Profile Applicability:
Level 2
Description:
The Classic Load Balancer (CLB) in AWS should be configured with the defensive or strictest desync mitigation mode to protect against desynchronization (desync) attacks. Desync attacks occur when inconsistencies arise between the interpretation of HTTP requests by the load balancer and backend servers, potentially allowing malicious actors to bypass security measures or exploit backend systems.
Desync mitigation modes available:
monitor: Observes traffic but does not block potentially desynced requests.
defensive (recommended): Actively blocks suspicious traffic to prevent desync attacks.
strictest: Blocks all requests that might be desynced, even if legitimate.
Rationale:
Setting defensive or strictest desync mitigation mode helps:
Prevent Desync Attacks: Protects against malformed or split HTTP requests that can bypass security checks.
Enhance Security Posture: Reduces risks of request smuggling and related vulnerabilities.
Compliance: Aligns with security best practices and standards for web application security.
Impact:
Pros:
Enhanced protection against HTTP desync attacks.
Reduced risk of security breaches due to maliciously crafted HTTP requests.
Cons:
The strictest mode may block some legitimate requests if not properly tested.
Possible performance overhead due to additional request validation.
Default Value:
By default, Classic Load Balancer is set to monitor mode, which does not block desync attempts but logs them.
Prerequisites:
IAM Permissions:
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:ModifyLoadBalancerAttributes
AWS CLI installed and configured.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 Dashboard → Load Balancers.
Select the Classic Load Balancer you want to review.
Go to the Description tab and click Edit attributes.
Review the Desync Mitigation Mode setting.
Pass: If set to defensive or strictest.
Fail: If set to monitor.
Using AWS CLI:
List Classic Load Balancers:
aws elb describe-load-balancers --region <region> --query 'LoadBalancerDescriptions[*].[LoadBalancerName]'
Check Desync Mitigation Mode for Each CLB:
aws elb describe-load-balancer-attributes --load-balancer-name <clb-name> --region <region> --query 'LoadBalancerAttributes.AdditionalAttributes[?Key==`elb.http.desyncmitigationmode`].Value | [0]'
Expected Output (Pass):
"defensive"
or
"strictest"
Fail Output:
"monitor"
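The per-CLB check above can be scripted so every Classic Load Balancer in a region is graded in one pass. The following is an added example, not part of this benchmark or of any AWS tooling: it reads the mode from the AdditionalAttributes list in the describe-load-balancer-attributes response, treats a missing attribute as a failure, and runs against constructed sample responses (the CLB names and the fetch_attributes helper are assumptions).

```python
"""Grade Classic Load Balancer desync mitigation mode from describe-load-balancer-attributes output."""
import json
import subprocess
from typing import Dict, Optional, Tuple

DESYNC_KEY = "elb.http.desyncmitigationmode"   # attribute key used by the CLB API
PASSING_MODES = {"defensive", "strictest"}      # benchmark pass condition


def desync_mode(attributes_response: dict) -> Optional[str]:
    """Return the desync mode from a describe-load-balancer-attributes response, or None if unset."""
    extra = attributes_response.get("LoadBalancerAttributes", {}).get("AdditionalAttributes", [])
    for item in extra:
        if item.get("Key") == DESYNC_KEY:
            return item.get("Value")
    return None


def evaluate(attributes_response: dict) -> Tuple[str, str]:
    """Return (verdict, mode): PASS for defensive/strictest, FAIL for monitor or an unset attribute."""
    mode = desync_mode(attributes_response)
    if mode in PASSING_MODES:
        return "PASS", mode
    return "FAIL", mode or "unset"


def fetch_attributes(lb_name: str, region: str) -> dict:
    """Live lookup through the AWS CLI (assumed helper; needs the IAM permissions listed above)."""
    cmd = ["aws", "elb", "describe-load-balancer-attributes", "--load-balancer-name", lb_name,
           "--region", region, "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def audit(responses: Dict[str, dict]) -> Dict[str, Tuple[str, str]]:
    """Grade a mapping of CLB name -> attributes response."""
    return {name: evaluate(resp) for name, resp in responses.items()}


# Constructed sample responses (not real load balancers) in the shape the CLI returns.
SAMPLE_RESPONSES = {
    "web-clb": {"LoadBalancerAttributes": {"CrossZoneLoadBalancing": {"Enabled": True},
                "AdditionalAttributes": [{"Key": DESYNC_KEY, "Value": "defensive"}]}},
    "legacy-clb": {"LoadBalancerAttributes": {
                "AdditionalAttributes": [{"Key": DESYNC_KEY, "Value": "monitor"}]}},
    "bare-clb": {"LoadBalancerAttributes": {"AdditionalAttributes": []}},
}

if __name__ == "__main__":
    for name, (verdict, mode) in audit(SAMPLE_RESPONSES).items():
        print(f"{verdict} {name} desync mode={mode}")
```

To grade real load balancers, build the responses dict with fetch_attributes for each name returned by describe-load-balancers.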
Implementation Steps:
Using AWS Console:
Sign in to the AWS Console.
Navigate to EC2 Dashboard → Load Balancers.
Select the Classic Load Balancer to modify.
In the Description tab, click Edit attributes.
Locate the Desync Mitigation Mode setting.
Select defensive or strictest from the dropdown.
Click Save to apply the changes.
Using AWS CLI:
Set Desync Mitigation Mode to Defensive:
aws elb modify-load-balancer-attributes --load-balancer-name <clb-name> --region <region> \
  --load-balancer-attributes '{"AdditionalAttributes":[{"Key":"elb.http.desyncmitigationmode","Value":"defensive"}]}'
OR Set to Strictest (if required):
aws elb modify-load-balancer-attributes --load-balancer-name <clb-name> --region <region> \
  --load-balancer-attributes '{"AdditionalAttributes":[{"Key":"elb.http.desyncmitigationmode","Value":"strictest"}]}'
Verify Changes:
aws elb describe-load-balancer-attributes --load-balancer-name <clb-name> --region <region> --query 'LoadBalancerAttributes.AdditionalAttributes[?Key==`elb.http.desyncmitigationmode`].Value | [0]'
Backout Plan:
If enabling defensive or strictest mode causes issues with legitimate traffic:
Using AWS Console:
Navigate to EC2 Dashboard → Load Balancers.
Select the affected Classic Load Balancer.
In Edit attributes, revert the Desync Mitigation Mode back to monitor.
Using AWS CLI:
aws elb modify-load-balancer-attributes --load-balancer-name <clb-name> --region <region> \
  --load-balancer-attributes '{"AdditionalAttributes":[{"Key":"elb.http.desyncmitigationmode","Value":"monitor"}]}'