NLB Denial-of-service Protection

Updated: November 13, 2007

Applies To: Windows Server 2008

Network Load Balancing (NLB) Denial-of-service Protection protects an NLB cluster from denial-of-service attacks such as SYN attacks and timer starvation. If protection is not present, the NLB cluster may not perform optimally and the connections in the cluster may fail.

Events

Event ID Source Message

92

Microsoft-Windows-NLB

NLB cluster [%2]: A SYN attack has been detected. During the attack, some connections might fail. If this attack recurs frequently, analyze the threat and take appropriate measures. An informational event log entry will be logged when the attack has subsided.

93

Microsoft-Windows-NLB

NLB cluster [%2]: A SYN attack has subsided.

99

Microsoft-Windows-NLB

NLB cluster [%2]: The NLB driver failed to open the SYN attack callback object. A SYN attack is a type of denial of service attack which happens when a malicious user sends many open many TCP connections to the server exhausting system resources. Although NLB will still accept new connections, it may not perform optimally in the event of a SYN attack.

104

Microsoft-Windows-NLB

NLB cluster [%2]: The NLB driver failed to open the timer starvation callback object. Although it will continue to operate, NLB may not perform optimally in the event of timer starvation (usually caused by denial of service attacks).

105

Microsoft-Windows-NLB

NLB cluster [%2]: Timer starvation has been detected. This might be due to a denial of service attack or a very high server load. During this period, some connections might fail. If this problem recurs frequently, analyze the threat and take appropriate measures and/or add more servers to the cluster. An informational event log entry will be logged when the attack has subsided.

106

Microsoft-Windows-NLB

NLB cluster [%2]: Timer starvation has subsided.

Related Management Information

NLB Host

NLB Cluster

Community Additions

ADD
Show: