PC Help: Define thresholds on the number of HTTP/2 Settings parameters exchanged over a connection

Wednesday, February 1, 2023

Define thresholds on the number of HTTP/2 Settings parameters exchanged over a connection - Microsoft Support [MS]

Windows 10 Windows 10, version 1607, all editions Windows 10, version 1703, all editions Windows 10, version 1709, all editions Windows 10, version 1803, all editions Windows 10, version 1809, all editions More...Less

Summary

HTTP/2 Settings frames are used by endpoints to exchange defined settings parameters with each other. The HTTP/2 protocol doesn't define any practical limit on the number of settings parameters included in a single settings frame (max allowed is 2796202) and there is no limit on the number of times such settings frames are exchanged.

A malicious client using HTTP/2 can exploit this fact to make an HTTP/2 server system temporarily unstable, by increasing the CPU usage to 100% before the connections are terminated by the Internet Information Services (IIS).

Resolution

To address this issue, Microsoft has provided an ability to define limits on the number of HTTP/2 settings parameters allowed over a connection. These limits are not preset by Microsoft and must be defined by system administrator after reviewing the HTTP/2 protocol and their environment requirements.

Below are the two registry entries added to set the limits:

Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

Name: Http2MaxSettingsPerFrame

Type: DWORD

Data: Supported min value 7 and max 2796202. Out of range values trimmed to corresponding min/max end value.

Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

Name: Http2MaxSettingsPerMinute

Type: DWORD

Data: Supported min value 7. Smaller value trimmed to the min value.

Note: A machine reboot, or service restart is required to read the configured registry values, when they are added first time or changed.

With the limits set,

If a single Setting frame contains more settings parameters than "Http2MaxSettingsPerFrame" value, then that connection is immediately killed.
If the number of settings parameters contained in multiple Settings frames received within a minute crosses "Http2MaxSettingsPerMinute" value, then connection is killed.

When appropriately set, above two limits together help to terminate the malicious connection violating those limits and form a threshold for legitimate connections