Configure HTTP Desync Mitigation Mode for Application Load Balancers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the appropriate Desync Mitigation mode is configured for your Amazon Application Load Balancers (ALBs) in order to protect your web applications from issues caused by HTTP Desync and to meet security and compliance requirements. The Application Load Balancer classifies each request based on its threat level, allows safe requests, and mitigates risk as specified by the mitigation mode that you configure. The Desync Mitigation modes are "Defensive", "Strictest", and "Monitor". "Defensive" is the default mode because it provides durable, hands-free mitigation against HTTP Desync while maintaining the availability of your application. The "Strictest" mode can be enforced if you need to ensure that your web application only sees requests that are RFC 7230 compliant. Lastly, you can choose the "Monitor" mode if you want your load balancer to forward all requests it receives, regardless of classification, to the web application behind it. The suitable mitigation mode must be configured in the conformity rule settings, on the Trend Cloud One™ – Conformity account console.

Security

HTTP Desync attacks exploit the way a chain of HTTP servers (front-end and back-end web servers) interpret consecutive requests. They belong to a class of attacks known as HTTP request smuggling. Request smuggling can expose web applications to request queue or cache poisoning, which could lead to credential hijacking or execution of unauthorized commands.


Audit

To determine the Desync Mitigation mode configured for your Application Load Balancers (ALBs), perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Configure Desync Mitigation Mode for Application Load Balancers conformity rule settings, and identify the preferred Desync Mitigation mode configured for your AWS cloud account.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

04 In the main navigation panel, under Load Balancing, choose Load Balancers.

05 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.

06 Select the Application Load Balancer (ALB) that you want to examine.

07 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

08 In the Attributes section, check the mitigation mode configured for the Desync mitigation mode setting. If the mitigation mode configured for the load balancer is not the one defined in the conformity rule settings, identified at step no. 1, the Desync Mitigation configuration set for the selected Application Load Balancer (ALB) is not compliant.

09 Repeat steps no. 6 – 8 for each Application Load Balancer deployed within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Configure Desync Mitigation Mode for Application Load Balancers conformity rule settings and identify the preferred Desync Mitigation mode configured for your AWS cloud account.

02 Run the describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Application Load Balancers (ALBs) available in the selected AWS region:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn'

03 The command output should return an array with the requested load balancer ARN(s):

[
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-project5-web-alb/abcdabcdabcdabcd",
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-app-alb/abcd1234abcd1234"
]

04 Run the describe-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer (ALB) that you want to examine as the identifier parameter and custom query filters to describe the Desync Mitigation mode configured for the selected load balancer:

aws elbv2 describe-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-project5-web-alb/abcdabcdabcdabcd \
  --query 'Attributes[?(Key == `routing.http.desync_mitigation_mode`)].Value | []'

05 The command output should return the name of the configured mitigation mode:

[
	"monitor"
]

If the mitigation mode returned by the describe-load-balancer-attributes command differs from the one defined in the conformity rule settings, identified at step no. 1, the Desync Mitigation configuration set for the selected Application Load Balancer (ALB) is not compliant.

06 Repeat steps no. 4 and 5 for each Application Load Balancer available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
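The CLI audit above, scripted for a whole account as an added example (not part of the Conformity page): it reuses the two commands from steps 02 and 04 across every application load balancer in each region you list, compares each configured mode with the rule's setting read from an assumed EXPECTED_MODE variable, and flags mismatches and unset values.

```shell
#!/bin/sh
# Added example (not from the Conformity page): audit the Desync Mitigation mode of
# every Application Load Balancer in the given regions against the mode selected in
# the Conformity rule settings, passed in EXPECTED_MODE (an assumed variable name).
set -eu

# Reduce the JSON array printed by `describe-load-balancer-attributes --query`
# (for example '["monitor"]') to the bare mode name; modes are lowercase words.
extract_mode() {
  printf '%s' "$1" | tr -cd 'a-z'
}

# Compare one load balancer's configured mode with the mode the rule requires.
# Prints a one-line verdict and returns 0 (compliant) or 1 (non-compliant).
check_mode() {
  arn=$1; configured=$2; expected=$3
  if [ "$configured" = "$expected" ]; then
    printf 'COMPLIANT      %s (%s)\n' "$arn" "$configured"
    return 0
  fi
  printf 'NON-COMPLIANT  %s (configured: %s, expected: %s)\n' \
    "$arn" "${configured:-<unset>}" "$expected"
  return 1
}

# Apply steps 02 to 06 of the CLI audit to every application load balancer in one
# region; this is the only function that calls the AWS CLI.
audit_region() {
  region=$1; expected=$2; rc=0
  arns=$(aws elbv2 describe-load-balancers --region "$region" \
           --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn' \
           --output text)
  for arn in $arns; do   # ARNs contain no whitespace, so word splitting is safe
    raw=$(aws elbv2 describe-load-balancer-attributes --region "$region" \
            --load-balancer-arn "$arn" \
            --query 'Attributes[?(Key == `routing.http.desync_mitigation_mode`)].Value | []' \
            --output json)
    check_mode "$arn" "$(extract_mode "$raw")" "$expected" || rc=1
  done
  return $rc
}

# Usage: EXPECTED_MODE=defensive sh alb_desync_audit.sh us-east-1 eu-west-1
# With no regions given, nothing is queried. A warning is printed if any check fails.
status=0
for region in "$@"; do
  audit_region "$region" "${EXPECTED_MODE:-defensive}" || status=1
done
[ "$status" -eq 0 ] || echo 'one or more load balancers are non-compliant' >&2
```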

Remediation / Resolution

To configure the suitable (compliant) Desync Mitigation mode for your existing Amazon Application Load Balancers (ALBs), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"ApplicationLoadBalancer": {
			"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
			"Properties": {
				"Name": "cc-app-load-balancer",
				"Type": "application",
				"Scheme": "internet-facing",
				"IpAddressType": "ipv4",
				"Subnets": [
					"subnet-01234abcd1234abcd",
					"subnet-0abcd1234abcd1234"
				],
				"SecurityGroups": [
					"sg-0abcd1234abcd1234",
					"sg-01234abcd1234abcd"
				],
				"LoadBalancerAttributes": [
					{
						"Key": "routing.http.desync_mitigation_mode",
						"Value": "strictest"
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-app-load-balancer
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
      SecurityGroups:
        - sg-0abcd1234abcd1234
        - sg-01234abcd1234abcd
      LoadBalancerAttributes:
        - Key: routing.http.desync_mitigation_mode
          Value: strictest

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
	name                       = "cc-app-load-balancer"
	load_balancer_type         = "application"
	internal                   = false
	ip_address_type            = "ipv4"
	subnets                    = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]
	security_groups            = ["sg-0abcd1234abcd1234","sg-01234abcd1234abcd"]
	desync_mitigation_mode     = "strictest"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.

05 Select the Application Load Balancer (ALB) that you want to reconfigure.

06 Select the Description tab and click on the Edit attributes button available in the Attributes section.

07 In the Edit load balancer attributes configuration box, select the compliant mitigation mode, defined in the conformity rule settings, for the Desync mitigation mode. Choose Save to apply the changes.

08 Repeat steps no. 5 – 7 for each Application Load Balancer that you want to reconfigure, available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the modify-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer (ALB) that you want to reconfigure as the identifier parameter, to configure the compliant Desync Mitigation mode, defined in the conformity rule settings, for the selected load balancer. The following command example sets the strictest mitigation mode for a load balancer identified by the ARN "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-project5-web-alb/abcdabcdabcdabcd":

aws elbv2 modify-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-project5-web-alb/abcdabcdabcdabcd \
  --attributes Key=routing.http.desync_mitigation_mode,Value=strictest

02 The command output should return the configuration attributes available for the modified load balancer:

{
	"Attributes": [
		{
			"Value": "strictest",
			"Key": "routing.http.desync_mitigation_mode"
		},
		{
			"Value": "false",
			"Key": "access_logs.s3.enabled"
		},
		{
			"Value": "",
			"Key": "access_logs.s3.bucket"
		},
		{
			"Value": "",
			"Key": "access_logs.s3.prefix"
		},
		{
			"Value": "60",
			"Key": "idle_timeout.timeout_seconds"
		},
		{
			"Value": "false",
			"Key": "deletion_protection.enabled"
		},
		{
			"Value": "true",
			"Key": "routing.http2.enabled"
		},
		{
			"Value": "false",
			"Key": "routing.http.drop_invalid_header_fields.enabled"
		}
	]
}

03 Repeat steps no. 1 and 2 for each Application Load Balancer that you want to reconfigure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Nov 27, 2023