Profile Applicability:
- Level 2
Description:
Amazon Application Load Balancer (ALB) provides a highly available and scalable load balancing service for HTTP and HTTPS traffic. Desynchronization (Desync) attacks occur when malformed or unexpected HTTP request headers are used to bypass security controls or disrupt application traffic. ALB supports desync mitigation modes to protect against such attacks. This SOP checks if ALB is configured with the strictest desync mitigation mode. If not, it verifies if at least the drop_invalid_header_fields attribute is configured.
Rationale:
Security: Enabling the strictest desync mitigation mode ensures that ALBs can handle malformed or malicious request headers properly, reducing the risk of desync attacks.
Compliance: Many compliance standards (e.g., SOC 2, PCI-DSS) require adequate protection mechanisms against common web application attacks, including desynchronization.
Best Practices: Configuring ALBs with proper desync mitigation modes helps prevent attackers from exploiting request header vulnerabilities.
Impact:
Pros:
Enhanced Security: Protects against desynchronization and header-based attacks.
Compliance: Helps in meeting security requirements for industry standards like PCI-DSS and SOC 2.
Reduced Risk: Lowers the chance of traffic disruption due to malformed headers.
Cons:
Performance Impact: The strictest desync mitigation mode might introduce a slight performance overhead due to additional validation of request headers.
Configuration Complexity: Setting up the strictest desync mitigation or configuring the drop_invalid_header_fields attribute requires proper understanding and implementation.
Default Value:
By default, an ALB runs in the defensive desync mitigation mode rather than strictest, and dropping of invalid header fields is disabled. The strictest mode (or the drop_invalid_header_fields attribute) must be configured manually.
Pre-requisites:
AWS IAM Permissions:
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:ModifyLoadBalancerAttributes
AWS CLI installed and configured.
Ensure that you have Application Load Balancers (ALB) set up and are using HTTP/HTTPS listeners for traffic distribution.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Elastic Load Balancing under Services.
In the Load Balancers section, select your Application Load Balancer.
Under the Listeners tab, select the listener configuration (HTTP or HTTPS).
In the Rules section, check if the desync mitigation mode is configured. Specifically, check if the strictest mitigation mode is enabled.
If it is not, check whether the drop_invalid_header_fields attribute is configured to prevent processing invalid request headers.
Ensure that the mitigation is either set to strictest or drop_invalid_header_fields is enabled for enhanced security.
Using AWS CLI:
To list your Application Load Balancers together with their ARNs, run:
aws elbv2 describe-load-balancers --query 'LoadBalancers[?Type==`application`].{Name:LoadBalancerName,Arn:LoadBalancerArn}' --output table
The desync mitigation mode is a load balancer attribute, so read the attributes of each ALB:
aws elbv2 describe-load-balancer-attributes --load-balancer-arn <load-balancer-arn> --query 'Attributes[?Key==`routing.http.desync_mitigation_mode` || Key==`routing.http.drop_invalid_header_fields.enabled`]'
Review the output: if routing.http.desync_mitigation_mode is not strictest, check that routing.http.drop_invalid_header_fields.enabled is true.
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Elastic Load Balancing.
In the Load Balancers section, select your Application Load Balancer.
Under the Listeners tab, choose the listener for your ALB (HTTP or HTTPS).
Check the Desync Mitigation Mode under Advanced Settings.
If it is not set to strictest, change the mitigation mode to strictest.
If you cannot set it to strictest, enable the drop_invalid_header_fields setting.
Save the changes to enable the appropriate desync mitigation for your ALB.
Using AWS CLI:
To enable the strictest desync mitigation mode, run:
aws elbv2 modify-load-balancer-attributes --load-balancer-arn <load-balancer-arn> --attributes Key=routing.http.desync_mitigation_mode,Value=strictest
If you cannot use strictest and want to enable drop_invalid_header_fields instead, run:
aws elbv2 modify-load-balancer-attributes --load-balancer-arn <load-balancer-arn> --attributes Key=routing.http.drop_invalid_header_fields.enabled,Value=true
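The following script is an added example, not part of this SOP or of AWS's own tooling. It combines the Test Plan and Implementation Steps above: evaluate_desync_attrs applies the SOP's decision rule (strictest passes; otherwise drop_invalid_header_fields must be enabled) to the attribute output of describe-load-balancer-attributes, audit_account runs that rule over every ALB in the account, and remediate_alb applies the attribute change. It assumes AWS CLI v2 with credentials configured for the aws calls; the sample attribute text at the bottom is constructed so the evaluation function can be exercised without AWS access.

```shell
#!/bin/sh
# Added example for the ALB desync mitigation SOP (not from the original document).
# Assumes AWS CLI v2 and configured credentials for audit_account/remediate_alb.

# Attribute keys as exposed by describe-load-balancer-attributes.
MODE_KEY="routing.http.desync_mitigation_mode"              # monitor | defensive | strictest
DROP_KEY="routing.http.drop_invalid_header_fields.enabled"  # true | false

# evaluate_desync_attrs ATTR_TEXT
#   ATTR_TEXT holds "Key<TAB>Value" lines, the shape produced by
#   --query 'Attributes[].[Key,Value]' --output text.
#   Prints one verdict line and returns:
#     0 = PASS (strictest), 1 = PARTIAL (drop_invalid_header_fields only), 2 = FAIL.
evaluate_desync_attrs() {
  mode=$(printf '%s\n' "$1" | awk -F'\t' -v k="$MODE_KEY" '$1==k {print $2}')
  drop=$(printf '%s\n' "$1" | awk -F'\t' -v k="$DROP_KEY" '$1==k {print $2}')
  # An absent key means the ALB default: defensive mode, header dropping off.
  [ -n "$mode" ] || mode="defensive"
  [ -n "$drop" ] || drop="false"
  if [ "$mode" = "strictest" ]; then
    echo "PASS: desync_mitigation_mode=strictest"
    return 0
  elif [ "$drop" = "true" ]; then
    echo "PARTIAL: desync_mitigation_mode=$mode but drop_invalid_header_fields enabled"
    return 1
  else
    echo "FAIL: desync_mitigation_mode=$mode, drop_invalid_header_fields=$drop"
    return 2
  fi
}

# audit_account: print one verdict line per application load balancer in the account.
audit_account() {
  aws elbv2 describe-load-balancers \
      --query 'LoadBalancers[?Type==`application`].LoadBalancerArn' --output text |
  tr '\t' '\n' |
  while IFS= read -r arn; do
    [ -n "$arn" ] || continue
    attrs=$(aws elbv2 describe-load-balancer-attributes --load-balancer-arn "$arn" \
              --query 'Attributes[].[Key,Value]' --output text)
    printf '%s  ' "$arn"
    evaluate_desync_attrs "$attrs" || true
  done
}

# remediate_alb ARN [drop-only]
#   Sets strictest mode; with "drop-only", enables dropping of invalid header
#   fields instead, for applications that cannot tolerate strictest.
remediate_alb() {
  if [ "${2:-}" = "drop-only" ]; then
    aws elbv2 modify-load-balancer-attributes --load-balancer-arn "$1" \
      --attributes Key="$DROP_KEY",Value=true
  else
    aws elbv2 modify-load-balancer-attributes --load-balancer-arn "$1" \
      --attributes Key="$MODE_KEY",Value=strictest
  fi
}

# Constructed sample (not real account data): defensive mode with header dropping on.
SAMPLE_DEFENSIVE_DROP=$(printf 'routing.http.desync_mitigation_mode\tdefensive\nrouting.http.drop_invalid_header_fields.enabled\ttrue\n')

# Usage: sh alb_desync_audit.sh --audit        (lists every ALB with its verdict)
#        sh alb_desync_audit.sh --check        (runs the rule on the constructed sample)
if [ "${1:-}" = "--audit" ]; then
  audit_account
elif [ "${1:-}" = "--check" ]; then
  evaluate_desync_attrs "$SAMPLE_DEFENSIVE_DROP"
fi
```

The evaluator treats a missing attribute as the ALB default (defensive, dropping off), so a freshly created load balancer is reported as FAIL rather than silently passing; the exit codes 0/1/2 let the audit be wired into a CI or compliance job that distinguishes full compliance from the drop_invalid_header_fields fallback.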
Backout Plan:
Using AWS Console:
If enabling Strictest Desync Mitigation Mode causes issues, sign in to the AWS Management Console.
Navigate to Elastic Load Balancing, select the ALB, and go to the Description tab.
Click Edit and revert the Desync Mitigation Mode to the previous setting (or disable it).
Save the changes and verify that the mitigation mode is no longer in the strictest setting.
Using AWS CLI:
To revert the Desync Mitigation Mode to the previous setting (defensive is the ALB default), run:
aws elbv2 modify-load-balancer-attributes --load-balancer-arn <LOAD_BALANCER_ARN> --attributes Key=routing.http.desync_mitigation_mode,Value=defensive
Verify that the Desync Mitigation Mode has been reverted:
aws elbv2 describe-load-balancer-attributes --load-balancer-arn <LOAD_BALANCER_ARN> --query 'Attributes[?Key==`routing.http.desync_mitigation_mode`]'