

Event ID 99 — NLB Denial-of-service Protection

Applies To: Windows Server 2008

Network Load Balancing (NLB) Denial-of-service Protection protects an NLB cluster from denial-of-service attacks such as SYN attacks and timer starvation. If protection is not present, the NLB cluster may not perform optimally and the connections in the cluster may fail.

Event Details

Product: Windows Operating System
ID: 99
Source: Microsoft-Windows-NLB
Version: 6.0
Symbolic Name: MSG_WARN_SYN_ATTACK_CALLBACK_OPEN_FAILED
Message: NLB cluster [%2]: The NLB driver failed to open the SYN attack callback object. A SYN attack is a type of denial of service attack which happens when a malicious user sends many open many TCP connections to the server exhausting system resources. Although NLB will still accept new connections, it may not perform optimally in the event of a SYN attack.

Resolve

Disable and enable NLB network adapters

During denial-of-service attacks, the Network Load Balancing (NLB) cluster will continue to operate and accept connections; however, it may not perform optimally. Disabling and re-enabling the network adapters may resolve this issue.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To disable and re-enable all network adapters by using Network and Sharing Center:

  1. Click Start, click Network, and then click Network and Sharing Center.
  2. Under Tasks, click Manage network connections.
  3. Right-click the network adapter you want to disable, and click Disable. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  4. Right-click the network adapter you want to enable, and click Enable. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

 

Verify

To verify that Network Load Balancing (NLB) is not under a denial-of-service attack by using Event Viewer:

  1. Click Start, click Control Panel, and then click System and Maintenance.
  2. Click Administrative Tools, and then double-click Event Viewer. You can also open Event Viewer by typing eventvwr from a command prompt.
  3. Click an event log in the left pane of the event viewer.
  4. In the system log, check for events with the ID 93, which indicates that the SYN attack has subsided, or ID 106, which indicates that the timer starvation has subsided.
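
The same check can be run from a PowerShell prompt instead of Event Viewer. The script below is an added example, not part of the original article; it assumes PowerShell 2.0 or later (for Get-WinEvent), and the seven-day look-back window is an arbitrary choice.

```powershell
# Added example. Event IDs and meanings are the ones given on this page.
$meaning = @{
    99  = 'Driver failed to open the SYN attack callback object'
    93  = 'SYN attack has subsided'
    106 = 'Timer starvation has subsided'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-NLB'
    Id           = 93, 99, 106
    StartTime    = (Get-Date).AddDays(-7)   # assumed look-back window
}

# Get-WinEvent writes an error when no event matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output 'No NLB events with ID 93, 99 or 106 in the last 7 days.'
}
else {
    # One row per event ID: how often it occurred and when it was last logged.
    $events | Group-Object -Property Id | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated | Select-Object -Last 1
        New-Object PSObject -Property @{
            Id       = $latest.Id
            Count    = $_.Count
            LastSeen = $latest.TimeCreated
            Meaning  = $meaning[[int]$latest.Id]
        }
    } | Sort-Object LastSeen | Format-Table Id, Count, LastSeen, Meaning -AutoSize
}
```

Rows are sorted by last occurrence, so the final row shows which of the three events was logged most recently on this host.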
