Description:

An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply and then selects a target from the target group for the rule action.

Rationale:

This check evaluates AWS Application Load Balancers (ALBs) to ensure they are configured to drop invalid HTTP header fields. The rule (the AWS Config managed rule alb-http-drop-invalid-header-enabled) is NON_COMPLIANT if the value of routing.http.drop_invalid_header_fields.enabled is set to false.

The rule is supported in all Regions except Asia Pacific (Osaka), Europe (Milan) and Africa (Cape Town).

Impact:

When Drop invalid header fields is enabled, the ALB removes any HTTP header whose field name is not valid (Elastic Load Balancing accepts only alphanumeric characters and hyphens in header names) before forwarding the request to the targets; the request itself is still forwarded. This prevents HTTP desync (request smuggling) attacks, in which a malformed header is interpreted one way by the load balancer and another way by the target behind it. It is not a DDoS control. Be aware that an application relying on non-standard header names (for example names containing underscores) will stop receiving those headers once the attribute is enabled, so verify any custom headers before turning it on in production.

Default Value:

By default the attribute is disabled: a newly created Application Load Balancer has routing.http.drop_invalid_header_fields.enabled set to false, so invalid header fields are forwarded to the targets. The attribute exists only on Application Load Balancers; Classic and Network Load Balancers do not have it.


Audit:

Step 1: Log in to AWS Management Console and go to EC2 at https://console.aws.amazon.com/ec2

Step 2: In the EC2 dashboard, scroll down to Load Balancing in the left navigation pane.

Step 3: Click Load Balancers.

Step 4: Select the Load Balancer you want to audit.

Step 5: In the Description tab of the selected Load Balancer, scroll down to Attributes.

Step 6: Under Attributes, check the value of Drop invalid header fields.

If Drop invalid header fields is disabled, follow the implementation steps under Remediation to enable it.


Via CLI:

To describe the load balancer attributes and check the value of routing.http.drop_invalid_header_fields.enabled:

aws elbv2 describe-load-balancer-attributes \
    --load-balancer-arn \
    arn:aws:elasticloadbalancing:<region>:<account-id>:loadbalancer/app/<name-of-load-balancer>/50dc6c495c0c9188


Remediation:

Pre-Requisite:

  1. Before implementation, make sure you have at least one Application Load Balancer in your AWS account.

  2. If you have both Classic and Application Load Balancers, apply this only to the Application Load Balancers; the attribute does not exist on Classic Load Balancers.

Implementation Steps:

Step 1: Log in to AWS Management Console and go to EC2 at https://console.aws.amazon.com/ec2

Step 2: In the EC2 dashboard, scroll down to Load Balancing in the left navigation pane.

Step 3: Click Load Balancers.

Step 4: Select the Load Balancer on which you want to enable Drop invalid header fields.

Step 5: In the Description tab of the selected Load Balancer, scroll down to Attributes.

Step 6: Click the Edit attributes button.

Step 7: In Edit load balancer attributes, select the Drop invalid header fields check box.

Step 8: Click the Save button.

Via CLI:

To enable Drop invalid header fields, set the load balancer attribute

routing.http.drop_invalid_header_fields.enabled

to true. There must be no space after the comma in the --attributes shorthand; with a space the CLI treats Value=true as a separate, unknown argument.

aws elbv2 modify-load-balancer-attributes \
--load-balancer-arn \
arn:aws:elasticloadbalancing:<region>:123456789012:loadbalancer/app/<name_your_load_balancer>/50dc6c495c0c9188 \
--attributes Key=routing.http.drop_invalid_header_fields.enabled,Value=true
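The following script is an added example and is not code from the original page or from AWS. It performs the same audit as the describe-load-balancer-attributes command above and the same remediation as the modify-load-balancer-attributes command, using the boto3 elbv2 client methods that correspond to those CLI calls. The client is injected so the logic also runs offline against the constructed FakeElbv2 class; the ARNs, load balancer names and hex suffixes in it are made up, and treating a missing attribute as the default value false is an assumption of the example rather than documented API behaviour.

```python
"""Audit and remediate routing.http.drop_invalid_header_fields.enabled on ALBs.

Added example, not code from the original page. It mirrors the rule's logic
(NON_COMPLIANT when the attribute is false) and issues the same elbv2 API
calls as the CLI commands above. The client is injected so the logic runs
offline against the constructed FakeElbv2 below; pass a real boto3 client
(boto3.client("elbv2")) to audit the Region you are signed in to.
"""
import json
import sys

ATTRIBUTE = "routing.http.drop_invalid_header_fields.enabled"

# Constructed sample ARNs (account id, names and hex suffixes are made up).
ALB_COMPLIANT_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                     "loadbalancer/app/alb-compliant/0123456789abcdef")
ALB_LEGACY_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                  "loadbalancer/app/alb-legacy/fedcba9876543210")
NLB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
           "loadbalancer/net/nlb-ignored/00112233445566aa")


def evaluate_attributes(attributes):
    """Return COMPLIANT or NON_COMPLIANT for one DescribeLoadBalancerAttributes result.

    Assumption: a missing attribute is treated as the AWS default (false),
    so the result is NON_COMPLIANT rather than an exception.
    """
    value = "false"
    for attr in attributes:
        if attr.get("Key") == ATTRIBUTE:
            value = str(attr.get("Value", "false")).lower()
    return "COMPLIANT" if value == "true" else "NON_COMPLIANT"


def list_application_load_balancers(elbv2):
    """Yield only Type == 'application'; NLBs and GWLBs do not carry this attribute."""
    marker = None
    while True:
        page = elbv2.describe_load_balancers(**({"Marker": marker} if marker else {}))
        for lb in page.get("LoadBalancers", []):
            if lb.get("Type") == "application":
                yield lb
        marker = page.get("NextMarker")
        if not marker:
            break


def audit(elbv2):
    """Map every ALB ARN visible to the client to COMPLIANT / NON_COMPLIANT."""
    report = {}
    for lb in list_application_load_balancers(elbv2):
        arn = lb["LoadBalancerArn"]
        resp = elbv2.describe_load_balancer_attributes(LoadBalancerArn=arn)
        report[arn] = evaluate_attributes(resp.get("Attributes", []))
    return report


def remediate(elbv2, arn, enabled=True):
    """Set the attribute (enabled=False is the backout) and re-read it to confirm."""
    elbv2.modify_load_balancer_attributes(
        LoadBalancerArn=arn,
        Attributes=[{"Key": ATTRIBUTE, "Value": "true" if enabled else "false"}],
    )
    resp = elbv2.describe_load_balancer_attributes(LoadBalancerArn=arn)
    return evaluate_attributes(resp["Attributes"])


class FakeElbv2:
    """Constructed stand-in for the boto3 elbv2 client: two ALBs and one NLB."""

    def __init__(self):
        self.load_balancers = [
            {"LoadBalancerArn": ALB_COMPLIANT_ARN, "LoadBalancerName": "alb-compliant", "Type": "application"},
            {"LoadBalancerArn": ALB_LEGACY_ARN, "LoadBalancerName": "alb-legacy", "Type": "application"},
            {"LoadBalancerArn": NLB_ARN, "LoadBalancerName": "nlb-ignored", "Type": "network"},
        ]
        self.attributes = {
            ALB_COMPLIANT_ARN: {ATTRIBUTE: "true"},
            ALB_LEGACY_ARN: {ATTRIBUTE: "false"},  # the AWS default
        }

    def describe_load_balancers(self, **kwargs):
        return {"LoadBalancers": list(self.load_balancers)}  # single page, no NextMarker

    def describe_load_balancer_attributes(self, LoadBalancerArn):
        attrs = self.attributes[LoadBalancerArn]
        return {"Attributes": [{"Key": k, "Value": v} for k, v in attrs.items()]}

    def modify_load_balancer_attributes(self, LoadBalancerArn, Attributes):
        self.attributes[LoadBalancerArn].update({a["Key"]: a["Value"] for a in Attributes})
        return self.describe_load_balancer_attributes(LoadBalancerArn)


if __name__ == "__main__":
    try:
        import boto3
        client = boto3.client("elbv2")  # needs elasticloadbalancing:Describe* (and Modify* for --fix)
    except ImportError:
        client = FakeElbv2()  # offline demonstration on the constructed data
    report = audit(client)
    print(json.dumps(report, indent=2))
    if "--fix" in sys.argv:
        for arn, status in report.items():
            if status == "NON_COMPLIANT":
                print(arn, "->", remediate(client, arn))
```

Run without arguments to print the audit report (against the constructed data when boto3 is not installed; against the configured account and Region, with valid credentials, when it is), and with --fix to enable the attribute on every NON_COMPLIANT ALB. remediate() re-reads the attribute after writing it, so a successful call returns COMPLIANT rather than trusting the modify response.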


Backout Plan:

Step 1: Log in to AWS Management Console and go to EC2 at https://console.aws.amazon.com/ec2

Step 2: In the EC2 dashboard, scroll down to Load Balancing in the left navigation pane.

Step 3: Click Load Balancers.

Step 4: Select the Load Balancer on which you want to disable Drop invalid header fields.

Step 5: In the Description tab of the selected Load Balancer, scroll down to Attributes.

Step 6: Click the Edit attributes button.

Step 7: In Edit load balancer attributes, clear the Drop invalid header fields check box.

Step 8: Click the Save button.

Via CLI:

To disable Drop invalid header fields, set the same load balancer attribute

routing.http.drop_invalid_header_fields.enabled

back to false (there is no separate "disabled" attribute key; the only key is the one above, and again no space is allowed after the comma):

aws elbv2 modify-load-balancer-attributes \
--load-balancer-arn \
arn:aws:elasticloadbalancing:<region>:123456789012:loadbalancer/app/<name_your_load_balancer>/50dc6c495c0c9188 \
--attributes Key=routing.http.drop_invalid_header_fields.enabled,Value=false


Reference: