
Microsoft "fixed" the HTTP/2 vulnerabilities recently discovered. The updates add the ability to create the registry keys to stop the vulnerabilities; they don't actually fix the vulnerabilities after updating. (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-9511)

They give zero guidance on what any of the values should be or even what a good starting point would be to set the values. Does anyone have any baseline recommendations to set these values? They range from 0 to 0xFF or 0xFFF, which makes it even more interesting. Setting them all to the min or max to start sounds like a bad idea.

These are the registry keys and possible values:

Http2MaxPingsPerMinute - Range 0 to 0xFF - If you don't allow anyone to ping you does it matter?

Http2MaxServerResetsPerMinute - Range 0 to 0xFFF

Http2MaxPrioritiesPerStream - Range 0 to 0xFF

Http2MaxResetsPerStream - Range 0 to 0xFF

Http2MaxUnknownsPerStream - Range 0 to 0xFF

Http2MaxWindowUpdatesPerSend - Range 0 to 0xFF

Http2MinimumSendWindowSize - Range 0 to 0xFFF

BONUS!

They did the same thing in February. (https://support.microsoft.com/en-us/help/4491420/define-thresholds-on-the-number-of-http-2-settings-parameters-exchange)

I have seen one article online, that I cannot find again, that suggested setting these values to 256 to start, but I haven't seen any other suggestions anywhere else.

Http2MaxSettingsPerFrame - Range 7 to 2796202

Http2MaxSettingsPerMinute - Minimum Value 7

Thanks in advance to anyone that can help!

NinjaBomb
  • "To be fully protected from the vulnerabilities, an administrator needs to configure their server to limit the number of HTTP/2 packets accepted. This can vary based on the environment and services running on each server." You know your servers and you should determine the suitable values? – Lex Li Aug 16 '19 at 20:45
  • I agree and I’ve read that passage about 50 times all over the internet. I know the servers and I know the apps on them, but how do you even start to figure out what those values should be? Performance counters somewhere? Measuring some response size somewhere in some cases? Something else in .NET? Guessing and seeing what happens? Someone knows how to get the metrics and I’ll admit it isn’t me right now and I can’t be the only person on Earth that needs to be shown the light. I’m not too proud to say I need some help here! – NinjaBomb Aug 16 '19 at 23:34
  • Did you ever arrive at some reasonable default for these? – Steven Quick May 12 '21 at 15:39
  • @StevenQuick unfortunately no. I occasionally google around and haven't found anything useful. – NinjaBomb Jun 17 '21 at 22:40
  • @NinjaBomb Yeah, the documentation around this is very poor. It's not clear whether it's still needed or not. The best I came up with was copying nginx default settings which seemed sensible. – Steven Quick Jun 18 '21 at 00:37
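Added example, not part of the question or any of the comments: a PowerShell script that audits which of the HTTP/2 throttling values listed above are actually configured on a server and validates any proposed value against the documented range before writing it. It prescribes no values, since the page offers none. It assumes the values live under `HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters`, the path named in the MSRC advisory; the function names (`Get-Http2Limit`, `Test-Http2LimitValue`, `Set-Http2Limit`) are my own. `Http2MaxSettingsPerMinute` has only a documented minimum, so its upper bound is taken as the DWORD maximum (an assumption).

```powershell
# Added example (not from the original question): audit and range-check the HTTP/2
# throttling DWORDs for HTTP.sys. No values are recommended here.
# Assumption: this is the key path used in the MSRC advisory for CVE-2019-9511.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Documented ranges, transcribed from the question. Http2MaxSettingsPerMinute has only a
# documented minimum, so the DWORD maximum is used as its upper bound (assumption).
$Http2Limits = [ordered]@{
    Http2MaxPingsPerMinute        = @{ Min = 0; Max = 0xFF }
    Http2MaxServerResetsPerMinute = @{ Min = 0; Max = 0xFFF }
    Http2MaxPrioritiesPerStream   = @{ Min = 0; Max = 0xFF }
    Http2MaxResetsPerStream       = @{ Min = 0; Max = 0xFF }
    Http2MaxUnknownsPerStream     = @{ Min = 0; Max = 0xFF }
    Http2MaxWindowUpdatesPerSend  = @{ Min = 0; Max = 0xFF }
    Http2MinimumSendWindowSize    = @{ Min = 0; Max = 0xFFF }
    Http2MaxSettingsPerFrame      = @{ Min = 7; Max = 2796202 }
    Http2MaxSettingsPerMinute     = @{ Min = 7; Max = [uint32]::MaxValue }
}

function Get-Http2Limit {
    # Report every documented value name, whether it is configured, and what it holds.
    # An absent value means HTTP.sys is running with its built-in default, which the
    # advisory does not document, so "Configured = False" is worth flagging in an audit.
    foreach ($name in $Http2Limits.Keys) {
        $item  = Get-ItemProperty -Path $HttpParams -Name $name -ErrorAction SilentlyContinue
        $value = $null
        if ($null -ne $item) { $value = $item.$name }
        [pscustomobject]@{
            Name       = $name
            Configured = ($null -ne $item)
            Value      = $value
            Min        = $Http2Limits[$name].Min
            Max        = $Http2Limits[$name].Max
        }
    }
}

function Test-Http2LimitValue {
    # Return $true only when the name is one of the documented values and the
    # proposed number lies inside its documented range.
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][uint32]$Value
    )
    if (-not $Http2Limits.Contains($Name)) {
        Write-Warning "Unknown value name: $Name"
        return $false
    }
    $range = $Http2Limits[$Name]
    if ($Value -lt $range.Min -or $Value -gt $range.Max) {
        Write-Warning ("{0}={1} is outside the documented range {2}..{3}" -f $Name, $Value, $range.Min, $range.Max)
        return $false
    }
    return $true
}

function Set-Http2Limit {
    # Write a validated DWORD; out-of-range input is refused before anything is touched.
    # Supports -WhatIf so a change can be previewed in a change-control window.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][uint32]$Value
    )
    if (-not (Test-Http2LimitValue -Name $Name -Value $Value)) { return }
    if (-not (Test-Path $HttpParams)) { New-Item -Path $HttpParams -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$HttpParams\$Name", "Set DWORD to $Value")) {
        Set-ItemProperty -Path $HttpParams -Name $Name -Value $Value -Type DWord
    }
}

# Usage: snapshot the current state, then preview a change without applying it.
Get-Http2Limit | Format-Table -AutoSize
Set-Http2Limit -Name Http2MaxPingsPerMinute -Value 0x1FF -WhatIf   # refused: 0x1FF exceeds 0xFF
```

Running `Get-Http2Limit` on a fleet gives a quick answer to the question the comments circle around (is this still needed, and is anything set at all), and keeping the ranges in one table means a typo in a hex value is caught before it reaches the registry. The script does not restart anything; whatever restart the advisory requires for HTTP.sys to pick up new values still has to be scheduled separately.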

0 Answers