but don't know if you have time to install and configure.

This article contains information about how to obtain, install, and configure the Port Reporter tool. The Port Reporter tool is a tool that you can use to log TCP/IP port data on computers that are running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000.


Expert Comment

ID: 13423156
We had the exact same problem and pseudocyber is right on with how to resolve it. In our case it was a user that was flooding the network with traffic. The Sonicwall then shut the system down as in your case. We used Ethereal (before we knew about Port Reporter) and it quickly found the culprit.

Port Reporter is an incredible tool and it tells you real quickly what ports are open, what the source and destination port is as well as the heaviest time it is being used.

It can generate huge logs though. I have seen close to 1GB a day on a 100 node network.
LVL 24

Expert Comment

ID: 13423688
> ports on firewall filling up
> on the firewall is that the connections keep building up.

Initial firewall configuration should be to disable all ports.
Then open the ones worth using.

Expert Comment

ID: 13425384
This must be a virus or malware or P2P traffic. Search all the PCs on the LAN for the above.

Check these:


And make sure you uninstall or stop any P2P from sharing files. I recommend uninstall.

Expert Comment

ID: 13425390
Since you say the server is the likely cause you may want to start with that. And ensure that it is running updated real time antivirus as well.
LVL 27

Expert Comment

ID: 13428047
Updating your virus scanning engines and dat files is certainly the first step. However, it is possible to be among the first to experience a new variant that your virus scanner won't find. Been there, done that.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses
Course of the Month14 days, 18 hours left to enroll

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question