NLB Denial-of-service Protection

Applies To: Windows Server 2008 R2

Network Load Balancing (NLB) Denial-of-service Protection protects an NLB cluster from denial-of-service attacks such as SYN attacks and timer starvation. If protection is not present, the NLB cluster may not perform optimally and the connections in the cluster may fail.

Events

Event ID | Source | Message
92 | Microsoft-Windows-NLB | NLB cluster [%2]: A SYN attack has been detected. During the attack, some connections might fail. If this attack recurs frequently, analyze the threat and take appropriate measures. An informational event log entry will be logged when the attack has subsided.
93 | Microsoft-Windows-NLB | NLB cluster [%2]: A SYN attack has subsided.
99 | Microsoft-Windows-NLB | NLB cluster [%2]: The NLB driver failed to open the SYN attack callback object. A SYN attack is a type of denial of service attack which happens when a malicious user sends many open many TCP connections to the server exhausting system resources. Although NLB will still accept new connections, it may not perform optimally in the event of a SYN attack.
104 | Microsoft-Windows-NLB | NLB cluster [%2]: The NLB driver failed to open the timer starvation callback object. Although it will continue to operate, NLB may not perform optimally in the event of timer starvation (usually caused by denial of service attacks).
105 | Microsoft-Windows-NLB | NLB cluster [%2]: Timer starvation has been detected. This might be due to a denial of service attack or a very high server load. During this period, some connections might fail. If this problem recurs frequently, analyze the threat and take appropriate measures and/or add more servers to the cluster. An informational event log entry will be logged when the attack has subsided.
106 | Microsoft-Windows-NLB | NLB cluster [%2]: Timer starvation has subsided.
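
The events listed above come in pairs (92/93 and 105/106 mark the start and end of a condition), while 99 and 104 report that the driver could not open a protection callback. The following is an added example, not part of the original documentation: it pairs onset and subsided events per host into time windows and flags conditions that are still open. The function name `Get-NlbDosWindow` and the host names are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Requires PowerShell 3.0+ ([pscustomobject]). On a live host, feed it real events:
#   Get-WinEvent -FilterHashtable @{ ProviderName = 'Microsoft-Windows-NLB'; Id = 92,93,99,104,105,106 }
function Get-NlbDosWindow {
    param([object[]]$Events)

    # Event IDs from the table above, grouped by role.
    $onset    = @{ 92 = 'SYN attack'; 105 = 'Timer starvation' }
    $subsided = @{ 93 = 'SYN attack'; 106 = 'Timer starvation' }
    $noHook   = @{ 99 = 'SYN attack'; 104 = 'Timer starvation' }
    $open     = @{}   # "node|kind" -> time of the unmatched onset event

    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        $id = [int]$e.Id
        if ($onset.ContainsKey($id)) {
            $key = '{0}|{1}' -f $e.MachineName, $onset[$id]
            # A repeated onset before "subsided" belongs to the same window.
            if (-not $open.ContainsKey($key)) { $open[$key] = $e.TimeCreated }
        }
        elseif ($subsided.ContainsKey($id)) {
            $key = '{0}|{1}' -f $e.MachineName, $subsided[$id]
            if ($open.ContainsKey($key)) {
                $began = $open[$key]
                $open.Remove($key)
                [pscustomobject]@{ Node = $e.MachineName; Kind = $subsided[$id]; State = 'Subsided'
                    Onset = $began; Minutes = [math]::Round(($e.TimeCreated - $began).TotalMinutes, 1) }
            }
        }
        elseif ($noHook.ContainsKey($id)) {
            # 99/104: the driver could not open the callback object on this host.
            [pscustomobject]@{ Node = $e.MachineName; Kind = $noHook[$id]; State = 'CallbackNotOpened'
                Onset = $e.TimeCreated; Minutes = $null }
        }
    }
    # Onset with no matching "subsided" event: condition still in progress.
    foreach ($key in $open.Keys) {
        $node, $kind = $key -split '\|', 2
        [pscustomobject]@{ Node = $node; Kind = $kind; State = 'Ongoing'; Onset = $open[$key]; Minutes = $null }
    }
}

# Constructed sample events (same Id / TimeCreated / MachineName properties as Get-WinEvent output).
$sample = @(
    [pscustomobject]@{ Id = 104; MachineName = 'NLB-02'; TimeCreated = [datetime]'2024-01-10T08:00:00' }
    [pscustomobject]@{ Id = 92;  MachineName = 'NLB-01'; TimeCreated = [datetime]'2024-01-10T09:15:00' }
    [pscustomobject]@{ Id = 93;  MachineName = 'NLB-01'; TimeCreated = [datetime]'2024-01-10T09:27:30' }
    [pscustomobject]@{ Id = 105; MachineName = 'NLB-01'; TimeCreated = [datetime]'2024-01-10T11:02:00' }
)
Get-NlbDosWindow -Events $sample | Format-Table -AutoSize
```

Windows that recur often or stay in the `Ongoing` state are the cases the event text says to investigate or to address by adding servers to the cluster.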
