Detecting Ephemeral Port Exhaustion in Windows 7 / 8 / 2012

Ephemeral ports are ports that start at a higher range then regular ports. For example when compared to a web server that listens on port 80, ephemeral ports start from 49152 for Windows 2008 R2.  If there are scripts or applications that are making a lot of connections on the higher ports they can become exhausted.

A lot of these higher ports are dynamic ports meaning that they open and close on demand by the application.  You may see a high number of ports in TIME_WAIT when you run the netstat command, this is because Windows keeps a socket in TIME_WAIT state for a total of 4 minutes before recycling it back for use. In the default configuration there is a total of 16384 ephemeral ports. It may seem like a lot but if an application is sending one command through a port and then sending another command through another port, Windows waits 4 minutes before it closes the first port and this is where the exhaustion can occur.

Default ephemeral port ranges:

PowerShell – Identifying if you have exhausted ephemeral ports

You can run the below PowerShell script and it will show you details about your Ephemeral ports to see if they are all in use.

Log-EphemeralPortsStats.ps1  <– (Right-click, “Save Link As” to Download)

1. Open up Windows PowerShell

2.  “Set-Execution-policy Unrestricted” and execute the “Log-EphemeralPortsStats.ps1” script
(Click Image to enlarge)

3.  The Script will also generate a log file called “EphemeralPortStats.log”

Increasing Ephemeral Ports:

Windows 7 / 8 / 2012
=================
Command to View ephemeral ports:
netsh int ipv4 show dynamicportrange tcp

Command to increase Ephemeral ports
netsh int ipv4 set dynamicport tcp start=1025 num=64510

Ephemeral ports after the increase (Reboot is required)

Reduce TIME_WAIT
Windows keeps a port in TIME_WAIT state for 240 seconds (4 min) we can adjust this to 30 seconds so that it becomes available quicker for other applications to use.

1. Start > Run > Regedit
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters
3. Create a new DWORD (32 bit) named: TcpTimedWaitDelay
4. Set the value to Decimal: 30
5. Reboot

Redhat LInux 5
===========
Reduce the TIME_WAIT by setting the tcp_fin_timeout kernel value on /proc/sys/net/ipv4/tcp_fin_timeout, using the command echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout to set it to 30 seconds.

Increase the range of ephemeral ports by setting ip_local_port_range kernel value on /proc/sys/net/ipv4/ip_local_port_range, using the command echo “32768 65535” > /proc/sys/net/ipv4/ip_local_port_range, this will set the port range from 32768 to 65535.

The kernel value parameters aren’t saved with these commands, and are reset to the default values on system reboot, thus make sure to place the commands on a system startup script such as /etc/rc.local.

Helpful netstat commands
C:\>netstat -an | find “:80” |find /c “ESTABLISHED”
268
C:\>netstat -an | find “:80” |find /c “TIME_WAIT”
3746
C:\>netstat -an | find “:8085 ” | find /c “4924”
2
C:\>netstat -an | find “:8085 ” | find “4924”
TCP 127.0.0.1:4924 127.0.0.1:8085 ESTABLISHED
TCP 127.0.0.1:8085 127.0.0.1:4924 ESTABLISHED
netstat -ano | find /N “8085”
netstat -a -n | find /c “:”
netstat -anbo