HTTP Desync attacks are a variant of request smuggling attacks that abuse the way a chain of HTTP servers interprets consecutive requests, in particular the different ways each server determines the length of a request. By manipulating the Content-Length and Transfer-Encoding headers of a request, an attacker can change how the request is processed by each intermediate server and, in some cases, even poison caches or obtain responses meant for other HTTP streams.
AWS ELB provides three HTTP Desync mitigation modes: Monitor, Defensive, and Strictest. Monitor passes all traffic through unchanged and only logs requests that do not comply with the RFC; Defensive provides durable mitigation against HTTP desync while maintaining the availability of your application; Strictest ensures that your application receives only requests that comply with RFC 7230.
The default mode in AWS ELB is Defensive, which provides durable mitigation against HTTP desync while maintaining the availability of the application. Changing the HTTP Desync mitigation mode from the default to Monitor could allow a class of HTTP desynchronization attacks to reach the web server behind the Load Balancer, because non-compliant requests are then only logged rather than blocked.
In this article we will see how to check the HTTP Desync mitigation mode of your ELB and update it to a more secure option using the AWS CLI.
Update AWS ELB HTTP Desync mitigation mode
Following are the steps to check and update the HTTP Desync mitigation mode using CLI for AWS ELB:
To get a list of all the load balancers, run the following command:
aws elbv2 describe-load-balancers --region <REGION>
From the list, select the load balancer for which you want to check the Desync mitigation mode and run the following command to list its attributes; the current mode is the value of the routing.http.desync_mitigation_mode attribute:
aws elbv2 describe-load-balancer-attributes --load-balancer-arn <LOAD BALANCER ARN> --region <REGION>
To update the Desync mitigation mode for the selected load balancer, run the following command:
aws elbv2 modify-load-balancer-attributes --load-balancer-arn <LOAD BALANCER ARN> --attributes Key=routing.http.desync_mitigation_mode,Value=defensive --region <REGION>
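The three steps above combined into one audit script, as an added example that is not part of the original article: it lists the Application Load Balancers in a region, reads each one's routing.http.desync_mitigation_mode attribute, and flags any that are in monitor mode or have no value. It assumes the AWS CLI is installed and configured; the attribute JSON embedded at the top is a constructed sample used to exercise the parser offline, and the filter to application load balancers is an assumption based on the attribute applying to ALBs.

```shell
#!/bin/sh
# Added example, not from the original article: audit the HTTP desync mitigation
# mode of every Application Load Balancer in a region and flag those in "monitor"
# mode. Assumes the AWS CLI is installed and credentials are configured.

# Constructed sample of describe-load-balancer-attributes output, used to test
# the parser without calling AWS.
SAMPLE_ATTRS='{"Attributes": [{"Key": "routing.http.desync_mitigation_mode", "Value": "monitor"}, {"Key": "deletion_protection.enabled", "Value": "false"}]}'

# Extract the desync mitigation mode from the attributes JSON. Whitespace is
# stripped first so one sed expression matches regardless of pretty-printing
# (no jq needed). Prints nothing when the attribute is absent.
desync_mode_from_json() {
  printf '%s\n' "$(printf '%s' "$1" | tr -d '\n\t ')" \
    | sed -n 's/.*"Key":"routing\.http\.desync_mitigation_mode","Value":"\([a-z]*\)".*/\1/p'
}

# Return 0 when the mode blocks non-compliant requests (defensive or strictest),
# 1 when it is monitor, unset, or anything unexpected.
desync_mode_is_acceptable() {
  case "$1" in
    defensive|strictest) return 0 ;;
    *) return 1 ;;
  esac
}

# Walk every ALB in the region and print an OK/FIX line per load balancer.
# Only application load balancers carry the routing.http.* attributes.
audit_region() {
  region="$1"
  for arn in $(aws elbv2 describe-load-balancers --region "$region" \
      --query 'LoadBalancers[?Type==`application`].LoadBalancerArn' --output text); do
    attrs=$(aws elbv2 describe-load-balancer-attributes \
      --load-balancer-arn "$arn" --region "$region")
    mode=$(desync_mode_from_json "$attrs")
    if desync_mode_is_acceptable "$mode"; then
      echo "OK   $arn ($mode)"
    else
      echo "FIX  $arn (${mode:-unset})"
      # Uncomment to remediate in place (same call as in the article):
      # aws elbv2 modify-load-balancer-attributes --load-balancer-arn "$arn" \
      #   --attributes Key=routing.http.desync_mitigation_mode,Value=defensive \
      #   --region "$region"
    fi
  done
}

# Usage: sh audit_desync.sh <REGION>
if [ $# -gt 0 ]; then audit_region "$1"; fi
```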