
In article https://support.microsoft.com/en-us/help/4491420/define-thresholds-on-the-number-of-http-2-settings-parameters-exchange, Microsoft describes two new Windows registry settings to address an issue in which a malicious HTTP/2 client can send so many HTTP/2 SETTINGS parameters that the server runs out of CPU.

The description for the Http2MaxSettingsPerMinute registry setting is:

If the number of settings parameters contained in multiple Settings frames received within a minute crosses "Http2MaxSettingsPerMinute" value, then connection is killed.

It's not clear to me whether this count ('number of settings parameters') is measured per connection, or across the entire server. That is, if I set the registry value for Http2MaxSettingsPerMinute to 100, and clients start 20 connections with 5 SETTINGS each in the period of a minute, will the 21st attempted connection within the minute be killed? Or would a connection only be killed if that single connection included the client sending over 100 SETTINGS within a minute?

Thanks!

Martin

M Herbener

1 Answer


You would have to ask Microsoft to be absolutely sure, but I’m definitely reading this as a per-connection limit.

The title of the post is (emphasis mine):

Define thresholds on the number of HTTP/2 Settings parameters exchanged over a connection

And if this was a server level setting I would expect this piece:

If the number of settings parameters contained in multiple Settings frames received within a minute crosses "Http2MaxSettingsPerMinute" value, then connection is killed.

to read like:

If the number of settings parameters contained in multiple Settings frames received within a minute crosses "Http2MaxSettingsPerMinute" value, then the connection that crossed that limit is killed.

Barry Pollard
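To make the two readings in the question concrete, here is an added example (not part of the original posts, and not Microsoft's HTTP.sys code) that counts SETTINGS parameters from constructed HTTP/2 frames under a per-connection key and under a server-wide key. The sliding 60-second window, reading "crosses" as strictly greater than the limit, and the names `SettingsLimiter` and `run_scenario` are assumptions.

```python
import struct
from collections import defaultdict, deque

SETTINGS = 0x4   # HTTP/2 SETTINGS frame type (RFC 9113, section 6.5)

def settings_frame(n_params):
    """Constructed sample: a SETTINGS frame on stream 0 with n_params entries."""
    payload = struct.pack(">HI", 0x3, 100) * n_params   # 6 bytes per parameter
    length = len(payload).to_bytes(3, "big")
    return length + bytes([SETTINGS, 0x0]) + (0).to_bytes(4, "big") + payload

def count_settings_params(frame):
    """Number of parameters in one frame; 0 for non-SETTINGS frames."""
    length, ftype = int.from_bytes(frame[:3], "big"), frame[3]
    if ftype != SETTINGS:
        return 0
    if length % 6 or len(frame) != 9 + length:
        raise ValueError("malformed SETTINGS frame")
    return length // 6

class SettingsLimiter:
    """Sliding-window parameter counter (hypothetical, not HTTP.sys code)."""
    def __init__(self, limit=100, window=60.0):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)   # key -> (timestamp, param count)

    def allow(self, key, frame, now):
        """False means the connection that sent this frame gets killed."""
        q = self.seen[key]
        q.append((now, count_settings_params(frame)))
        while q[0][0] <= now - self.window:   # drop entries older than window
            q.popleft()
        return sum(n for _, n in q) <= self.limit

def run_scenario(per_connection, connections=21, params_each=5):
    """The question's case: one connection per second, 5 parameters each."""
    limiter, killed = SettingsLimiter(), []
    for conn_id in range(1, connections + 1):
        key = conn_id if per_connection else "whole-server"
        if not limiter.allow(key, settings_frame(params_each), now=float(conn_id)):
            killed.append(conn_id)
    return killed

if __name__ == "__main__":
    print("per-connection count kills:", run_scenario(True))
    print("server-wide count kills:   ", run_scenario(False))
```

Under the per-connection reading no connection in the question's scenario is killed; only the server-wide reading would kill the 21st.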