Description:
Desync mitigation mode protects your application from HTTP desync, also known as HTTP request smuggling. A desync occurs when the load balancer and the backend disagree about where one HTTP request ends and the next begins, typically because a request carries conflicting or malformed Content-Length and Transfer-Encoding headers. An attacker who can trigger such a disagreement can smuggle a request that the backend processes as if it belonged to another client's connection. Configuring your Application Load Balancer (ALB) with the defensive or strictest desync mitigation mode blocks the requests that carry this risk.
Rationale:
HTTP desync is a serious vulnerability. A smuggled request can bypass security controls that are enforced only at the load balancer (such as path-based access rules or WAF inspection), poison responses that are delivered to other clients, or capture headers and cookies from other users' requests. By configuring your ALB with defensive or strictest desync mitigation mode, you have the ALB classify every request against RFC 7230 and block the ones that could cause a desync before they reach your backends.
Impact:
If you leave your ALB in monitor mode, every request is forwarded to your backends regardless of how it is classified, and your application is exposed to HTTP desync attacks. This could lead to bypass of front-end security controls, theft of other users' session data, cache or response poisoning, or disruption of your application. Moving to strictest mode can also have an availability impact: legitimate clients that send requests that do not fully comply with RFC 7230 will be rejected, so test strictest mode with representative traffic before rolling it out.
Default Value:
The default desync mitigation mode for ALBs is defensive. The ALB classifies each request as Compliant, Acceptable, Ambiguous, or Severe. In defensive mode the ALB forwards Compliant, Acceptable, and Ambiguous requests (for Ambiguous requests it closes the client and target connections after forwarding) and blocks Severe requests with an HTTP 400. In strictest mode it forwards only requests that fully comply with RFC 7230 and blocks everything else. In monitor mode it forwards all requests and only records the classification in the access logs.
Pre-requisites:
- You must have access to the AWS Management Console or the AWS CLI, with IAM permissions for elasticloadbalancing:DescribeLoadBalancerAttributes and elasticloadbalancing:ModifyLoadBalancerAttributes on the load balancer.
- You must know the name of the ALB that you want to configure, and its ARN if you use the AWS CLI (the elbv2 commands take --load-balancer-arn, not a name).
Remediation Steps:
To configure your ALB with defensive or strictest desync mitigation mode, follow these steps:
- Log in to the AWS Management Console.
- Open the Amazon EC2 console and choose Load Balancers in the navigation pane.
- Select the ALB that you want to configure.
- Click the Attributes tab and choose Edit.
- Under Packet handling, find the Desync mitigation mode option.
- Select Defensive or Strictest.
- Click Save changes.
Test Plan:
A successful request does not prove the mode is set, because all three modes forward compliant requests. To test the configuration, open the ALB's Attributes tab (or run aws elbv2 describe-load-balancer-attributes against the ALB ARN) and confirm that routing.http.desync_mitigation_mode reads defensive or strictest. Then send an ordinary, RFC 7230-compliant request to the ALB and confirm it still succeeds, which shows the change did not break normal traffic. If ALB access logging is enabled, the classification and classification_reason fields of each log entry show how the ALB classified the request, which is the quickest way to see whether real client traffic would be blocked by strictest mode before you enable it.
Implementation Plan:
The implementation plan for this policy is as follows:
- The policy will be implemented by the AWS Security team.
- The policy will be implemented in the next quarterly security patch release.
- The policy will be communicated to all affected users in advance of the implementation date.
AWS CLI Process:
To configure desync mitigation mode using the AWS CLI, use the elbv2 command set (the elb command set applies only to Classic Load Balancers). The mode is an ALB attribute named routing.http.desync_mitigation_mode with the value monitor, defensive, or strictest:
aws elbv2 modify-load-balancer-attributes --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/0123456789abcdef --attributes Key=routing.http.desync_mitigation_mode,Value=defensive
To verify the change, run aws elbv2 describe-load-balancer-attributes with the same --load-balancer-arn and check the value of that attribute.
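The following script is an added example for the Test Plan and AWS CLI Process sections above; it is not part of the original page and is not AWS-provided tooling. It parses the JSON that aws elbv2 describe-load-balancer-attributes prints (assuming the CLI's layout in which "Key" precedes "Value" inside each attribute object), decides whether the mode satisfies this policy, and prints the remediation command for any ALB still in monitor mode or with the attribute missing. The ARN and attribute values in SAMPLE_JSON are constructed, and ALB_AUDIT_LIVE is the script's own switch for running against a real account.

```shell
#!/bin/sh
# Added example (not AWS code): audit ALB desync mitigation mode and print the
# remediation command for non-compliant load balancers. Uses sed, not jq.

# desync_mode_from_json JSON
# Extract routing.http.desync_mitigation_mode from describe-load-balancer-attributes
# output. Assumes "Key" precedes "Value" in each object, as the AWS CLI prints.
# Prints the mode (monitor|defensive|strictest) or "unset" if the key is absent.
desync_mode_from_json() {
  mode=$(printf '%s' "$1" | tr -d '\n\r' |
    sed -n 's/.*"Key":[[:space:]]*"routing\.http\.desync_mitigation_mode",[[:space:]]*"Value":[[:space:]]*"\([a-z]*\)".*/\1/p')
  if [ -n "$mode" ]; then
    printf '%s\n' "$mode"
  else
    printf 'unset\n'
  fi
}

# is_compliant_mode MODE -> exit status 0 only for the modes this policy allows.
is_compliant_mode() {
  case "$1" in
    defensive|strictest) return 0 ;;
    *) return 1 ;;
  esac
}

# remediation_command ARN MODE -> the CLI command that sets MODE on ARN.
remediation_command() {
  printf 'aws elbv2 modify-load-balancer-attributes --load-balancer-arn %s --attributes Key=routing.http.desync_mitigation_mode,Value=%s\n' "$1" "$2"
}

# evaluate_alb ARN JSON -> prints one audit line; returns 1 when non-compliant.
# A missing attribute is treated as non-compliant rather than assumed defensive.
evaluate_alb() {
  arn=$1
  mode=$(desync_mode_from_json "$2")
  if is_compliant_mode "$mode"; then
    printf 'OK            %s  mode=%s\n' "$arn" "$mode"
    return 0
  fi
  printf 'NON-COMPLIANT %s  mode=%s\n' "$arn" "$mode"
  printf '  remediate with: '
  remediation_command "$arn" defensive
  return 1
}

# audit_account: live audit of every ALB in the configured region. Needs
# elasticloadbalancing:DescribeLoadBalancers and DescribeLoadBalancerAttributes.
audit_account() {
  arns=$(aws elbv2 describe-load-balancers \
    --query 'LoadBalancers[?Type==`application`].LoadBalancerArn' --output text)
  for arn in $arns; do
    json=$(aws elbv2 describe-load-balancer-attributes --load-balancer-arn "$arn" --output json)
    evaluate_alb "$arn" "$json" || true
  done
}

# Constructed sample (not captured from a real account) in the CLI's JSON shape.
SAMPLE_JSON='{
    "Attributes": [
        { "Key": "access_logs.s3.enabled", "Value": "false" },
        { "Key": "routing.http.desync_mitigation_mode", "Value": "monitor" },
        { "Key": "idle_timeout.timeout_seconds", "Value": "60" }
    ]
}'
SAMPLE_ARN="arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/0123456789abcdef"

# Offline demonstration on the constructed sample; ALB_AUDIT_LIVE=1 runs the
# real audit instead.
if [ "${ALB_AUDIT_LIVE:-0}" = 1 ]; then
  audit_account
else
  evaluate_alb "$SAMPLE_ARN" "$SAMPLE_JSON" || true
fi
```

Run it as-is to see the sample ALB reported as NON-COMPLIANT with the exact modify-load-balancer-attributes command to fix it; run it with ALB_AUDIT_LIVE=1 and valid credentials to audit the current region. The script only prints remediation commands rather than applying them, so the change can be reviewed per load balancer before strictest or defensive mode is set.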
Using AWS GUI:
The console procedure is the one listed under Remediation Steps above.
Backout Plan:
If the new mode causes legitimate requests to be rejected, roll back by restoring the previously configured mode (not necessarily Monitor; if the ALB was in the default Defensive mode before a move to Strictest, restore Defensive):
- Log in to the AWS Management Console.
- Open the Amazon EC2 console and choose Load Balancers in the navigation pane.
- Select the ALB that you want to configure.
- Click the Attributes tab and choose Edit.
- Under Packet handling, find the Desync mitigation mode option.
- Select the previous mode (Monitor only if that is what was configured before).
- Click Save changes.
The same rollback can be done with the AWS CLI command from the AWS CLI Process section, passing the previous mode as the attribute value.
Note:
- This policy is only applicable to Application Load Balancers; the routing.http.desync_mitigation_mode attribute and the elbv2 commands do not apply to Classic Load Balancers.
- Classic Load Balancers support the same three modes (monitor, defensive, strictest) and also default to defensive, but they are configured through the elb command set and are out of scope for this policy.
Reference:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#desync-mitigation-mode (Application Load Balancers)
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-desync-mitigation-mode.html (Classic Load Balancers)