Configure desync mitigation mode for your Classic Load Balancer

Desync mitigation mode protects your application from issues due to HTTP desync. The load balancer classifies each request based on its threat level, allows safe requests, and then mitigates risk according to the mitigation mode that you specify. The desync mitigation modes are monitor, defensive, and strictest. The default is the defensive mode, which provides durable mitigation against HTTP desync while maintaining the availability of your application. You can switch to strictest mode to ensure that your application receives only requests that comply with RFC 7230.

The http_desync_guardian library analyzes HTTP requests to prevent HTTP desync attacks. For more information, see HTTP Desync Guardian on GitHub.

Tip

This configuration applies only to Classic Load Balancers. For information that applies to Application Load Balancers, see Desync mitigation mode for Application Load Balancers.

Classifications

The classifications are as follows.

  • Compliant — Request complies with RFC 7230 and poses no known security threats.

  • Acceptable — Request does not comply with RFC 7230 but poses no known security threats.

  • Ambiguous — Request does not comply with RFC 7230 but poses a risk, as various web servers and proxies could handle it differently.

  • Severe — Request poses a high security risk. The load balancer blocks the request, serves a 400 response to the client, and closes the client connection.

The following lists describe the issues for each classification.

Acceptable
  • A header contains a non-ASCII or control character.

  • The request version contains a bad value.

  • There is a Content-Length header with a value of 0 for a GET or HEAD request.

  • The request URI contains a space that is not URL encoded.

Ambiguous
  • The request URI contains control characters.

  • The request contains both a Transfer-Encoding header and a Content-Length header.

  • There are multiple Content-Length headers with the same value.

  • A header is empty or there is a line with only spaces.

  • There is a header that can be normalized to Transfer-Encoding or Content-Length using common text normalization techniques.

  • There is a Content-Length header for a GET or HEAD request.

  • There is a Transfer-Encoding header for a GET or HEAD request.

Severe
  • The request URI contains a null character or carriage return.

  • The Content-Length header contains a value that cannot be parsed or is not a valid number.

  • A header contains a null character or carriage return.

  • The Transfer-Encoding header contains a bad value.

  • The request method is malformed.

  • The request version is malformed.

  • There are multiple Content-Length headers with different values.

  • There are multiple Transfer-Encoding: chunked headers.

If a request does not comply with RFC 7230, the load balancer increments the DesyncMitigationMode_NonCompliant_Request_Count metric. For more information, see Classic Load Balancer metrics.

Modes

The following table describes how Classic Load Balancers treat requests based on mode and classification.

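| Classification | Monitor mode | Defensive mode | Strictest mode |
|----------------|--------------|----------------|----------------|
| Compliant      | Allowed      | Allowed        | Allowed        |
| Acceptable     | Allowed      | Allowed        | Blocked        |
| Ambiguous      | Allowed      | Allowed¹       | Blocked        |
| Severe         | Allowed      | Blocked        | Blocked        |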

¹ Routes the requests but closes the client and target connections.
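
The classification lists and the mode table above can be combined into one decision function. The following is an added example, not AWS code and not the http_desync_guardian implementation: it checks a simplified subset of the listed issues on a raw request head and looks up the resulting action per mode. The names classify, decide, LEVELS and ACTIONS are hypothetical, and the sample request and host app.example.com are constructed.

```python
# Added example: a simplified subset of the page's rules, not http_desync_guardian itself.
LEVELS = ["Compliant", "Acceptable", "Ambiguous", "Severe"]

# Mode table from the page, indexed by LEVELS position. "allowed-close" is
# footnote 1: the request is routed, then client and target connections close.
ACTIONS = {
    "monitor":   ["allowed", "allowed", "allowed", "allowed"],
    "defensive": ["allowed", "allowed", "allowed-close", "blocked"],
    "strictest": ["allowed", "blocked", "blocked", "blocked"],
}

def classify(raw: bytes) -> str:
    """Return the highest classification triggered by the request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")          # assumes METHOD SP URI SP VERSION
    method, uri = parts[0], b" ".join(parts[1:-1])
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(b":") for line in header_lines)]
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    get_head = method in (b"GET", b"HEAD")
    checks = [
        (b" " in uri, 1),                                   # unencoded space in URI
        (get_head and cl == [b"0"], 1),                     # CL: 0 on GET/HEAD
        (bool(cl) and bool(te), 2),                         # both TE and CL
        (len(cl) > 1 and len(set(cl)) == 1, 2),             # duplicate CL, same value
        (get_head and bool(te), 2),                         # TE on GET/HEAD
        (get_head and bool(cl) and cl != [b"0"], 2),        # CL on GET/HEAD
        (any(not line.strip() for line in header_lines), 2),  # spaces-only line
        (any(b"\x00" in l or b"\r" in l for l in header_lines), 3),  # NUL or bare CR
        (any(not v.isdigit() for v in cl), 3),              # unparseable CL
        (len(set(cl)) > 1, 3),                              # conflicting CL values
        (sum(v.lower() == b"chunked" for v in te) > 1, 3),  # repeated TE: chunked
    ]
    return LEVELS[max((lvl for hit, lvl in checks if hit), default=0)]

def decide(mode: str, raw: bytes) -> tuple[str, str]:
    """Map a raw request to (classification, action) for the given mode."""
    level = classify(raw)
    return level, ACTIONS[mode][LEVELS.index(level)]

# Constructed sample: Content-Length and Transfer-Encoding on one request.
SAMPLE = (b"POST /submit HTTP/1.1\r\nHost: app.example.com\r\n"
          b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for mode in ACTIONS:
        print(mode, decide(mode, SAMPLE))
```

Running a captured request through all three modes before switching a load balancer to strictest shows which existing client traffic would start receiving 400 responses.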

Modify desync mitigation mode

To update desync mitigation mode using the console
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, under Load Balancing, choose Load Balancers.

  3. Choose the name of the load balancer to open its detail page.

  4. On the Attributes tab, choose Edit.

  5. On the Edit load balancer attributes page, under Traffic configuration, choose Defensive - recommended, Strictest, or Monitor.

  6. Choose Save changes.

To update desync mitigation mode using the AWS CLI

Use the modify-load-balancer-attributes command with the elb.http.desyncmitigationmode attribute set to monitor, defensive, or strictest.

aws elb modify-load-balancer-attributes --load-balancer-name my-load-balancer --load-balancer-attributes file://attribute.json

The following is the contents of attribute.json.

{
    "AdditionalAttributes": [
        {
            "Key": "elb.http.desyncmitigationmode",
            "Value": "strictest"
        }
    ]
}

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.