Microsoft patches up DDoS flaw in IIS

News by Rene Millman

Microsoft has moved to patch a flaw in its Internet Information Server (IIS) webserver software that could enable hackers to launch DDoS attacks.

Microsoft has moved to patch a flaw in its Internet Information Server (IIS) webserver software that could enable hackers to launch DDoS attacks.

According to an advisory published by the software developer, an attack can be triggered when malicious HTTP/2 requests are sent to a Windows Server running Internet Information Services (IIS).

"This could temporarily cause the system CPU usage to spike to 100 percent until the malicious connections are killed by IIS," said the advisory. HTTP/2 is an improvement on the original HTTP standard that features multiplexing, header compression, prioritisation and protocol negotiation.

The problem lies in the Flow Control feature of the protocol and the way IIS handles it.  A flow-control scheme ensures that streams on the same connection do not destructively interfere with each other. Flow control is used for both individual streams and for the connection as a whole.

The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters.

"In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed," said the advisory.

The bug meant that hackers using botnets could take down IIS servers. To fix the bug, Microsoft has added the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. "These thresholds must be defined by the IIS administrator, they are not preset by Microsoft," said the advisory.

Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that mitigating this specific flaw can be achieved using a reverse proxy that correctly implements the HTTP/2 and using HTTP in the backend.

"However, that will not protect from volumetric or other application level DoS attacks. An always-on cloud or hybrid DDoS protection is not a luxury anymore if online businesses want to keep their services available. The fact is that today, everyone is a potential target for DDoS," he said.

Karsten Desler, CTO of Link11, told SC Media UK that IT professionals should always do a comprehensive risk assessment before they implement new features like HTTP/2 in order to avoid bad surprises.

"In this case, when the vulnerability is exposed already, affected organisations have two options. The first one might be to simply switch off the service until the patch is put in place. This is obviously a quite brutal approach and far from being ideal for the organisation. A much more elegant solution is to not let the malicious traffic reach the server in the first place. This can be achieved by setting up a load balancer or even better, by implementing a cloud-based solution, that is sophisticated enough to not let any DDoS traffic through," he said.

Desler said that with IT landscapes gaining complexity, all too often organisations find themselves flooded with alerts. As a result, it takes them too long to detect and mitigate cyber-threats.

"To meet today’s business requirements, organisations must rely on data analytics, machine learning and AI, to automatically detect and mitigate an attack. With a projected 3.5 million cyber-vacancies by 2021, throwing people at the problem is not going to solve the issue. It needs a much smarter approach," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews