Event ID 104 — NLB Denial-of-service Protection

Applies To: Windows Server 2008 R2

Network Load Balancing (NLB) Denial-of-service Protection protects an NLB cluster from denial-of-service attacks such as SYN attacks and timer starvation. If protection is not present, the NLB cluster may not perform optimally and the connections in the cluster may fail.

Event Details

Product: Windows Operating System
ID: 104
Source: Microsoft-Windows-NLB
Version: 6.1
Message: NLB cluster [%2]: The NLB driver failed to open the timer starvation callback object. Although it will continue to operate, NLB may not perform optimally in the event of timer starvation (usually caused by denial of service attacks).


Disable and enable NLB network adapters

During denial-of-service attacks, the Network Load Balancing (NLB) cluster will continue to operate and accept connections, however, it may not perform optimally. Disabling and re-enabling the network adapters may resolve this issue.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To disable and re-enable all network adapters by using Network and Sharing Center:

  1. Click Start, click Network, and then click Network and Sharing Center.
  2. Under Tasks, click Manage network connections.
  3. Right-click the network adapter you want to disable, and click Disable. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  4. Right-click the network adapter you want to enable, and click Enable. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.



To verify that Network Load Balancing (NLB) is not under a denial-of-service attack by using Event Viewer:

  1. Click Start, click Control Panel, and then click System and Maintenance.
  2. Click Administrative Tools, and then double-click Event Viewer. You can also open Event Viewer by typing eventvwr from a command prompt.
  3. Click an event log in the left pane of the event viewer.
  4. In the system log, check for events with the ID 93, which indicates that the SYN attack has subsided, or ID 106, which indicates that the timer starvation has subsided.

NLB Denial-of-service Protection

NLB Cluster