Just like Windows 10, Windows 8, and Windows 7, the Windows Server operating systems can also run into problems. For instance, Windows Server systems running Internet Information Services (IIS) have been found vulnerable to denial of service attacks, and Microsoft has published a security advisory to explain the issue.
IIS (Internet Information Services) is an extensible web server released by Microsoft as an integral part of the Windows NT family. Recently, a vulnerability was reported in IIS. By taking advantage of it, a remote attacker can send a crafted HTTP/2 packet, which results in a Denial of Service condition on the targeted system.
IIS Resource Exhaustion DoS Attacks Discovered
Microsoft recently found that both Windows Server and Windows 10 systems running IIS (Internet Information Services) are vulnerable to DoS (Denial of Service) attacks. It then published a security advisory (ADV190005) on its Security Response Center describing the IIS resource exhaustion DoS attacks. The advisory explains that IIS servers running on the following systems are affected by this newly found issue:
- Windows Server 2016
- Windows Server Version 1709
- Windows Server Version 1803
- Various Windows 10 versions (1607, 1703, 1709, and 1803)
- More to be found…
What Happens after the IIS Resource Exhaustion Bug Is Found
When the IIS resource exhaustion bug is present, a remote attacker can easily trigger a DoS condition. The direct result is that system CPU usage jumps to 100% and does not drop until IIS finally closes the malicious connections. Attackers launch the denial of service attack against vulnerable Windows Servers by sending maliciously crafted HTTP/2 requests.
Microsoft described it at length in the ADV190005 security advisory:
The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.
Microsoft also made it clear in the advisory that, for the vulnerability reported by Gal Goldshtein of F5 Networks, no mitigation measures or solutions can be found right now. Yet it is highly recommended that users get the February non-security updates and install them properly on their computers.
Luckily, the security team in Redmond offers a mitigation measure: the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request has been added (once thresholds have been set on a Windows system running IIS, all the connections will be cut off at once). IIS administrators need to set the threshold levels after evaluating the environment and HTTP/2 protocol requirements of their systems; Microsoft will never configure them in advance.
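To make the advisory's description of SETTINGS frames and the idea of a threshold concrete, the following added example (not code from Microsoft or from the original article) parses a captured HTTP/2 byte stream and counts SETTINGS frames and parameters for one connection. The limit values, the function names, and the sample bytes are assumptions constructed for illustration; they are not the values IIS uses.

```python
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # RFC 7540 client connection preface
FRAME_SETTINGS, FLAG_ACK = 0x4, 0x1

# Constructed sample: one SETTINGS frame with three parameters, then a SETTINGS ACK.
SAMPLE = bytes.fromhex(
    "000012040000000000" "000300000064" "00040000ffff" "000500004000"
    "000000040100000000"
)


def iter_frames(data):
    """Yield (frame_type, flags, payload) for every complete frame in data."""
    pos = len(PREFACE) if data.startswith(PREFACE) else 0
    while pos + 9 <= len(data):
        # 9-byte frame header: 24-bit length, type, flags, reserved bit + stream id
        hi, lo, ftype, flags, _stream = struct.unpack_from(">BHBBI", data, pos)
        end = pos + 9 + ((hi << 16) | lo)
        if end > len(data):
            break  # truncated capture: ignore the partial frame
        yield ftype, flags, data[pos + 9:end]
        pos = end


def check_settings(data, per_frame=32, per_conn=256):
    """Count SETTINGS frames/parameters sent on one connection and flag excess.

    per_frame and per_conn are hypothetical limits chosen for this example.
    """
    frames = params = 0
    findings = []
    for ftype, flags, payload in iter_frames(data):
        if ftype != FRAME_SETTINGS or flags & FLAG_ACK:
            continue  # an ACK carries no parameters
        frames += 1
        if len(payload) % 6:
            findings.append(f"SETTINGS frame {frames}: length not a multiple of 6")
            continue
        count = len(payload) // 6  # each parameter is a 16-bit id + 32-bit value
        params += count
        if count > per_frame:
            findings.append(f"SETTINGS frame {frames}: {count} parameters (limit {per_frame})")
    if params > per_conn:
        findings.append(f"connection: {params} parameters (limit {per_conn})")
    return {"frames": frames, "params": params, "findings": findings}


if __name__ == "__main__":
    print(check_settings(SAMPLE, per_frame=2, per_conn=10))
```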
Please note:
- You are advised to visit the software manufacturer's website for details before installing the software.
- Generally, security updates for the products are provided by the vendor.
- After the updates have been applied successfully, IIS administrators still need to configure the HTTP/2 threshold limits.
Influences of IIS Resource Exhaustion DoS Attacks
There are mainly 2 influences caused by IIS resource exhaustion DoS attacks:
- Microsoft will add the corresponding registry entries on vulnerable Windows 10 versions to set the limits. A service restart or a server reboot is then essential before the system can read the newly added registry values.
- From July 2016 to March 2017, the WebDAV service, which is contained in all IIS distributions, was heavily affected by the zero-day in IIS 6.0 (since the attackers exploited all the Windows Servers in advance).