Microsoft IIS HTTP/2 denial of service


Executive Summary

Microsoft is aware of a potential condition which can be triggered when malicious HTTP/2 requests are sent to a Windows Server running Internet Information Services (IIS). This could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS.

The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.

To address this issue, Microsoft has added the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds must be defined by the IIS administrator, they are not preset by Microsoft.

Recommended Actions

  1. Install the February non-security update.
  2. Customers should review Knowledge Base Article 4491420 and take appropriate action.

Read more…