question

ChrisFournier-9075 asked ChrisFournier-9075 commented

Why is SQL Browser (on a cluster) doing a vertical port scan of the node it's running on?

Here's some background.

This is a 3-node SQL cluster running 10 instances, all SQL 2012 on WIN2012R2. Each SQL instance has its own IP and uses p1433, so browser is not used to make connections to named instances.

One of our monitoring tools caught a SQL instance source using the SQL browser to do an internal port scan against the node it is running on.

Sample of ports scanned:
TCP/UDP Port (Impacted):
49179 (4)
49171 (4)
49173 (4)


Is anyone aware of this sort of behavior out of the browser service?

sql-server-general

Just a note that I deleted my Answer, since it was irrelevant. I had missed the detail on all instances having their own IP-address.


Ahh, no worries. Thanks for taking a minute to look at my question.

I wonder if there is a way to reproduce that port scan condition. Perhaps if I tried to make a connection to the named instance w/o using the SQL cluster name. Somehow the browser is getting involved even though we don't use it.


1 Answer

AmeliaGu-msft answered ChrisFournier-9075 commented

Hi ChrisFournier-9075,

Welcome to Microsoft Q&A.

"One of our monitoring tools caught a SQL instance source using the SQL browser to do an internal port scan against the node it is running on."

Will this happen even if the browser is disabled?
Could you please try to hide the instances in SQL Server Configuration Manager? Setting the HideInstance flag can indicate that SQL Server Browser should not respond with information about this server instance. To hide a clustered instance, we need to create an alias in all the nodes of the clustered instance to reflect the static port that you configured for the instance.
Please refer to this doc which might help.

Best Regards,

Amelia



Thank you for your reply, AmeliaGu-msft.

I attempted to disable the browser service on all nodes, but unfortunately that caused all instances to crash. They would only restart after I brought the browsers back up on each node. That was a hard way to find out that the clustered instances are dependent on the browser service.

I'll look at the idea of hiding an instance from the browser to see if that stops the occasional vertical port scan.
