Summary
HTTP/2 Settings frames are used by endpoints to exchange defined settings parameters with each other. The HTTP/2 protocol doesn’t define any practical limit on the number of settings parameters included in a single settings frame (max allowed is 2796202) and there is no limit on the number of times such settings frames are exchanged.
A malicious client using HTTP/2 can exploit this fact to make an HTTP/2 server system temporarily unstable, by increasing the CPU usage to 100% before the connections are terminated by the Internet Information Services (IIS).
Resolution
To address this issue, Microsoft has provided an ability to define limits on the number of HTTP/2 settings parameters allowed over a connection. These limits are not preset by Microsoft and must be defined by system administrator after reviewing the HTTP/2 protocol and their environment requirements.
Below are the two registry entries added to set the limits:
Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Name: Http2MaxSettingsPerFrame
Type: DWORD
Data: Supported min value 7 and max 2796202. Out of range values trimmed to corresponding min/max end value.
Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Name: Http2MaxSettingsPerMinute
Type: DWORD
Data: Supported min value 7. Smaller value trimmed to the min value.
Note: A machine reboot, or service restart is required to read the configured registry values, when they are added first time or changed.
With the limits set,
-
If a single Setting frame contains more settings parameters than "Http2MaxSettingsPerFrame" value, then that connection is immediately killed.
-
If the number of settings parameters contained in multiple Settings frames received within a minute crosses "Http2MaxSettingsPerMinute" value, then connection is killed.
When appropriately set, above two limits together help to terminate the malicious connection violating those limits and form a threshold for legitimate connections