Event ID 104 — NLB Denial-of-service Protection

Applies To: Windows Server 2008 R2

Network Load Balancing (NLB) Denial-of-service Protection protects an NLB cluster from denial-of-service attacks such as SYN attacks and timer starvation. If protection is not present, the NLB cluster may not perform optimally and the connections in the cluster may fail.

Event Details

Resolve

Disable and enable NLB network adapters

During denial-of-service attacks, the Network Load Balancing (NLB) cluster will continue to operate and accept connections, however, it may not perform optimally. Disabling and re-enabling the network adapters may resolve this issue.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To disable and re-enable all network adapters by using Network and Sharing Center:

1. Click Start, click Network, and then click Network and Sharing Center.
2. Under Tasks, click Manage network connections.
3. Right-click the network adapter you want to disable, and click Disable. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4. Right-click the network adapter you want to enable, and click Enable. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Verify

To verify that Network Load Balancing (NLB) is not under a denial-of-service attack by using Event Viewer:

1. Click Start, click Control Panel, and then click System and Maintenance.
2. Click Administrative Tools, and then double-click Event Viewer. You can also open Event Viewer by typing eventvwr from a command prompt.
3. Click an event log in the left pane of the event viewer.
4. In the system log, check for events with the ID 93, which indicates that the SYN attack has subsided, or ID 106, which indicates that the timer starvation has subsided.

Related Management Information

NLB Denial-of-service Protection

NLB Cluster