    We recently rolled out a new web application on Server 2008 with IIS 7. Soon after rollout users complained that the connection to the application kept dropping. The client devices are all running XP SP3 and using IE6 or 7 as their web browser. Network traces from the server showed that it intermittently sent RSTs to the client causing it to drop the connection. Traces from the client showed high levels of SYNs. We disabled the firewall and AV with no effect. Performance monitor stats showed there wasn't a bottleneck on the server and that there were never any more than 15 people connecting in any 15s period.

    Eventually we enabled static file caching and this reduced the number of requests by about 90%. The server resets stopped and the client connections became stable. The only explanation we can think of that would explain why such a relatively small number of users caused the port resets is that the server thought it was undergoing a SYN flood attack.

    My question is: does Windows log anywhere if it thinks it is undergoing a SYN flood attack? Is there any way to confirm or deny this hypothesis?

    Wednesday, February 23, 2011 3:28 PM