Windows servers running Internet Information Services (IIS)
are vulnerable to denial-of-service (DoS) attacks carried out through malicious
Microsoft revealed that Windows servers running Internet
Information Services (IIS) are vulnerable to denial-of-service (DoS) attacks.
Attackers can trigger a DoS condition by sending specially
crafted HTTP/2 requests, the CPU usage will temporarily spike to 100% forcing
the IIS into killing the malicious connections.
“Microsoft is aware of a potential condition which can be
triggered when malicious HTTP/2 requests are sent to a Windows Server running
Internet Information Services (IIS). This could temporarily cause the system
CPU usage to spike to 100% until the malicious connections are killed by IIS
reads the security advisory published by Microsoft.
“The HTTP/2 specification allows clients to specify any
number of SETTINGS frames with any number of SETTINGS parameters. In some
situations, excessive settings can cause services to become unstable and may
result in a temporary CPU usage spike until the connection timeout is reached
and the connection is closed.”
The flaw affects Windows 10, Windows Server and Windows
The flaw was reported by Gal Goldshtein from F5 Networks
who disclosed in November 2018 a similar flaw in the nginx web server software.
Microsoft has released updates to address the issue, the
tech giant has implemented the ability to define thresholds on the number of
HTTP/2 SETTINGS included in a request. These thresholds are not preset by
Microsoft, instead, IIS administrator must define them. Microsoft published a
knowledge base article to explain how to define thresholds on the number of
HTTP/2 settings parameters exchanged over a connection.