To address this issue, Microsoft has added the ability to limit the number of HTTP/2 SETTINGS parameters accepted on a connection. Microsoft does not preset these limits, so the mitigation is not active until a system administrator defines them, after reviewing the HTTP/2 protocol (RFC 7540) and the requirements of their own environment.
The two registry entries that set the limits are:
Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Name: Http2MaxSettingsPerFrame
Type: DWORD
Data: Supported range is 7 to 2796202. Out-of-range values are clamped to the nearest bound. (2796202 is the largest number of 6-byte settings parameters that fit in the maximum HTTP/2 frame payload of 2^24-1 bytes.)
Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Name: Http2MaxSettingsPerMinute
Type: DWORD
Data: Minimum supported value is 7; smaller values are raised to 7. No maximum is specified beyond the DWORD range.
Note: The values are read only when the HTTP service starts, so a machine reboot or a restart of the HTTP service is required after they are first added or later changed.
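The following PowerShell script is an added example, not Microsoft's code or part of the original advisory. It writes both registry values described above, clamps them to the documented ranges so that what is reported matches what Http.sys will actually use, and reads them back. The chosen values (64 settings per frame, 300 per minute) are assumptions for illustration only and must be replaced with numbers derived from the legitimate HTTP/2 traffic in your environment.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code): writes the two HTTP/2 SETTINGS limits
# described above to the HTTP service (Http.sys) parameters key and reads them back.
# The values 64 per frame and 300 per minute are assumptions chosen for
# illustration, not recommendations; derive yours from observed legitimate traffic.

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Documented ranges: per-frame 7..2796202; per-minute minimum 7 (no stated
# maximum, so the DWORD ceiling is used here). Http.sys clamps out-of-range
# values itself; clamping here too makes the script report what will actually
# take effect rather than what was requested.
$Limits = @(
    @{ Name = 'Http2MaxSettingsPerFrame';  Value = 64;  Min = 7; Max = 2796202 }
    @{ Name = 'Http2MaxSettingsPerMinute'; Value = 300; Min = 7; Max = [uint32]::MaxValue }
)

function Set-Http2SettingsLimit {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [uint32] $Value,
        [Parameter(Mandatory)] [uint32] $Min,
        [Parameter(Mandatory)] [uint32] $Max
    )
    $effective = [Math]::Min([Math]::Max($Value, $Min), $Max)
    if ($effective -ne $Value) {
        Write-Warning "$Name=$Value is outside $Min..$Max; Http.sys would use $effective, writing that instead"
    }
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # Set-ItemProperty creates the value if it is missing and overwrites it
    # otherwise; -Type DWord matches the documented value type.
    Set-ItemProperty -Path $Path -Name $Name -Value $effective -Type DWord
    # Read back to confirm what was stored.
    return (Get-ItemProperty -Path $Path -Name $Name).$Name
}

foreach ($limit in $Limits) {
    $stored = Set-Http2SettingsLimit @limit   # splat the hashtable keys as parameters
    '{0} = {1}' -f $limit.Name, $stored
}

# Http.sys reads these values only at service start. Either reboot, or stop and
# start the HTTP service ("net stop http" then "net start http"). Stopping HTTP
# also stops services that depend on it, such as W3SVC (IIS), so schedule the
# restart accordingly and start the dependents again afterwards.
```

Run the script as an administrator; the warning branch shows the clamping behaviour (try a per-frame value of 5 or 3000000 to see it), and the read-back line confirms the stored DWORD before you restart the service or reboot.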
With the limits set:
- If a single SETTINGS frame contains more settings parameters than the Http2MaxSettingsPerFrame value, the connection is terminated immediately.
- If the total number of settings parameters received across multiple SETTINGS frames within one minute exceeds the Http2MaxSettingsPerMinute value, the connection is terminated.
Set appropriately, the two limits together terminate malicious connections that exceed them while leaving headroom for legitimate clients. Values set too low will drop legitimate connections as well, so the per-minute limit in particular should be chosen against observed traffic rather than guessed.