
Configure HTTP Desync Mitigation Mode for Classic Load Balancers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the relevant Desync Mitigation mode is configured for your Amazon Classic Load Balancers (CLBs) in order to protect the web applications behind your load balancers from issues caused by HTTP Desync, and to meet security and compliance requirements. The Classic Load Balancer classifies each request based on its threat level, allows safe requests, and then mitigates risk as specified by the mitigation mode that you configure. The Desync Mitigation modes are "Defensive", "Strictest", and "Monitor". The "Defensive" mode is the default because it provides durable, hands-free mitigation against HTTP Desync while maintaining the availability of your application. The "Strictest" mode can be enforced if you need to ensure that your web application only sees requests that are RFC 7230 compliant. Lastly, you have the flexibility to choose the "Monitor" mode if you want your load balancer to forward all requests it receives, regardless of classification, to the web application behind it. The suitable mitigation mode must be configured in the conformity rule settings, on the Trend Cloud One™ – Conformity account console.

This rule can help you work with the AWS Well-Architected Framework.

Security

HTTP Desync attacks exploit the way a chain of HTTP servers (frontend and backend web servers) interprets consecutive requests. HTTP Desync attacks belong to a class of attacks known as HTTP request smuggling attacks. Request smuggling attacks can make web applications vulnerable to request queue or cache poisoning, which could lead to credential hijacking or execution of unauthorized commands.


Audit

To determine the Desync Mitigation mode configured for your Amazon Classic Load Balancers (CLBs), perform the following actions:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Configure HTTP Desync Mitigation Mode for Classic Load Balancers conformity rule settings and identify the Desync Mitigation mode configured for your AWS cloud account.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

04 In the main navigation panel, under Load Balancing, choose Load Balancers.

05 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers provisioned in the current AWS region.

06 Select the Classic Load Balancer that you want to examine.

07 Choose the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

08 In the Attributes section, check the mitigation mode configured for the Desync mitigation mode setting. If the mitigation mode configured is not the one defined in the conformity rule settings, identified at step no. 1, the Desync Mitigation configuration set for the selected Classic Load Balancer (CLB) is not compliant.

09 Repeat steps no. 6 – 8 to determine the mitigation mode configured for other Classic Load Balancers deployed within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Configure HTTP Desync Mitigation Mode for Classic Load Balancers conformity rule settings and identify the Desync Mitigation mode configured for your AWS cloud account.

02 Run the describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:

aws elb describe-load-balancers \
  --region us-east-1 \
  --output table \
  --query 'LoadBalancerDescriptions[*].LoadBalancerName'

03 The command output should return a table with the requested load balancer names:

-------------------------------
|    DescribeLoadBalancers    |
+-----------------------------+
|  cc-web-prod-load-balancer  |
|  cc-frontend-load-balancer  |
+-----------------------------+

04 Run the describe-load-balancer-attributes command (OSX/Linux/UNIX) using the name of the Amazon Classic Load Balancer that you want to examine as the identifier parameter and custom query filters to describe the Desync Mitigation mode configured for the selected load balancer:

aws elb describe-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-name cc-web-prod-load-balancer \
  --query 'LoadBalancerAttributes.AdditionalAttributes[?(Key == `elb.http.desyncmitigationmode`)].Value | []'

05 The command output should return the name of the configured mitigation mode:

[
	"defensive"
]

If the mitigation mode returned by the describe-load-balancer-attributes command output is different than the one defined in the conformity rule settings, identified at step no. 1, the Desync Mitigation configuration set for the selected Classic Load Balancer (CLB) is not compliant.

06 Repeat steps no. 4 and 5 to determine the mitigation mode configured for other Classic Load Balancers deployed in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To configure the suitable Desync Mitigation mode for your existing Classic Load Balancers (CLBs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers provisioned in the current AWS region.

05 Select the Classic Load Balancer that you want to examine.

06 Select the Description tab and click on the Configure desync mitigation mode button available in the Attributes section.

07 In the Configure desync mitigation mode configuration box, select the compliant mitigation mode, defined in the conformity rule settings, to set up the suitable Desync Mitigation mode for the selected Classic Load Balancer (CLB). Choose Save to apply the changes.

08 Repeat steps no. 5 – 7 to configure the relevant mitigation mode for each Classic Load Balancer available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the modify-load-balancer-attributes command (OSX/Linux/UNIX) using the name of the Classic Load Balancer (CLB) that you want to reconfigure as the identifier parameter, to configure the compliant Desync Mitigation mode, defined in the conformity rule settings, for the selected load balancer. The following command example sets the strictest mitigation mode for a Classic Load Balancer named "cc-web-prod-load-balancer":

aws elb modify-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-name cc-web-prod-load-balancer \
  --load-balancer-attributes "{\"AdditionalAttributes\":[{\"Key\":\"elb.http.desyncmitigationmode\",\"Value\":\"strictest\"}]}"

02 The command output should return the configuration information available for the modified attribute:

{
	"LoadBalancerAttributes": {
		"AdditionalAttributes": [
			{
				"Value": "strictest",
				"Key": "elb.http.desyncmitigationmode"
			}
		]
	},
	"LoadBalancerName": "cc-web-prod-load-balancer"
}

03 Repeat steps no. 1 and 2 to configure the suitable mitigation mode for each Classic Load Balancer available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
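The CLI Audit and Remediation procedures above can be run across several regions in one pass. The following script is an added example, not code from the Conformity article or the AWS CLI; it assumes the AWS CLI is installed with credentials allowing elb:Describe* (and elb:ModifyLoadBalancerAttributes when FIX=1), and that EXPECTED_MODE is the mode chosen in your conformity rule settings.

```shell
#!/bin/sh
# Added example (not from the Conformity article): audit the Classic Load Balancers in the given
# regions against EXPECTED_MODE and, with FIX=1, apply that mode to the ones that differ.
EXPECTED_MODE="${EXPECTED_MODE:-defensive}"   # mode from the rule settings (assumed value)
FIX="${FIX:-0}"
# valid_mode MODE -> exit 0 if MODE is one of the three modes a CLB accepts
valid_mode() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    defensive|strictest|monitor) return 0 ;; *) return 1 ;;
  esac
}
# check_mode ACTUAL EXPECTED -> prints "compliant" or "non-compliant" (case-insensitive).
# An empty or "None" ACTUAL means the attribute was not returned, so it is flagged for review.
check_mode() {
  actual=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$actual" in
    ""|none)     echo non-compliant ;;
    "$expected") echo compliant ;;
    *)           echo non-compliant ;;
  esac
}
# get_mode REGION NAME -> prints the configured mode (the article's query, as text output)
get_mode() {
  aws elb describe-load-balancer-attributes --region "$1" --load-balancer-name "$2" \
    --output text --query \
    'LoadBalancerAttributes.AdditionalAttributes[?Key==`elb.http.desyncmitigationmode`].Value | [0]'
}
# set_mode REGION NAME MODE -> the article's remediation command
set_mode() {
  aws elb modify-load-balancer-attributes --region "$1" --load-balancer-name "$2" \
    --load-balancer-attributes \
    "{\"AdditionalAttributes\":[{\"Key\":\"elb.http.desyncmitigationmode\",\"Value\":\"$3\"}]}"
}
# audit_region REGION -> one line per CLB: region name mode status (remediates when FIX=1)
audit_region() {
  for name in $(aws elb describe-load-balancers --region "$1" --output text \
      --query 'LoadBalancerDescriptions[*].LoadBalancerName'); do
    mode=$(get_mode "$1" "$name"); status=$(check_mode "$mode" "$EXPECTED_MODE")
    printf '%s %s %s %s\n' "$1" "$name" "${mode:-None}" "$status"
    [ "$FIX" = 1 ] && [ "$status" = non-compliant ] && set_mode "$1" "$name" "$EXPECTED_MODE"
  done
}
main() {
  valid_mode "$EXPECTED_MODE" || { echo "EXPECTED_MODE must be defensive, strictest or monitor" >&2; return 2; }
  [ "$#" -gt 0 ] || { echo "usage: [FIX=1] [EXPECTED_MODE=<mode>] $0 REGION [REGION ...]" >&2; return 0; }
  for region in "$@"; do audit_region "$region"; done
}
main "$@"
```

Run it as `EXPECTED_MODE=strictest sh audit-clb-desync.sh us-east-1 us-west-2` to list every CLB with its mode and status; add `FIX=1` only after reviewing the report, since switching to "strictest" rejects any request that is not RFC 7230 compliant.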


Publication date Nov 23, 2023