Microsoft fixes web server DDoS bug – Naked Security

Microsoft fixed a bug that could have led to Distributed Denial of Service (DDoS) attacks on its web server software.

The flaw lay in the way Internet Information Services (IIS) processed requests sent over HTTP/2.

Ratified in 2015, HTTP/2 is an improved version of the original HTTP standard that includes better flow control and handles a wider variety of connections between clients and servers.

Flow control in HTTP/2 allows a client computer to describe how it wishes to receive information from the sender so that it can work more efficiently.

For example, you might ask your browser to stream a high-bandwidth video and then pause it halfway through.

With HTTP/2, the browser can use flow control to pause the delivery and buffering of the video and concentrate on downloading something that has suddenly become more important, such as a real-time ticker update.

To manage flow control, HTTP/2 uses a feature known as a SETTINGS frame.

Clients can send any number of SETTINGS frames, and this is the root of the problem Microsoft found in IIS: too many frames can overload the server, pushing CPU usage to 100%.

Microsoft reported:

In some situations, excessive settings can cause services to become unstable and cause a temporary spike in CPU usage until the connection timeout is reached and the connection is closed.

The flaw meant that attackers with a botnet of zombie computers, or hacktivists with a crowd of volunteer helpers, could have brought IIS servers – which, as of January 2019, hosted 25% of all web domains, according to Netcraft – to their knees.

Microsoft addressed the issue by adding an option to limit the number of SETTINGS frames in an HTTP/2 request.

What to do?

To access this feature, customers can download cumulative updates KB4487006, KB4487011, KB4487021, and KB4487029.

The fix allows administrators to set two parameters in the registry: Http2MaxSettingsPerFrame and Http2MaxSettingsPerMinute.

If the number of SETTINGS frames exceeds one of these two limits, IIS will drop the connection:

When correctly defined, the two limits together help terminate malicious connections violating these limits and form a threshold for legitimate connections.

Keep in mind, however, that these settings are not enabled by default, even after installing the update: the two registry values must be set explicitly before this DDoS mitigation takes effect.
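As an added example (not code from the article or from Microsoft), the following PowerShell audits a patched IIS host for the two registry values the article names and creates them only where they are missing, which is the state the article warns about. It assumes the values live under the HTTP.sys Parameters key shown, which the article does not state, and the two numeric limits are constructed placeholders rather than recommended figures.

```powershell
# Added example, not the article's or Microsoft's own code.
# ASSUMPTION: the two DWORD values are read by HTTP.sys from the Parameters
# key below; the article gives only the value names, so confirm the path
# against Microsoft's advisory before use. The limits are constructed
# placeholders, not recommended figures.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Limits = [ordered]@{
    Http2MaxSettingsPerFrame  = 64
    Http2MaxSettingsPerMinute = 4096
}
# The cumulative updates named in the article; only the one matching this
# Windows build will be present, so a single hit is enough.
$Updates = 'KB4487006', 'KB4487011', 'KB4487021', 'KB4487029'

function Get-Http2SettingsLimit {
    param([string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [uint32]$item.$Name
}

$patched = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $Updates -contains $_.HotFixID }
if (-not $patched) {
    Write-Warning 'None of the listed cumulative updates is installed; the registry values alone will not throttle SETTINGS frames.'
}
if (-not (Test-Path $Key)) { throw "Registry key not found: $Key" }

foreach ($name in $Limits.Keys) {
    $current = Get-Http2SettingsLimit -Name $name
    if ($null -eq $current) {
        # A missing value means the mitigation is still disabled.
        Write-Warning "$name is not set: HTTP/2 SETTINGS throttling is disabled"
        New-ItemProperty -Path $Key -Name $name -PropertyType DWord `
            -Value $Limits[$name] -Force | Out-Null
        Write-Output "Created $name = $($Limits[$name])"
    }
    else {
        Write-Output "$name already set to $current (left unchanged)"
    }
}
# HTTP.sys reads its Parameters key at start-up, so assume a reboot (or a
# restart of the HTTP service and its dependents) is needed before the
# limits apply.
```

Run it once in an elevated session to audit only (comment out the New-ItemProperty call) before letting it write values.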
