Microsoft fixes web server DDoS bug

Microsoft has fixed a bug that could have led to distributed denial of service (DDoS) attacks on its web server software.

The flaw lay in the way that Internet Information Server (IIS) processed requests sent using HTTP/2.

Ratified in 2015, HTTP/2 is an enhanced version of the original HTTP standard that includes better flow control and handles a wider variety of connections between clients and servers.

Flow control in HTTP/2 enables a client computer to describe how it wants to receive information from the sender so that it can work more efficiently.

For example, you might ask your browser to stream a high-bandwidth video, but then pause the video halfway through.

With HTTP/2, the browser can use flow control to pause the delivery and buffering of the video and concentrate on downloading something else that is suddenly more important, such as a real-time ticker update.

To manage flow control, HTTP/2 uses a feature known as a SETTINGS frame.

Clients can specify any number of SETTINGS frames, and this is the root of the problem that Microsoft found in IIS – too many frames can overload the server, maxing out CPU usage at 100%.

Microsoft reported:

In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.

The flaw meant that attackers with a botnet of zombie computers, or hacktivists with a following of willing helpers, could have brought IIS servers – which as of January 2019 hosted 25% of all web domains, according to Netcraft – to their knees.

Microsoft fixed the problem by adding an option to limit the number of SETTINGS frames in an HTTP/2 request.

What to do?

To access this feature, customers can download the cumulative updates KB4487006, KB4487011, KB4487021, and KB4487029.

The fix allows administrators to set two parameters in the registry: Http2MaxSettingsPerFrame and Http2MaxSettingsPerMinute.

If the number of SETTINGS frames surpasses either of these two limits, IIS will kill the connection:

When appropriately set, [the] two limits together help to terminate the malicious connection violating those limits and form a threshold for legitimate connections.

Don’t forget, though, that these settings aren’t turned on by default, even after you install the update – a suitable registry tweak is needed to enable this DDoS mitigation.