HTTP Desync attacks are a variant of request smuggling attacks which abuse the way a chain of HTTP servers (for example a load balancer in front of a backend) interprets consecutive requests on the same connection, in particular when the servers use different rules to determine where each request ends. By manipulating the Content-Length and Transfer-Encoding headers of a request, an attacker can change how the request is parsed on each intermediate server and, in some cases, poison caches or obtain responses meant for other HTTP streams.
AWS ELB provides three modes for HTTP Desync mitigation - Monitor, Defensive, and Strictest. Monitor allows all traffic to pass as is and simply logs requests that do not comply with the RFC; Defensive provides durable mitigation against HTTP desync while maintaining the availability of your application; and Strictest ensures that your application receives only requests that comply with RFC 7230.
The default mode in AWS ELB is Defensive, which provides durable mitigation against HTTP desync while maintaining the availability of the application. Changing the HTTP Desync mitigation mode from the default to Monitor removes that protection and could allow a class of HTTP desynchronization attacks against the web servers behind the Load Balancer.
In this article we will see how to check and update the HTTP Desync mitigation mode for your ELB to a more secure option.
Following are the steps to check and update the HTTP Desync mitigation mode for AWS ELB:
Log in to the AWS Management Console
Navigate to the EC2 dashboard
On the left menu, scroll down to Load Balancing and click on Load Balancers
Click on the name of the Load Balancer for which you want to check the HTTP Desync mitigation mode
On the Load Balancer details page, click on the Attributes tab; the Desync mitigation mode of the Load Balancer is shown there
To update the Desync mitigation mode, select the Load Balancer
Click on the Actions dropdown and select Edit load balancer attributes
Under the Packet handling section, set the Desync mitigation mode to Defensive or Strictest
Finally, click on Save changes. This updates the HTTP Desync mitigation mode for your ELB
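The same check and fix can be scripted for every Application Load Balancer in an account instead of clicking through the console. The following is an added example, not code from the original article or from AWS; it assumes the load balancers are ALBs (the elbv2 API, attribute key routing.http.desync_mitigation_mode) and that an attribute missing from the response means the AWS default, Defensive. The ARN and response below are constructed sample data.

```python
"""Audit and remediate the HTTP Desync mitigation mode of AWS Application Load Balancers."""

DESYNC_KEY = "routing.http.desync_mitigation_mode"   # attribute key used by the elbv2 API
ACCEPTABLE = {"defensive", "strictest"}               # modes that actually mitigate desync
DEFAULT_MODE = "defensive"  # assumption: an absent attribute means the AWS default


def get_desync_mode(attributes):
    """Return the desync mode from the Attributes list of a describe-load-balancer-attributes response."""
    for attr in attributes:
        if attr.get("Key") == DESYNC_KEY:
            return attr.get("Value", "").lower()
    return DEFAULT_MODE


def audit(lb_arn, attributes):
    """Classify one load balancer: Monitor (or any unknown value) is a finding."""
    mode = get_desync_mode(attributes)
    return {"arn": lb_arn, "mode": mode, "compliant": mode in ACCEPTABLE}


def remediation_params(lb_arn, target="defensive"):
    """Build the keyword arguments for elbv2 modify_load_balancer_attributes."""
    if target not in ACCEPTABLE:
        raise ValueError("target must be 'defensive' or 'strictest'")
    return {"LoadBalancerArn": lb_arn, "Attributes": [{"Key": DESYNC_KEY, "Value": target}]}


def audit_account(client, fix=False, target="defensive"):
    """Run against a live account with client = boto3.client('elbv2'); remediate when fix=True."""
    findings = []
    for lb in client.describe_load_balancers()["LoadBalancers"]:
        arn = lb["LoadBalancerArn"]
        attrs = client.describe_load_balancer_attributes(LoadBalancerArn=arn)["Attributes"]
        finding = audit(arn, attrs)
        if fix and not finding["compliant"]:
            client.modify_load_balancer_attributes(**remediation_params(arn, target))
            finding["remediated_to"] = target
        findings.append(finding)
    return findings


# Constructed sample: a load balancer that someone switched to Monitor.
SAMPLE_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example-alb/0123456789abcdef"
SAMPLE_RESPONSE = {"Attributes": [{"Key": DESYNC_KEY, "Value": "monitor"},
                                  {"Key": "deletion_protection.enabled", "Value": "false"}]}

if __name__ == "__main__":
    finding = audit(SAMPLE_ARN, SAMPLE_RESPONSE["Attributes"])
    print(finding)
    if not finding["compliant"]:
        print("would call modify_load_balancer_attributes with:", remediation_params(SAMPLE_ARN))
```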