| Event Source: | Microsoft-Windows-OnlineResponder |
| Event ID: | 22 (0x16) |
| Event log: | Application |
| Event type: | Error |
| Symbolic Name: | MSG_E_POSSIBLE_DENIAL_OF_SERVICE_ATTACK |
| Event text (English): | OCSP Responder Services did not process an extremely long request from %1. This may indicate a denial-of-service attack. If the request was rejected in error, modify the MaxIncomingMessageSize property for the service. Unless exhaustive logging is enabled, this error will only be logged every 20 minutes. |
| Event text (German): | The OCSP responder services did not process an extremely long request from %1. This may indicate a denial of service attack. Change the MaxIncomingMessageSize property for the service if the request was incorrectly denied. Unless verbose logging is enabled, this error is only logged every 20 minutes. |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: RequestName (win:UnicodeString)
The Online Responder (Online Certificate Status Protocol, OCSP) is an alternative way of providing revocation status information for certificates. Entities that want to check the revocation status of a certificate do not have to download the complete list of all revoked certificates thanks to OCSP, but can make a specific request for the certificate in question to the online responder. For a more detailed description, see the article "Basics Online Responder (Online Certificate Status Protocol, OCSP)„.
Description
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
Microsoft writes about this event in the Installing, Configuring, and Troubleshooting the Online Responder (Microsoft's OCSP Responder) whitepaper:
It is recommended that the originator of the request is located as this type of event might point to a malicious user or application trying to compromise the Online Responder. The MaxIncomingMessageSize value can be modified by creating a new registry DWORD value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OCSPSvc\Responder registry hive and setting the value to the maximum number of bytes you would like the Online Responder to be able to process.
Safety assessment
No description has been written for this yet.
Related links:
- Overview of Windows events generated by the online responder (OCSP)
- Overview of the audit events generated by the online responder (OCSP)
English 
Deutsch