
Classic Load Balancer desync mitigation mode is defensive or strictest

elb_desync_mitigation_mode

Severity: medium
Service: elb
by Prowler

Classic Load Balancer desync_mitigation_mode is evaluated to determine whether it is configured as defensive or strictest. Any other mode (such as monitor) is identified for attention.

Risk

Without strict desync mitigation, HTTP request smuggling can occur, enabling:

  • Cache/queue poisoning (integrity)
  • Session hijacking and data exposure (confidentiality)
  • Unintended backend actions and abuse (availability)

Run this check with Prowler CLI

prowler aws --checks elb_desync_mitigation_mode
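The evaluation this check performs, written out as an added offline example (not Prowler's own source): it reads the attribute key used in the remediation command below from the shape returned by `describe-load-balancer-attributes` and reports PASS only for defensive or strictest. The sample responses and load balancer names are constructed; the `audit_live` helper is an assumed boto3 wrapper for running the same logic against a real account.

```python
"""Offline replica of the desync_mitigation_mode evaluation (added example)."""

COMPLIANT_MODES = {"defensive", "strictest"}
ATTR_KEY = "elb.http.desyncmitigationmode"


def desync_mode(attributes: dict) -> str:
    """Return the desync mitigation mode from a LoadBalancerAttributes dict.
    If the attribute is absent, AWS applies its documented default, defensive."""
    for attr in attributes.get("AdditionalAttributes", []):
        if attr.get("Key") == ATTR_KEY:
            return str(attr.get("Value", "")).lower()
    return "defensive"


def evaluate(name: str, attributes: dict) -> dict:
    """One finding per Classic Load Balancer, mirroring the check's PASS/FAIL logic."""
    mode = desync_mode(attributes)
    status = "PASS" if mode in COMPLIANT_MODES else "FAIL"
    return {"name": name, "mode": mode, "status": status}


def audit(load_balancers: dict) -> list:
    """Evaluate a mapping of LoadBalancerName -> LoadBalancerAttributes."""
    return [evaluate(name, attrs) for name, attrs in load_balancers.items()]


# Constructed sample describe-load-balancer-attributes payloads (not real resources).
SAMPLE = {
    "clb-monitor": {"AdditionalAttributes": [{"Key": ATTR_KEY, "Value": "monitor"}]},
    "clb-strict": {"AdditionalAttributes": [{"Key": ATTR_KEY, "Value": "strictest"}]},
    "clb-unset": {"CrossZoneLoadBalancing": {"Enabled": True}},
}


def audit_live(region: str = "us-east-1") -> list:
    """Assumed helper: run the same evaluation against a live account with boto3."""
    import boto3  # imported here so the offline sample runs without boto3 installed

    elb = boto3.client("elb", region_name=region)
    names = [lb["LoadBalancerName"]
             for lb in elb.describe_load_balancers()["LoadBalancerDescriptions"]]
    return audit({n: elb.describe_load_balancer_attributes(LoadBalancerName=n)
                  ["LoadBalancerAttributes"] for n in names})


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(f'{finding["status"]} {finding["name"]} (mode={finding["mode"]})')
```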

Recommendation

Set CLB desync mitigation to defensive or, where compatible, strictest. Validate in staging to avoid client breakage. Apply defense in depth: enforce strict header handling, pair with WAF controls, and monitor non-compliant request indicators.

Remediation

CLI

aws elb modify-load-balancer-attributes --load-balancer-name <load-balancer-name> --load-balancer-attributes '{"AdditionalAttributes":[{"Key":"elb.http.desyncmitigationmode","Value":"defensive"}]}'

Other

  1. Open the AWS Management Console and go to EC2
  2. Under Load Balancing, select Load Balancers
  3. Select your Classic Load Balancer
  4. On the Attributes tab, click Edit
  5. Set Desync mitigation mode to Defensive or Strictest
  6. Click Save changes

Resource Type

AwsElbLoadBalancer
