October 19, 2020

Could “QUIC” turn into the next most prevalent amplification attack vector?

Today, we use the Internet for so many different activities that it has become a necessity in our daily lives. The Domain Name Server (DNS) powered Internet allows us to shop online, pay bills, manage our money, download music, games, and the like. As more and more services rely on the Internet, DNS is increasingly important. However, such reliance opens up the possibility for abuse. From Domain Hijacking and DNS spoofing to DDoS attacks, DNS is no stranger to being attacked or worst still, being a potent attack vector.
Over the last few years, DNS Amplification has become the largest source of amplification attacks. Based on our attack data analysis, 9,719 attack cases were recorded in 2020 Q2, which is a 63% increase compared to the same period last year.

It’s easy to see why attackers would use DNS as an attack vector - DNS is a cornerstone of the Internet that translates domain names into corresponding IP addresses, while DNS queries and responses are UDP based, and domain data is readily available to anyone on the Internet. Furthermore, the amplification factor for DNS is 179X according to US-CERT.

QUIC (Quick UDP Internet Connections), a relatively new internet protocol, can be likened to DNS in that it is expected to have a huge presence online, especially since it is a more efficient and faster protocol than TCP-based HTTP with built-in security, and is already used for popular websites and apps such as Facebook, Uber and Youtube. Concerningly, as with many other Internet protocols, QUIC can also be used maliciously to launch amplification attacks - and given the growing popularity of its adoption to drive next-generation applications, QUIC, in a similar vein to DNS, could also potentially be used as an attack vector.


How QUIC can be abused

QUIC, technically still in its draft phase, was developed by Google to reduce latency compared to that of TCP. In a QUIC reflection attack, perpetrators spoof the victim's IP address and request information from several servers. When the servers respond, all the information is directed to the victim instead of the perpetrator. Because QUIC is developed in combination with UDP and TLS encryption, the server’s first reply message that contains its TLS certificate becomes much larger than the client's initial message. It is this characteristic of QUIC that allows perpetrators to trick a server into directing large quantities of unwelcome data to an unwitting third party victim.



Methods of Protecting QUIC

One suggested protection method is to enforce the initial QUIC packet to fulfill a specific minimum length, unique connection ID and off fragment bit. However, this only has the effect of protecting the QUIC server. Another highly recommended method is to deploy source address validation using stateless retries through “Retry Packets”, which effectively averts large response packets in the initial stage. In order to benefit the most from this method, it is critical that the Retry Packets are correctly defined to prevent the QUIC server sending multiple Retry Packets in response to a client handshake packet. Although the utilization of stateless retries will increase the initial handshake duration slightly, this method could significantly help safeguard against reflection attacks.


Mitigating QUIC Reflection Attacks at Nexusguard

Since QUIC is still an experimental protocol, it is imperative to implement security and protection measures to defend against DDoS attacks during the draft stage when developing web applications using QUIC. Through the attentive analysis of attack patterns and years of DDoS fighting experience, Nexusguard is adept at identifying and mitigating various attacks including memcached reflection attacks and DNSSEC amplification attacks, quickly and efficiently. Moreover, Nexusguard’s DDoS threat research on attack data from botnet scanning, honeypots, CSPs and traffic moving between attackers and target QUIC servers ensures that illegitimate source traffic is dropped instantly, and that threat reputation lists are constantly kept up-to-date.


Get the latest cybersecurity news and expert insights direct to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.