DOI: 10.1145/3487552.3487840
research-article

QUICsand: quantifying QUIC reconnaissance scans and DoS flooding events

Published: 02 November 2021

ABSTRACT

In this paper, we present first measurements of Internet background radiation originating from the emerging transport protocol QUIC. Our analysis is based on the UCSD network telescope, correlated with active measurements. We find that research projects dominate the QUIC scanning ecosystem but also discover traffic from non-benign sources. We argue that although QUIC has been carefully designed to restrict reflective amplification attacks, the QUIC handshake is prone to resource exhaustion attacks, similar to TCP SYN floods. We confirm this conjecture by showing how this attack vector is already exploited in multi-vector attacks: On average, the Internet is exposed to four QUIC floods per hour and half of these attacks occur concurrently with other common attack types such as TCP/ICMP floods.


Published in

IMC '21: Proceedings of the 21st ACM Internet Measurement Conference
November 2021
768 pages
ISBN: 9781450391290
DOI: 10.1145/3487552

Copyright © 2021 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Overall Acceptance Rate: 277 of 1,083 submissions, 26%
