Manipulating health-check endpoints or responses can cause healthy targets to be marked unavailable, leading to denial of service.
Networking / Loadbalancer / Threats / DEV
Health Checks Are Exploited to Take Services Offline
CCC.LB.TH05
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.LB.CP12 | Target Health Checks | Ability to continuously perform health checks on backend backend targets in form of checking the response to HTTP request, TCP connection or checking other application-specific parameter |
| CCC.LB.CP13 | Health Checks-based Target Removal | If the health check detects that a backend target is unhealthy the load balancer will remove that unhealthy target from its list of available backend instances. This ensures that traffic is no longer routed to the unhealthy target. |
Related Controls
| ID | Title | Description |
|---|---|---|
| CCC.LB.CN06 | Secure Health-Check Telemetry | Monitor health-check endpoints for tampering and alert on abnormal status changes. |