Event ID 105 — NLB Denial-of-service Protection
Applies To: Windows Server 2008
Network Load Balancing (NLB) Denial-of-service Protection protects an NLB cluster from denial-of-service attacks such as SYN attacks and timer starvation. If protection is not present, the NLB cluster may not perform optimally and the connections in the cluster may fail.
Event Details
Product: | Windows Operating System |
ID: | 105 |
Source: | Microsoft-Windows-NLB |
Version: | 6.0 |
Symbolic Name: | MSG_INFO_TIMER_STARVATION_BEGIN |
Message: | NLB cluster [%2]: Timer starvation has been detected. This might be due to a denial of service attack or a very high server load. During this period, some connections might fail. If this problem recurs frequently, analyze the threat and take appropriate measures and/or add more servers to the cluster. An informational event log entry will be logged when the attack has subsided. |
Resolve
Analyze threat to NLB cluster
Analyze the threats against the Network Load Balancing (NLB) cluster, including potential denial-of-service attacks, and then take the appropriate measures. For more information about security, see Security and Protection.
If it is not an attack, the NLB cluster may be overloaded. To distribute the cluster traffic load over more hosts, you can add more hosts to the NLB cluster.
When you are using NLB Manager, you must be a member of the Administrators group on the host that you are configuring, or you must have been delegated the appropriate authority. If you are configuring a cluster or host by running NLB Manager from a computer that is not part of the cluster, you do not have to be a member of the Administrators group on that computer.
To add a host to the NLB cluster:
- Click Start, click Administrative Tools, and then click Network Load Balancing Manager. You can also open NLB Manager by typing Nlbmgr at a command prompt.
- Right-click the cluster where you want to add the host and choose Add Host To Cluster. If NLB Manager does not list the cluster, connect to the cluster.
- Type the host's name and click Connect. The network adapters that are available on the host will be listed at the bottom of the dialog box.
- Click the network adapter that you want to use for NLB, and then click Next. The IP address configured on this network adapter will be the dedicated IP address for this host.
- Configure the remaining host parameters as appropriate, and then click Finish.
Verify
To verify that Network Load Balancing (NLB) is not under a denial-of-service attack by using Event Viewer:
- Click Start, click Control Panel, and then click System and Maintenance.
- Click Administrative Tools, and then double-click Event Viewer. You can also open Event Viewer by typing eventvwr from a command prompt.
- Click an event log in the left pane of the event viewer.
- In the system log, check for events with the ID 93, which indicates that the SYN attack has subsided, or ID 106, which indicates that the timer starvation has subsided.