Ensure that the appropriate Desync Mitigation mode is configured for your Amazon Application Load Balancers (ALBs) in order to protect your web applications from issues caused by HTTP Desync and to meet security and compliance requirements. The Application Load Balancer classifies each request based on its threat level, allows safe requests, and then mitigates risk as specified by the mitigation mode that you configure. The Desync Mitigation modes are "Defensive", "Strictest", and "Monitor". "Defensive" is the default mode because it provides durable, hands-free mitigation against HTTP Desync while maintaining the availability of your application. "Strictest" mode can be enforced if you need to ensure that your web application only sees requests that are RFC 7230 compliant. Lastly, you can choose "Monitor" mode if you want your load balancer to forward all requests it receives, regardless of classification, to the web application behind it. The suitable mitigation mode must be configured in the conformity rule settings, on the Trend Cloud One™ – Conformity account console.
HTTP Desync attacks exploit the way a chain of HTTP servers (front-end and back-end web servers) interprets consecutive requests. HTTP Desync attacks belong to a class of attacks known as HTTP request smuggling attacks. Request smuggling can make web applications vulnerable to request queue or cache poisoning, which could lead to credential hijacking or execution of unauthorized commands.
Audit
To determine the Desync Mitigation mode configured for your Application Load Balancers (ALBs), perform the following operations:
Remediation / Resolution
To configure the suitable (compliant) Desync Mitigation mode for your existing Amazon Application Load Balancers (ALBs), perform the following operations:
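The following script is an added example covering both the Audit and the Remediation / Resolution steps above; it is not Conformity's own implementation. It evaluates the JSON printed by the `describe-load-balancer-attributes` command listed in the references (the ALB attribute key is `routing.http.desync_mitigation_mode`, with values `monitor`, `defensive` and `strictest`) and builds the matching `modify-load-balancer-attributes` call. The function names (`audit`, `audit_live`, `remediation_command`), the sample attribute list and the load balancer ARN used in the usage line are constructed for this example.

```python
"""Audit and remediate the Desync Mitigation mode of an Application Load Balancer.

Hypothetical helper written for this page, not Conformity's or AWS's own code.
It evaluates the JSON returned by `aws elbv2 describe-load-balancer-attributes`
and, when a load balancer is non-compliant, builds the
`aws elbv2 modify-load-balancer-attributes` call that sets the required mode.
"""
import json
import subprocess
import sys

# Attribute key and accepted values used by Application Load Balancers.
DESYNC_ATTR = "routing.http.desync_mitigation_mode"
VALID_MODES = ("monitor", "defensive", "strictest")

# Constructed sample in the shape of `describe-load-balancer-attributes` output.
SAMPLE_ATTRIBUTES = [
    {"Key": "access_logs.s3.enabled", "Value": "false"},
    {"Key": DESYNC_ATTR, "Value": "monitor"},
    {"Key": "deletion_protection.enabled", "Value": "false"},
]
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"Attributes": SAMPLE_ATTRIBUTES})


def desync_mode(attributes):
    """Return the configured mode from a list of {"Key": ..., "Value": ...} dicts.

    If the attribute is absent, assume the ALB default, "defensive".
    """
    for attr in attributes:
        if attr.get("Key") == DESYNC_ATTR:
            return attr.get("Value", "").lower()
    return "defensive"


def audit(describe_output, required_mode):
    """Evaluate one load balancer's attributes against the required mode.

    `describe_output` is the JSON text printed by
    `aws elbv2 describe-load-balancer-attributes --load-balancer-arn <ARN>`.
    """
    required = required_mode.lower()
    if required not in VALID_MODES:
        raise ValueError(f"unknown desync mitigation mode: {required_mode!r}")
    mode = desync_mode(json.loads(describe_output).get("Attributes", []))
    return {"mode": mode, "required": required, "compliant": mode == required}


def remediation_command(load_balancer_arn, required_mode):
    """Build the argv of the CLI call that enforces the required mode."""
    required = required_mode.lower()
    if required not in VALID_MODES:
        raise ValueError(f"unknown desync mitigation mode: {required_mode!r}")
    return [
        "aws", "elbv2", "modify-load-balancer-attributes",
        "--load-balancer-arn", load_balancer_arn,
        "--attributes", f"Key={DESYNC_ATTR},Value={required}",
    ]


def audit_live(load_balancer_arn, required_mode, region=None):
    """Run the real describe call for one ALB (needs the AWS CLI and credentials)."""
    cmd = ["aws", "elbv2", "describe-load-balancer-attributes",
           "--load-balancer-arn", load_balancer_arn, "--output", "json"]
    if region:
        cmd += ["--region", region]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return audit(out, required_mode)


if __name__ == "__main__":
    # Usage: python alb_desync.py <required-mode> [<load-balancer-arn> ...]
    # With no ARN given, only the constructed sample is evaluated.
    required = sys.argv[1] if len(sys.argv) > 1 else "defensive"
    arns = sys.argv[2:]
    if not arns:
        print("sample:", audit(SAMPLE_DESCRIBE_OUTPUT, required))
    for arn in arns:
        result = audit_live(arn, required)
        print(arn, result)
        if not result["compliant"]:
            print("  fix:", " ".join(remediation_command(arn, required)))
```

Collect the ARNs to pass on the command line from `aws elbv2 describe-load-balancers` (filter on `Type` equal to `application`); the script only prints the remediation command rather than executing it, so the change to a load balancer stays an explicit, reviewable step.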
References
- AWS Documentation
  - Elastic Load Balancing FAQs
  - Application Load Balancers
- AWS Command Line Interface (CLI) Documentation
  - describe-load-balancers
  - describe-load-balancer-attributes
  - modify-load-balancer-attributes