
How to update AWS ELB HTTP Desync mitigation mode

Pragti Chauhan
#aws #cloudsecurity #elb

Introduction

HTTP Desync attacks are a variant of request smuggling attacks which abuse the way a chain of HTTP servers interpret consecutive requests, especially because of different ways servers determine the length of each request. By manipulating the Content-Length and Transfer-Encoding headers in the request, the attacker can change how the request is processed on each intermediate server and in some cases even pollute caches and obtain responses meant for other HTTP streams.

AWS ELB provides three modes for HTTP Desync mitigation: Monitor, Defensive, and Strictest. Monitor allows all traffic to pass as is and simply logs any requests that are not RFC compliant; Defensive provides durable mitigation against HTTP desync while maintaining the availability of your application; and Strictest ensures that your application receives only requests that comply with RFC 7230.

The default mode in AWS ELB is the Defensive mode, which provides durable mitigation against HTTP desync while maintaining the availability of the application. Changing the default setting of the HTTP Desync mitigation mode to Monitor could allow a class of HTTP desynchronization attacks against the web server behind the Load Balancer.

In this article we will see how to check and update the HTTP Desync mitigation mode for your ELB to a more secure option.

Update AWS ELB HTTP Desync mitigation mode

Following are the steps to check and update the HTTP Desync mitigation mode for AWS ELB:

  1. Log in to the AWS Management Console

  2. Navigate to the EC2 dashboard

    (Screenshot: Select EC2 service)

  3. On the left menu, scroll down to Load Balancing and click on Load Balancers

    (Screenshot: Load Balancers)

  4. Click on the name of the Load Balancer for which you want to check the HTTP Desync mitigation mode

    (Screenshot: Select Load Balancer)

  5. On the Load Balancer details page, click on the Attributes tab; the Desync mitigation mode for your Load Balancer is shown there

    (Screenshot: Load Balancer Attributes)

  6. To update the Desync mitigation mode, select the Elastic Load Balancer

    (Screenshot: Select Load Balancer to update)

  7. Click on the Actions dropdown and select Edit load balancer attributes

    (Screenshot: Edit Load Balancer Attributes)

  8. Under the Packet handling section, set the Desync mitigation mode to Defensive or Strictest

    (Screenshot: Update Desync mitigation mode)

  9. Finally, click on Save changes. This updates the HTTP Desync mitigation mode for your ELB

    (Screenshot: Save Load Balancer changes)
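The same check and fix can be scripted instead of clicked through. The script below is an added example written for this article, not Kloudle's or AWS's own tooling. It audits the JSON that `aws elbv2 describe-load-balancer-attributes --load-balancer-arn <arn>` returns for an Application Load Balancer (the attribute key `routing.http.desync_mitigation_mode` and the values monitor/defensive/strictest are the ones AWS uses for ALBs; Classic Load Balancers use a different key and are not covered here), flags a Monitor setting as weak, and prints the `aws elbv2 modify-load-balancer-attributes` command that moves it to Defensive or Strictest. The embedded sample response and the load balancer ARN are constructed placeholders.

```python
"""Audit an Application Load Balancer's HTTP desync mitigation mode.

Usage:
  aws elbv2 describe-load-balancer-attributes --load-balancer-arn <arn> \
      | python audit_desync.py <arn>
Run with no stdin to audit the constructed sample below.
"""
import json
import sys

# ALB attribute key and the values AWS accepts for it.
ATTR_KEY = "routing.http.desync_mitigation_mode"
SAFE_MODES = {"defensive", "strictest"}

# Constructed sample shaped like the describe-load-balancer-attributes
# response (not data from a real account). This one is set to Monitor.
SAMPLE_ATTRIBUTES = {
    "Attributes": [
        {"Key": "access_logs.s3.enabled", "Value": "false"},
        {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
        {"Key": ATTR_KEY, "Value": "monitor"},
    ]
}

# Placeholder ARN; replace with the ARN of the load balancer being audited.
PLACEHOLDER_ARN = (
    "arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:loadbalancer/app/NAME/ID"
)


def desync_mode(describe_output: dict):
    """Return the configured mode (lower-cased), or None if the attribute
    is absent, e.g. because the load balancer is not an ALB."""
    for attr in describe_output.get("Attributes", []):
        if attr.get("Key") == ATTR_KEY:
            return attr.get("Value", "").lower()
    return None


def is_weak(mode) -> bool:
    """Monitor only logs non-compliant requests; Defensive and Strictest
    actually block them. Anything other than those two is reported as weak."""
    return mode is not None and mode not in SAFE_MODES


def remediation_command(lb_arn: str, target_mode: str = "strictest") -> str:
    """Build the CLI command that sets the mode to Defensive or Strictest."""
    if target_mode not in SAFE_MODES:
        raise ValueError(f"target mode must be one of {sorted(SAFE_MODES)}")
    return (
        "aws elbv2 modify-load-balancer-attributes "
        f"--load-balancer-arn {lb_arn} "
        f"--attributes Key={ATTR_KEY},Value={target_mode}"
    )


def audit(describe_output: dict, lb_arn: str, target_mode: str = "strictest") -> dict:
    """Summarise the finding: current mode, whether it is weak, and the fix."""
    mode = desync_mode(describe_output)
    result = {"mode": mode, "weak": is_weak(mode), "fix": None}
    if result["weak"]:
        result["fix"] = remediation_command(lb_arn, target_mode)
    return result


if __name__ == "__main__":
    arn = sys.argv[1] if len(sys.argv) > 1 else PLACEHOLDER_ARN
    data = SAMPLE_ATTRIBUTES if sys.stdin.isatty() else json.load(sys.stdin)
    finding = audit(data, arn)
    print(f"{ATTR_KEY} = {finding['mode']}")
    if finding["weak"]:
        print("WEAK: Monitor mode only logs desync attempts. Remediate with:")
        print("  " + finding["fix"])
    elif finding["mode"] is None:
        print("Attribute not present (not an Application Load Balancer?)")
    else:
        print("OK: mode blocks non-compliant requests")
```

Setting the value through the CLI has the same effect as step 8 above; the mode takes effect immediately and does not require replacing the load balancer. Verify afterwards by re-running the describe command and confirming the attribute now reads `defensive` or `strictest`.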
