Vulnerability Management
Desync mitigation (ALB only)
HTTP desync attacks, also known as HTTP request smuggling attacks, exploit differing interpretations of RFC-non-compliant HTTP requests across a chain of proxies, opening up the possibility of smuggling a request to the back-end.
Application Load Balancer (ALB) supports an HTTP Desync Mitigation Mode that classifies every request by its threat level using an AWS open source library called HTTP Desync Guardian.
Customers can choose among three modes: "Defensive", "Strictest", and "Monitor". The "Strictest" mode ensures that your application only sees requests that are RFC 7230 compliant.
The "Strictest" mode is recommended from a security perspective. However, to avoid false positives, users may want to keep the load balancer in "Monitor" mode for some time and watch the DesyncMitigationMode_NonCompliant_Request_Count CloudWatch metric. The "classification" and "classification_reason" fields in the Access Logs should also be evaluated to determine the impact of enabling "Strictest" mode.
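The log review described above can be scripted. The following is an added example, not code from AWS or from this page: it parses ALB access log entries, tallies the "classification" and "classification_reason" fields, and estimates how many requests "Strictest" mode would have rejected during a "Monitor" period. It assumes the documented space-separated ALB access log layout (classification at field 27, classification_reason at field 28, counted from 0) and that RFC 7230 compliant requests log "-" for classification, so every entry with any other classification value is one that "Strictest" would reject. The log lines and the reason labels in them are constructed for the example.

```python
import shlex
from collections import Counter

# 0-based positions of the two desync fields in the documented ALB access log layout.
# Using positions from the start keeps the parser valid whether or not the newer
# trailing conn_trace_id field is present.
CLASSIFICATION_IDX = 27
CLASSIFICATION_REASON_IDX = 28

# Constructed sample entries (not real traffic). The first is RFC 7230 compliant
# (classification "-"); the other two carry a classification and a reason label.
SAMPLE_LOG = """\
http 2024-01-01T12:00:00.000000Z app/my-alb/0123456789abcdef 203.0.113.10:51000 10.0.1.20:80 0.001 0.010 0.000 200 200 120 500 "GET http://www.example.com:80/ HTTP/1.1" "curl/8.0" - - arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/tg/0123456789abcdef "Root=1-65920000-0123456789abcdef01234567" "-" "-" 0 2024-01-01T12:00:00.000000Z "forward" "-" "-" "10.0.1.20:80" "200" "-" "-" TID_0123456789abcdef
http 2024-01-01T12:00:01.000000Z app/my-alb/0123456789abcdef 203.0.113.11:51001 10.0.1.20:80 0.001 0.010 0.000 200 200 130 500 "POST http://www.example.com:80/upload HTTP/1.1" "python-requests/2.31" - - arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/tg/0123456789abcdef "Root=1-65920001-0123456789abcdef01234568" "-" "-" 0 2024-01-01T12:00:01.000000Z "forward" "-" "-" "10.0.1.20:80" "200" "Acceptable" "NonCompliantHeader" TID_0123456789abcdf0
http 2024-01-01T12:00:02.000000Z app/my-alb/0123456789abcdef 203.0.113.12:51002 10.0.1.20:80 0.001 0.010 0.000 200 200 150 500 "POST http://www.example.com:80/api HTTP/1.1" "-" - - arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/tg/0123456789abcdef "Root=1-65920002-0123456789abcdef01234569" "-" "-" 0 2024-01-01T12:00:02.000000Z "forward" "-" "-" "10.0.1.20:80" "200" "Severe" "BothTeClPresent" TID_0123456789abcdf1
"""


def parse_entry(line):
    """Return (classification, classification_reason) for one ALB access log entry.

    shlex.split honours the double-quoted fields (request line, user agent, ...),
    so fields containing spaces do not shift the positions of later columns.
    """
    fields = shlex.split(line)
    if len(fields) <= CLASSIFICATION_REASON_IDX:
        raise ValueError("unexpected ALB access log layout: %d fields" % len(fields))
    return fields[CLASSIFICATION_IDX], fields[CLASSIFICATION_REASON_IDX]


def summarize(log_text):
    """Tally desync classifications over a block of log entries.

    Entries with classification "-" are RFC 7230 compliant; every other entry is
    one that "Strictest" mode would reject, which is the figure to review before
    switching the load balancer out of "Monitor" mode.
    """
    by_classification = Counter()
    by_reason = Counter()
    total = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        total += 1
        classification, reason = parse_entry(line)
        by_classification[classification] += 1
        if classification != "-":
            by_reason[reason] += 1
    return {
        "total": total,
        "by_classification": dict(by_classification),
        "by_reason": dict(by_reason),
        "strictest_would_reject": total - by_classification["-"],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("requests seen:           ", report["total"])
    print("Strictest would reject:  ", report["strictest_would_reject"])
    print("by classification:       ", report["by_classification"])
    print("by classification_reason:", report["by_reason"])
```

In practice you would feed summarize() the decompressed access log files for the whole monitoring window; the "by_reason" breakdown tells you which clients or paths to fix (or whether a given non-compliant pattern is legitimate) before turning on "Strictest".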
Best Practice
[ALB] Use Strictest mode for desync mitigation.
Note
The drop_invalid_header_fields feature was initially intended to mitigate HTTP desync attacks; for that purpose it has been superseded by the HTTP desync mitigation mode feature.