Share via


Event ID 92 — NLB Denial-of-service Protection

Applies To: Windows Server 2008

Network Load Balancing (NLB) Denial-of-service Protection protects an NLB cluster from denial-of-service attacks such as SYN attacks and timer starvation. If protection is not present, the NLB cluster may not perform optimally and the connections in the cluster may fail.

Event Details

Product: Windows Operating System
ID: 92
Source: Microsoft-Windows-NLB
Version: 6.0
Symbolic Name: MSG_INFO_SYN_ATTACK_BEGIN
Message: NLB cluster [%2]: A SYN attack has been detected. During the attack, some connections might fail. If this attack recurs frequently, analyze the threat and take appropriate measures. An informational event log entry will be logged when the attack has subsided.

Resolve

Analyze threat to NLB cluster

Analyze the threats against the Network Load Balancing (NLB) cluster, including potential denial-of-service attacks, and then take the appropriate measures. For more information about security, see Security and Protection.

If it is not an attack, the NLB cluster may be overloaded. To distribute the cluster traffic load over more hosts, you can add more hosts to the NLB cluster.

When you are using NLB Manager, you must be a member of the Administrators group on the host that you are configuring, or you must have been delegated the appropriate authority. If you are configuring a cluster or host by running NLB Manager from a computer that is not part of the cluster, you do not have to be a member of the Administrators group on that computer.

To add a host to the NLB cluster:

  1. Click Start, click Administrative Tools, and then click Network Load Balancing Manager. You can also open NLB Manager by typing Nlbmgr at a command prompt.
  2. Right-click the cluster where you want to add the host and choose Add Host To Cluster. If NLB Manager does not list the cluster, connect to the cluster.
  3. Type the host's name and click Connect. The network adapters that are available on the host will be listed at the bottom of the dialog box.
  4. Click the network adapter that you want to use for NLB, and then click Next. The IP address configured on this network adapter will be the dedicated IP address for this host.
  5. Configure the remaining host parameters as appropriate, and then click Finish.

Verify

To verify that Network Load Balancing (NLB) is not under a denial-of-service attack by using Event Viewer:

  1. Click Start, click Control Panel, and then click System and Maintenance.
  2. Click Administrative Tools, and then double-click Event Viewer. You can also open Event Viewer by typing eventvwr from a command prompt.
  3. Click an event log in the left pane of the event viewer.
  4. In the system log, check for events with the ID 93, which indicates that the SYN attack has subsided, or ID 106, which indicates that the timer starvation has subsided.

NLB Denial-of-service Protection

NLB Cluster