Jonas Mücke: A QUICker Internet? (Christmas Lecture)

A QUICker Internet? On pitfalls, attacks, and discovering hypergiant infrastructures with QUIC

Quick UDP Internet Connections (QUIC) is a new transport protocol built on top of UDP. It reduces latency by including TLS negotiations into its handshake. While this standardized approach can significantly decrease latency, we find suboptimal handshake behavior for most QUIC-supporting websites in the Tranco Top 1M list.

The IETF designed QUIC to be unattractive for amplification attacks by limiting the initial return payloads in its RFC. We find that large certificates and optimizations for RTT estimates are the main reasons for non-RFC-compliant amplifications before client address validation. This also often causes multiple round trip times instead of the promised 1-RTT handshake to establish an encrypted connection. We find that certificate compression, the use of ECDSA over RSA, and packet coalescence can significantly improve the present  situation.

Further, we observe Internet Background Radiation (IBR) in the /9 CAIDA network telescope. While IBR is mainly caused by scanning traffic, QUIC resource exhaustion attacks--similar to TCP SYN floods--become visible. Often, QUIC attacks are combined with attacks capitalizing other protocols. The collected data additionally allows detailed observations on hypergiant deployments. From solely passive measurements, we can infer retransmission timeouts and the maximum number of retransmissions per hypergiant. Packet features such as Server connection IDs, packet coalescence, and typical packet lengths allow the identification of hypergiant off-net servers. The server connection IDs open detailed insights into the load balancer deployment and load balancing fairness at Meta.