Description:
An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply and then selects a target from the target group for the rule action.
Rationale:
This rule checks whether AWS Application Load Balancers (ALB) are configured to drop invalid HTTP headers. The rule is NON_COMPLIANT if the value of routing.http.drop_invalid_header_fields.enabled is set to false.
It is supported in all regions except Asia Pacific (Osaka), Europe (Milan) and Africa (Cape Town).
Impact:
Enabling Drop invalid header fields on an ALB helps protect against DDoS attacks: a request carrying an invalid HTTP header is dropped by the load balancer instead of being forwarded, so your services do not go down.
Default Value:
By default, an Application Load Balancer does not drop invalid header fields (routing.http.drop_invalid_header_fields.enabled is false).
When you create an ALB for HTTP, the default attribute value is shown below.
Audit:
Step 1: Log in to AWS Management Console and go to EC2 at https://console.aws.amazon.com/ec2
Step 2: In the EC2 Dashboard, scroll down and go to Load Balancing in the left navigation pane.
Step 3: Click on Load Balancers
Step 4: To audit, select your Load Balancer
Step 5: In the Description tab of the selected Load Balancer, scroll down and go to Attributes
Step 6: In Attributes, you can see Drop invalid header fields
If Drop invalid header fields is disabled, follow the implementation steps to enable it.
Via CLI:
To describe the attributes of a load balancer:
aws elbv2 describe-load-balancer-attributes \
--load-balancer-arn \
arn:aws:elasticloadbalancing:<region>:<account id>:loadbalancer/app/<name of load balancer>/50dc6c495c0c9188
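The same audit as a script, applied to every ALB in a region rather than one ARN at a time. This is an added example, not code from the original page; it assumes boto3 is installed and that AWS credentials with elasticloadbalancing:Describe* permissions are available. The evaluation function mirrors the rule's logic and treats a missing attribute as the AWS default (false).

```python
"""Audit ALBs for routing.http.drop_invalid_header_fields.enabled."""
from typing import Dict, List

ATTR = "routing.http.drop_invalid_header_fields.enabled"

# Constructed sample of the "Attributes" list returned by
# describe-load-balancer-attributes for an ALB left at the default.
SAMPLE_ATTRIBUTES = [
    {"Key": ATTR, "Value": "false"},
    {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
]


def evaluate_attributes(attributes: List[Dict[str, str]]) -> str:
    """Return COMPLIANT or NON_COMPLIANT for one ALB's attribute list.

    `attributes` has the shape returned by
    `aws elbv2 describe-load-balancer-attributes`: [{"Key": ..., "Value": ...}].
    """
    values = {a["Key"]: a["Value"] for a in attributes}
    # An absent attribute is treated as the AWS default (false).
    enabled = values.get(ATTR, "false").strip().lower() == "true"
    return "COMPLIANT" if enabled else "NON_COMPLIANT"


def audit_region(region: str) -> Dict[str, str]:
    """Evaluate every Application Load Balancer in `region`.

    Network and Gateway load balancers are skipped because the attribute
    only applies to ALBs; Classic Load Balancers are not listed by elbv2.
    """
    import boto3  # imported lazily so evaluate_attributes() works offline

    elbv2 = boto3.client("elbv2", region_name=region)
    results: Dict[str, str] = {}
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            if lb["Type"] != "application":
                continue
            arn = lb["LoadBalancerArn"]
            attrs = elbv2.describe_load_balancer_attributes(
                LoadBalancerArn=arn)["Attributes"]
            results[arn] = evaluate_attributes(attrs)
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live audit: python alb_audit.py <region>
        for arn, status in audit_region(sys.argv[1]).items():
            print(f"{status:14} {arn}")
    else:  # offline demonstration on the constructed sample
        print(evaluate_attributes(SAMPLE_ATTRIBUTES))  # NON_COMPLIANT
```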
Remediation:
Pre-Requisite:
Before implementation, make sure you have at least one Application Load Balancer in your AWS account.
If you have both Classic and Application Load Balancers, apply this only to the Application Load Balancers.
Implementation Steps:
Step 1: Log in to AWS Management Console and go to EC2 at https://console.aws.amazon.com/ec2
Step 2: In the EC2 Dashboard, scroll down and go to Load Balancing in the left navigation pane.
Step 3: Click on Load Balancers
Step 4: To enable Drop invalid header fields, select your Load Balancer
Step 5: In the Description tab of the selected Load Balancer, scroll down and go to Attributes
Step 6: Click on the Edit attributes button
Step 7: In Edit load balancer attributes, select the Drop invalid header fields check box to enable it
Step 8: Click on the Save button
Via CLI:
To enable Drop invalid header fields, modify the load balancer attribute
routing.http.drop_invalid_header_fields.enabled (no space after the comma in the shorthand value, or the CLI reads Value=true as a separate argument):
aws elbv2 modify-load-balancer-attributes \
--load-balancer-arn \
arn:aws:elasticloadbalancing:<region>:123456789012:loadbalancer/app/<name_your_load_balancer>/50dc6c495c0c9188 \
--attributes Key=routing.http.drop_invalid_header_fields.enabled,Value=true
Backout Plan:
Step 1: Log in to AWS Management Console and go to EC2 at https://console.aws.amazon.com/ec2
Step 2: In the EC2 Dashboard, scroll down and go to Load Balancing in the left navigation pane.
Step 3: Click on Load Balancers
Step 4: To disable Drop invalid header fields, select your Load Balancer
Step 5: In the Description tab of the selected Load Balancer, scroll down and go to Attributes
Step 6: Click on the Edit attributes button
Step 7: In Edit load balancer attributes, clear the Drop invalid header fields check box to disable it
Step 8: Click on the Save button
Via CLI:
To disable Drop invalid header fields, set the same attribute
routing.http.drop_invalid_header_fields.enabled back to false (there is no ".disabled" attribute key):
aws elbv2 modify-load-balancer-attributes \
--load-balancer-arn \
arn:aws:elasticloadbalancing:<region>:123456789012:loadbalancer/app/<name_your_load_balancer>/50dc6c495c0c9188 \
--attributes Key=routing.http.drop_invalid_header_fields.enabled,Value=false
Reference: