Support for routing.http.desync_mitigation_mode in ALB/CLB

[reedloden]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Application Load Balancer (ALB) and Classic Load Balancer (CLB) now support HTTP Desync Mitigation Mode, a new feature that protects your application from issues due to HTTP Desync. Modern day web applications are typically built with a chain of proxies that ensure fast and reliable communication between clients and servers. While these proxies follow a standard mechanism to parse RFC 7230 compliant HTTP/1.1 requests, they may have differences in interpretation while parsing non-compliant requests. These differences in interpretation can cause Desync where different proxies in the chain may disagree on request boundaries and therefore may not process the same request. This could leave behind arbitrary messages that may be prepended to the next request in the queue and smuggled to the backend. Ultimately, request smuggling can make applications vulnerable to request queue or cache poisoning, which could lead to credential hijacking or execution of unauthorized commands.

An option to mitigate Desync is to only allow requests that strictly conform to RFC. However, a large percentage of real world requests include characters that don't strictly conform to RFC. As a result, pursuing a strategy of only allowing requests that has strict conformance could pose an availability risk to some legitimate use-cases. With Desync Mitigation Mode, your ALB/CLB will provide durable security while maintaining the availability and performance of your application. To accomplish this, the load balancer will classify every request based on its threat level using an AWS Open Source library called HTTP Desync Guardian. You can then configure your load balancer and choose the appropriate mitigation strategy based on the security needs of your application. With this feature, your ALB or CLB will mitigate threats to your application from HTTP vulnerabilities both in front of the load balancer and behind it.

With Desync Mitigation Mode, customers can choose among three modes - “Defensive”, “Strictest”, and “Monitor”. In the “Defensive” mode, the load balancer will perform three specific tasks. First, it will allow your application to receive known safe requests irrespective of their RFC 7230 compliance. Second, it will block requests that are not RFC compliant and are known security threats. Third, it will close both the client and upstream connections irrespective of HTTP keep-alive limits for ambiguous requests. Ambiguous requests are requests that are not RFC 7230 compliant, and can cause Desync because they are subject to varying interpretations by different proxies or web-servers. The “Defensive” mode is chosen as your default as it provides a durable hands-free mitigation against HTTP Desync, while maintaining the availability of your application. You can opt into the “Strictest” mode if you need to ensure that your application only sees requests that are RFC 7230 compliant. Finally, you also have the flexibility to configure “Monitor” mode, if you want your load balancer to forward all requests it receives, regardless of classification, to the application behind it.

New or Affected Resource(s

• aws_elb
• aws_lb

Potential Terraform Configuration

resource "aws_lb" "lb_test" {
  desync_mitigation_mode = {monitor,defensive,strictest}
}

References

• https://aws.amazon.com/about-aws/whats-new/2020/08/application-and-classic-load-balancers-adding-defense-in-depth-with-introduction-of-desync-mitigation-mode/

• https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#desync-mitigation-mode

[roberth-k]

#14764

[github-actions]

This functionality has been released in v3.67.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.