A Survey on the Security Issues of QUIC

Y A Joarder and Carol Fung
Concordia Institute for Information Systems Engineering (CIISE), Concordia University, Montreal, Canada
[email protected], [email protected]

2022 6th Cyber Security in Networking Conference (CSNet) | 979-8-3503-9722-2/22/$31.00 ©2022 IEEE | DOI: 10.1109/CSNET56116.2022.9955622

Abstract—A newly established multiplexed network protocol, QUIC, which is based on the User Datagram Protocol (UDP), has emerged in recent years and quickly gained a large share of Internet traffic. Initially proposed by Google, the goal of QUIC is to achieve higher Internet communication performance and eventually replace the Transmission Control Protocol (TCP) + Transport Layer Security (TLS) + HTTP/2 architecture. In particular, the third version of the Hypertext Transfer Protocol, HTTP/3.0, is built on top of QUIC. A good number of research papers have been published recently to evaluate the performance and security of the QUIC protocol. In this paper, we conduct a comprehensive survey of QUIC security issues and analyze future research directions from a security perspective. We investigate several topics, including the QUIC protocol structure, the QUIC security model, security issues related to the QUIC protocol, and future research directions on QUIC security. To the best of our knowledge, it is one of the first surveys that focus on the security of the QUIC protocol.

Index Terms—QUIC, Survey, TLS, Network Security, HTTP/3, Network Protocol, Transport Layer Protocol, TCP, UDP, Vulnerabilities

I. INTRODUCTION

In recent years, a contemporary general-purpose, reliable, latency-reducing, connection-oriented and secure transport layer network protocol, QUIC [1], has emerged and gained popularity quickly. It is now the default encrypted transport layer protocol for the majority of well-known applications, including Facebook, Gmail, Instagram, Google Chrome, and YouTube [2]. Interestingly, from the operating system's perspective, it looks like an application layer protocol that behaves like a transport layer network protocol. The QUIC protocol's primary goals are to increase the speed of Internet traffic and reduce latency by decreasing the connection establishment duration [3], to multiplex without Head-of-Line (HOL) blocking [4], and to provide invariably encrypted edge-to-edge security [5]. In 2012, Google first introduced a new transport layer network protocol built on the User Datagram Protocol (UDP), titled "gQUIC", to address the web traffic performance issues of that time [6], [7]. In 2016, the Internet Engineering Task Force (IETF) formed a group to extend and standardize QUIC. The effort led to the standardized QUIC protocol as RFC 9000 in May 2021 [8]. At around the same time, RFC 9001 [9] was released, which standardizes how TLS 1.3 functions as the security component of the QUIC protocol. It is worth noting that HTTP/3 [10] connections can only be established over QUIC. QUIC was developed as a better substitute for the Transmission Control Protocol (TCP) [8]. It has multiple unique or pioneering characteristics that, in theory, surpass TCP in various areas. For instance, it offers a 0-Round Trip Time (0-RTT) handshake mechanism to reduce handshake latency [11]. Although the same feature is possible in TCP by combining TCP Fast Open (TFO) with 0-RTT (early data) in TLS 1.3, the recent version of QUIC is superior to TFO regarding the security of the 0-RTT handshake mechanism [12]. Since the 0-RTT feature was initiated by QUIC and performs better in the QUIC architecture than in TFO, we can consider 0-RTT to be a pioneering feature of QUIC. By using a multiplexing approach, it also overcomes the HOL blocking issue, which is one of the major problems of TCP. To be mobility-friendly and responsive, it has a connection migration feature as well [13]. Note that connection migration refers to switching from one type of network to another type of network, for example, from a Local Area Network (LAN) connection to a Wide Area Network (WAN) connection. There are already a number of QUIC implementations in use; some of them use gQUIC and others the standardized QUIC. gQUIC is still used by about 8% of the top 10 million leading websites, according to the latest assessments of those sites [14]. In contrast, approximately 25% of websites worldwide presently use HTTP/3 over QUIC [15]. More than 75% of Facebook's Internet traffic used QUIC and HTTP/3 by October 2020 [16].

In spite of the higher performance that a de novo design brought to QUIC, security loopholes still exist, and QUIC cannot perform to its full potential in the real world. As a result, every now and then, cyber attackers contravene the QUIC protocol's security [5]. Large technological organizations, Internet Content Providers (ICPs), and other businesses are increasingly embracing

Authorized licensed use limited to: SICHUAN UNIVERSITY. Downloaded on January 26,2024 at 07:08:56 UTC from IEEE Xplore. Restrictions apply.
QUIC, making it a desirable target for malicious attackers. Thus, analyzing and enumerating the security issues and threats of QUIC on existing network services is vital. A lot of research has been conducted and published in the literature regarding the security issues around QUIC [5], [17], [18], [19], [20], [21]. Unfortunately, there is still a lack of a pervasive inspection of the pertinent literature on QUIC security. In this paper, we aim at filling the gap and conduct a comprehensive survey of the QUIC protocol's security-related issues that have been published so far.

Contributions: In this paper, we introduce the essential features of QUIC and its development history. We also provide a security analysis of QUIC, including the security model, security issues, and types of security threats. Finally, we discuss probable future research directions for QUIC security-related challenges. The contributions of this paper can be summarized as follows:
● To fully comprehend the QUIC protocol's operational principles
● To analyze the QUIC protocol's security model
● To identify all the existing security issues and threats of the QUIC protocol
● To envision the directions of future research on problems related to QUIC security

The rest of the paper is structured as follows. Section II gives a synopsis of the QUIC protocol. Section III presents the security analysis of QUIC. Section IV provides the discussion and our vision of the future research scope on QUIC security. Finally, Section V concludes the paper.

II. SYNOPSIS OF QUIC PROTOCOL

In this section, we succinctly introduce the overall operational principles (synopsis) of the QUIC protocol, including the architecture, protocol characteristics, connection establishment process, and packet structure.

A. Architecture of QUIC Protocol

QUIC uses the operating system's UDP (User Datagram Protocol) socket downstream to give application layer protocols (e.g., HTTP/3) a dependable and secure transmission channel. Although the implementation is based on UDP, which is a transport layer protocol, QUIC does not rely on UDP's features in its protocol design and does not use UDP ports to identify a transport layer connection. Because QUIC builds upon UDP at the transport layer, it has often been described as a transport layer protocol [1], [22]. The TCP/IP network uses a five-tuple (source port, destination port, protocol, source IP address and destination IP address) to uniquely identify a connection. In the QUIC protocol, a globally unique, randomly generated Connection ID is used to identify a connection. The QUIC connection created in the original network can therefore be easily moved to a new network, so that the network service is not disrupted when the user switches networks. This is particularly useful for the handover process in cellular or WiFi networks. Figure 1 illustrates the architectural view of the QUIC protocol.

Fig. 1: Architecture of the QUIC protocol

B. Protocol Characteristics of QUIC

The two most significant new features of QUIC, compared to TCP, are the capability for multiplexing on a single connection and reduced handshake latency.

1) Multiplexing Overview: The multiplexing capability allows QUIC to circumvent TCP's Head-of-Line (HOL) blocking issue [23]. As illustrated in Figure 2, a TCP connection maintains a First In First Out (FIFO) channel, which requires the receiver to strictly follow the sender's order while processing the received data. In the example in Figure 2, the client transmits packets 3 and 4 to the server. If packet 4 arrives before packet 3, the upper layer application will hold the processing of packet 4 until packet 3 is received. This delay is called HOL blocking [24], [25] in TCP.

Fig. 2: Singleplexing in TCP

QUIC fixes the HOL blocking issue by adding the capability for multiplexing on a transport layer connection. Figure 3 shows the multiplexing mechanism in QUIC. Under the transport layer connection, the idea of a stream is introduced. Multiple streams can be present over one QUIC connection; however, these streams are independent of one another and each assures the FIFO

order. From this perspective, a "flow" in QUIC is similar to a "connection" in TCP because both terms are used for a FIFO communication channel. In QUIC, however, many flows share connection information. By using a single QUIC connection for numerous streams instead of many TCP connections, multiplexing is accomplished while also preserving system compatibility.

Fig. 3: Multiplexing in QUIC

2) Handshaking Mechanism: QUIC developed its own handshake protocol and outperforms TCP+TLS in terms of handshake latency. TLS stands for Transport Layer Security [26], [27]. To guarantee data security, it employs both asymmetric and symmetric encryption. The Diffie-Hellman algorithm or the RSA algorithm completes the handshake protocol in TLS 1.2. With the RSA algorithm, the handshake requires 2 Round Trip Times (2-RTTs), because at first the two parties (client and server) exchange their respective RSA public keys before sending a freshly created shared key using RSA encryption. On the other hand, TLS 1.3 uses only the Diffie-Hellman algorithm for key exchange.

The RTT difference between the TCP handshake (TCP+TLS 1.2 and TCP+TLS 1.3) and the QUIC handshake is depicted in Figure 4a. For TCP+TLS 1.2, a minimum of 3-RTTs must pass during the handshake between the client and the server, including 1-RTT for the TCP handshake and 2-RTTs for the TLS handshake. The handshake for TCP+TLS 1.3 is reduced to 2-RTT. QUIC has further optimized the handshake: it allows the TLS handshake to take place in parallel with the transport layer handshake, which reduces the delay to 1-RTT. Therefore, this handshake of QUIC is referred to as a 1-RTT handshake. If the client has previously connected to the server, the shared key is reused and the client can connect immediately. In other words, data transfer does not need to wait for the handshake to finish. This procedure of QUIC is called 0-RTT. It dramatically minimizes the client's handshake latency, which can greatly enhance communication efficiency.

C. Connection Establishment Process in QUIC

In QUIC, the handshake procedure is used to establish the first connection. Figure 4b represents QUIC's handshake process in detail. The client sends the server an Initial packet at the beginning of the connection, which contains a TLS 1.3 "Client Hello" message. An Initial packet, which includes the TLS "Server Hello", is then returned by the server. A Handshake packet made up of certificates, encrypted extensions, and other TLS server messages comes next. A message from the client is delivered after the handshake. Using 1-RTT packets, application data can now be sent.

D. Packet Structure of QUIC

Each QUIC packet contains two main sections: "Header" and "Payload". The header portion of a packet contains the data necessary to make sure the packet reaches the desired destination. The payload portion of a packet includes the data that the packet is intended to deliver. The header of a QUIC packet can be long or short depending on the scenario, which is one of the major differences between QUIC and TCP. Until both 1-RTT packet protection and version negotiation are finished, long header packets are used for the first exchange. The majority of data is carried via short header packets. Figure 5 shows the long and short header packets, respectively. A 1-RTT "Protected Payload" is always included in packets with a short header.

III. SECURITY ANALYSIS OF QUIC

As a novel transport layer network protocol, QUIC has attracted much attention in research recently, including evaluations of its security features. We divide them into three major categories: 1) 0-RTT Handshake and Forward Security, 2) QUIC's Security Model, and 3) Security Threats of QUIC. Each category is elaborated in the following subsections.

A. 0-RTT Handshake and Forward Security

An important security feature of communication protocols is forward security, which prevents the disclosure of earlier session keys in the event that the long-term master key is compromised [28]. Both the TLS 1.3 handshake of QUIC and TLS 1.2's 1-RTT handshake effectively provide forward security. However, QUIC's TLS 1.3 0-RTT handshake is unable to offer forward security for both communicating parties [5]. This is because the initial session key, which is used in the 0-RTT communication process, is derived from the server's static configuration. The key protecting the 0-RTT data will also be exposed if the configuration is compromised in the future. This is a great security concern of the QUIC protocol. To address this issue, Günther et al. [29] modified the server side of QUIC's 0-RTT handshake to provide forward security. The authors employed a unique key design: the current key is changed each time the server decrypts a ciphertext, and the new key takes the place of the original key. This way forward security is guaranteed

Fig. 4: (a) TCP and QUIC Handshake Latency illustration (b) QUIC's Handshake Procedure

since the ciphertext that has already been processed cannot be reverse-encrypted or decrypted again. The QUIC protocol is also no longer susceptible to replay attacks as a result of this design.

B. QUIC's Security Model

Fischlin et al. [30] used a multi-stage key exchange model to demonstrate the security flaws in QUIC's handshake, where the security of the QUIC protocol cannot be guaranteed even if both communicating parties employ a safe encryption protocol that includes an authentication mechanism for data encryption. To address this issue, the authors suggested QUICi, a key-independent version, which is capable of conforming to their security paradigm. QUICi implements a more sophisticated key generation technique to improve security. Afterwards, Lychev et al. [5] performed an extensive investigation of the security of QUIC. They introduced the Quick Communication (QC) protocol to define the use of the initial session key before the final session key is created for the 0-RTT handshake. The QACCE (Quick Authenticated And Confidential Channel Establishment) model is used to demonstrate the security of the QUIC connection formation procedure and the data encryption transmission mechanism. To address the forward security issue of QUIC's 0-RTT handshake, Jager et al. [31] proposed the Bleichenbacher attack to quickly guess the server's secret key in TLS 1.2, compromising the security of the protocol [32]. By adopting PKCS#1 v1.5, QUIC avoided the security flaws in TLS 1.2 and is no longer vulnerable to similar attacks.

Fig. 5: Long and Short Header Packet Structure of QUIC

C. Security Threats of QUIC

Although QUIC assures data communication security, attackers can still obstruct regular communication between two parties. This subsection goes over different types of security threats to the QUIC protocol.

1) QUIC Reflection DDoS Attack: An attacker can launch a QUIC flood Distributed Denial-of-Service (DDoS) attack [17] to overwhelm the targeted server via QUIC. When the attack traffic volume is high, the victim service slows down and impacts authorized users. QUIC is based on UDP, which provides little information about the sender to the receiver; as a result, DDoS attacks through QUIC are a challenging issue. The QUIC protocol is especially vulnerable to reflection-based DDoS attacks. A QUIC reflection DDoS attack involves spoofing the victim's IP address and sending queries to many servers. The servers' responses go to the victim rather than the offender. As QUIC was created in conjunction with TCP and TLS encryption, the first reply message contains the server's TLS certificate and is significantly larger than the query message from the client, which makes it possible for attackers to use third-party servers to send a huge amount of unwanted traffic to a victim.

2) Handshake Denial of Service: QUIC offers authenticated and encrypted transport [13] to remove spoofed traffic. The majority of unauthenticated packets are discarded by QUIC endpoints through handshakes, which prevents attackers from tampering with active connections. QUIC endpoints may accept some unauthenticated ICMP packets after a connection has been made; however, their impact is limited. An alternative packet type that an endpoint may acknowledge is a stateless reset, which depends on the confidentiality of the token. QUIC only offers defense

against attacks coming from outside the network where a connection is established. Every QUIC packet includes proof that the recipient saw a previous packet from its peer. However, the available defenses are not meant to be useful against an attacker who can capture QUIC packets before the connection is made.

According to [5], QUIC is susceptible to a number of security threats. These attacks are separated into two categories, online attacks and offline attacks, depending on whether the attacker is on the network path connecting the client and the server.

3) Online Attacks: As mentioned by Li et al. [11], an attacker can make both parties (client and server) in the communication believe that the connection has been successful for a long period of time by tampering with the connection ID used by the client during the handshake process. However, they are unable to process the received data normally; as a result, the connection drops. The attacker can also tamper with the source-address token [11] in a manner similar to the connection ID tampering attack, preventing both parties from parsing the data packets that the other side has received. The connection is seen as successful within the first few seconds before being aggressively cut off.

4) Offline Attacks: Li et al. [11] described a server configuration repeat attack, which is similar to TCP reset injection [33]. In this attack, the attacker sniffs the server's configuration information and uses that knowledge, together with a spoofed server IP address, to transmit a reset packet to the client, which resets the QUIC connection. Iyengar et al. [13] also described that stateless resets can lead to a DoS attack. This attack is available if an attacker can make a connection with a certain connection ID with a stateless reset token. An attacker who obtains this token can reset an open connection with the same connection ID.

QUIC is unable to offer an efficient way to stop both online and offline attackers from disrupting a QUIC connection. Such attacks can cause both parties' connections to go inactive for a while, which can be used by online attackers to delay detection, although both communicating parties are able to identify it. It takes little connection-related knowledge for an attacker to break a QUIC connection.

5) Reflective Amplification Attack and State Exhaustion Attack: In 2021, Nawrocki et al. [17] described a security loophole in QUIC's handshake protocol. During the first round trip, the server responds to an unverified source. As a result, an attacker can easily mount a Reflective Amplification Attack [17] and a State Exhaustion Attack [34]. Responding to an unverified source is a vital security weakness of the QUIC protocol.

6) Spoofed ACK Attack: Iyengar et al. [13] presented a severe security loophole of QUIC where an attacker may get an address validation token from the server and subsequently divulge the IP address used to get the token. The attacker may spoof this IP address to connect to a server using a 0-RTT connection disguised as the victim. The server will then transfer an excessive quantity of data to the IP address, which allows the attacker to spoof ACK frames to the server.

7) Stream Fragmentation and Reassembly Attacks: As Iyengar et al. mentioned in [13], to generate excessive receive buffer memory commitment and/or the formation of a big, inefficient data structure, an adversarial sender may purposefully send stream data fragments. In order to force the sender to hold unacknowledged stream data for retransmission, an adversarial receiver may purposefully fail to acknowledge packets carrying stream data.

8) Cache Poisoning Attacks: This is a cyber attack in which perpetrators inject false data into a web cache or DNS cache with the intent of harming users [35]. Cache poisoning attacks against HTTP-based implementations, like QUIC, are immensely troublesome [36].

9) Slowloris Attacks: Slowloris attacks [13] can be carried out against a QUIC endpoint by producing the bare minimum of activity required to prevent it from being shut down for inactivity. They aim to keep as many connections open as possible to the target destination, by sending sparse quantities of data, progressively opening flow control windows to regulate the sender rate, or creating ACK frames that imitate a high loss rate.

10) Explicit Congestion Notification Attacks: Another major security threat for the QUIC protocol is Explicit Congestion Notification (ECN) attacks [13]. In order to affect the sender's rate, an on-path attacker can change the value of the ECN code points in the IP header. To alter the sender's rate, an on-the-side attacker can copy and transmit packets with altered ECN code points. An off-path attacker will need to race the duplicate packet against the original in order to succeed in this attack if the recipient discards duplicate packets.

11) Optimistic ACK Attack: In an optimistic ACK attack [13], a congestion controller could allow transmission at rates higher than what the network can handle because an endpoint acknowledges packets it has not received. In order to identify this behavior, an endpoint can skip packet numbers while transmitting packets. If a skipped packet number is then acknowledged, the endpoint has the option to instantly terminate the connection with a PROTOCOL_VIOLATION connection error [37].

12) Firewall Negligence Issue: Firewalls often offer a variety of options when handling HTTP/HTTPS traffic [38]. When web traffic is discovered by a firewall, it often goes via a web protection module that runs extensive

checks using deep packet inspection and web filtering. Firewalls these days can provide a lot of information, including enhanced reporting and malware scanning. However, the majority of firewalls do not recognize QUIC traffic as web traffic [2], so QUIC packets do not receive the same amount of inspection and logging. This raises serious security issues, with consequences such as not being able to limit access to websites or to turn on safe search on Google.

13) Recently Explored Attacks: Chatzoglou et al. [43] categorized the security-related attacks on QUIC into five types: Cryptographic Attacks, Handshake Attacks, Privacy Attacks, Fuzzing Attacks, and Transport Layer Attacks. They found some new issues in the QUIC protocol after deploying QUIC, including QUIC-downgrade, QUIC-out-of-joint, QUIC-fuzz, QUIC-loris, QUIC-flooding and QUIC-encapsulation. They mentioned that a potential future research challenge for QUIC is a "QUIC-focused fuzzer": a stateful QUIC fuzzer can be helpful for finding setup errors in the several QUIC implementations. Table I shows an overall taxonomy of QUIC attacks.

IV. DISCUSSION AND FUTURE WORK

Although some research work has been done on QUIC security, there is still room for advancement in the current body of scientific research regarding QUIC security. In this section, we discuss our vision of future work that can be done on QUIC security.

1) A Comprehensive Study on How Resistant QUIC is against IP Spoofing and Flooding Attacks: No research has yet focused on QUIC's resistance to IP spoofing and flooding attacks. Although address validation protection is implemented by QUIC, it should be further investigated whether this protection is functional in all QUIC implementations. In addition, we could compare the available protection mechanisms of QUIC against a User Datagram Protocol (UDP) based amplification attack, and we could propose feasible countermeasures that can be adopted by QUIC to improve its robustness.

2) Balancing Security with Performance: The forward-secure 0-RTT handshake [29] has a high performance cost, while the 0-RTT handshake used by QUIC cannot ensure forward security. On the other hand, in order to obtain stronger security than the current security standards, QUIC uses TLS 1.3. As a result, the processing demands of QUIC on the CPU have significantly increased due to the encryption and decryption burden imposed by QUIC. Thus, it is important to investigate and explore how to balance security and computation overhead.

3) The Competition between QUIC and TCP as well as the Prediction of the Future of QUIC: The trend of increasing QUIC traffic has left TCP less and less bandwidth to use. However, will it completely take over TCP in the bandwidth competition? We could answer this question by investigating the competition between QUIC and TCP as the bandwidth shares change. Through studying the cost and benefit of adopting QUIC, we can make a prediction on the future of QUIC.

4) Cache Poisoning Attacks against QUIC: Cache poisoning attacks (DNS, web and so on) against HTTP-based implementations can be very problematic. However, no study has yet looked at similar attacks against QUIC. Future research can study cache poisoning threats in such infrastructures because QUIC is implemented in many proxies and load balancers.

5) Guarantee Mechanisms for QUIC Connections: As we described in the last section, QUIC connections are accessible to online or offline attackers. To better identify malicious attackers' actions and enhance connection security, we can investigate how to improve the protocol to provide additional guarantee mechanisms for QUIC connections.

V. CONCLUSION

QUIC is a new transport layer protocol that appeared after 2012, which is built on top of UDP with several improvements over TCP to address its performance issues. It is designed to achieve lower latency and higher efficiency than TCP. In addition, QUIC offers improved privacy and higher performance in demanding network environments. In the past few years, much research has been done to address the security issues of the QUIC protocol. However, there is a lack of a comprehensive survey that focuses on QUIC security. In this paper, we aim to fill the gap and present a comprehensive survey on QUIC security. We expect this effort to serve as a foundation and source of references for more research in the related field.

REFERENCES

[1] A. Langley, A. Riddoch, A. Wilk, A. Vicente, C. Krasic, D. Zhang, F. Yang, F. Kouranov, I. Swett, J. Iyengar, J. Bailey, J. Dorfman, J. Roskind, J. Kulik, P. Westin, R. Tenneti, R. Shade, R. Hamilton, V. Vasiliev, W.-T. Chang, and Z. Shi, "The QUIC Transport Protocol: Design and Internet-Scale Deployment," in Proceedings of the Conference of the ACM Special Interest Group on Data Communication, ser. SIGCOMM '17. New York, NY, USA: Association for Computing Machinery, Aug. 2017, pp. 183–196. [Online]. Available: https://doi.org/10.1145/3098822.3098842
[2] P. N. N. G, N. Dey, N. N, M. Hariprasad, S. S, M. Moharir, and M. Akram, "A Detail Survey on QUIC and its Impact on Network Data Transmission," in 2022 6th International Conference on Trends in Electronics and Informatics (ICOEI). Tirunelveli, India: IEEE, Apr. 2022, pp. 378–385. [Online]. Available: https://ieeexplore.ieee.org/document/9777199/
[3] P. Kumar, "QUIC (Quick UDP Internet Connections) – A Quick Study," Oct. 2020, arXiv:2010.03059 [cs]. [Online]. Available: http://arxiv.org/abs/2010.03059

Authorized licensed use limited to: SICHUAN UNIVERSITY. Downloaded on January 26,2024 at 07:08:56 UTC from IEEE Xplore. Restrictions apply.
TABLE I: Categorization of Attacks on QUIC

Major Types of Attacks Subtypes of Attacks and Research Works


Online Connection ID Tampering [11], Source-Address Token Tampering [11]
Offline Server Configuration Repeated [11] or State Reset Oracle [13], Crypto Stream Offset [11]
Handshake Packet Manipulation [5], Downgrade [5], [39], Crypto Stream Offset [5], Replay [5], [40],
QUIC RST [21], DoS [5], [21], [41], [17], Version forgery [21], [42], Packet Length
Manipulation [42], Missing parameters [42], Frame Mangling [42], State Overflow [17],
Reflective Amplification [17], QUIC-downgrade [43], QUIC-out-of-joint [43]
Cryptographic Decryption [31], Drown [32], Client Impersonation [44], Selfie [45], Nonce Reuse/Misuse
[46]
Fuzzing Information Leak [47], Implementation Vulnerabilities [48], Impersonation [49], Enumeration
[50], QUIC-fuzz [43], QUIC-flooding [43] QUIC-loris [43]
Transport Layer UDP Hole Punching [51], QUIC-encapsulation [43]
Privacy Traffic Analysis [52], [19], Website Fingerprinting [19], [20], [18], Session Linking [53]
Others Spoofed ACK [13], Optimistic ACK [13], Slowloris [13], Steam Fragmentation and Reassem-
bly [13], Stream Commitment [13], Explicit Congestion Notification [13], Cache Poisoning
Attacks [35], [36]

[4] R. Marx, T. De Decker, P. Quax, and W. Lamotte, “Resource Multiplexing and Prioritization in HTTP/2 over TCP Versus HTTP/3 over QUIC,” in Web Information Systems and Technologies, ser. Lecture Notes in Business Information Processing, A. Bozzon, F. J. Domínguez Mayo, and J. Filipe, Eds. Cham: Springer International Publishing, 2020, pp. 96–126.
[5] R. Lychev, S. Jero, A. Boldyreva, and C. Nita-Rotaru, “How Secure and Quick is QUIC? Provable Security and Performance Analyses,” in 2015 IEEE Symposium on Security and Privacy, May 2015, pp. 214–231, ISSN: 2375-1207.
[6] “Experimenting with QUIC.” [Online]. Available: https://blog.chromium.org/2013/06/experimenting-with-quic.html
[7] “QUIC,” Jul. 2022, page Version ID: 1097684976. [Online]. Available: https://en.wikipedia.org/w/index.php?title=QUIC&oldid=1097684976
[8] J. Iyengar and M. Thomson, “QUIC: A UDP-Based Multiplexed and Secure Transport,” Internet Engineering Task Force, Request for Comments RFC 9000, May 2021. [Online]. Available: https://datatracker.ietf.org/doc/rfc9000/
[9] M. Thomson and S. Turner, “Using TLS to Secure QUIC,” Internet Engineering Task Force, Request for Comments RFC 9001, May 2021. [Online]. Available: https://datatracker.ietf.org/doc/rfc9001/
[10] M. Bishop, “HTTP/3,” Internet Engineering Task Force, Request for Comments RFC 9114, Jun. 2022. [Online]. Available: https://datatracker.ietf.org/doc/draft-ietf-quic-http/34/
[11] L. Xuebing, C. Yang, Z. Mengying, and W. Xin, “Internet Data Transfer Protocol QUIC: A Survey,” Journal of Computer Research and Development, vol. 57, no. 9, p. 1864, Sep. 2020. [Online]. Available: https://crad.ict.ac.cn/EN/10.7544/issn1000-1239.2020.20190693
[12] S. Chen, S. Jero, M. Jagielski, A. Boldyreva, and C. Nita-Rotaru, “Secure Communication Channel Establishment: TLS 1.3 (over TCP Fast Open) versus QUIC,” Journal of Cryptology, vol. 34, no. 3, p. 26, May 2021. [Online]. Available: https://doi.org/10.1007/s00145-021-09389-w
[13] J. Iyengar and M. Thomson, “QUIC: A UDP-Based Multiplexed and Secure Transport,” Jul. 2022. [Online]. Available: https://greenbytes.de/tech/webdav/draft-ietf-quic-transport-16.html#handshake-denial-of-service
[14] “Usage Statistics of QUIC for Websites, July 2022.” [Online]. Available: https://w3techs.com/technologies/details/ce-quic
[15] “Usage Statistics of HTTP/3 for Websites, July 2022.” [Online]. Available: https://w3techs.com/technologies/details/ce-http3
[16] “How Facebook is bringing QUIC to billions,” Oct. 2020. [Online]. Available: https://engineering.fb.com/2020/10/21/networking-traffic/how-facebook-is-bringing-quic-to-billions/
[17] M. Nawrocki, R. Hiesgen, T. C. Schmidt, and M. Wählisch, “QUICsand: Quantifying QUIC Reconnaissance Scans and DoS Flooding Events,” in Proceedings of the 21st ACM Internet Measurement Conference, Nov. 2021, pp. 283–291, arXiv:2109.01106 [cs]. [Online]. Available: http://arxiv.org/abs/2109.01106
[18] L. Barman, S. Siby, C. Wood, M. Fayed, N. Sullivan, and C. Troncoso, “This is not the padding you are looking for! On the ineffectiveness of QUIC PADDING against website fingerprinting,” arXiv, Tech. Rep. arXiv:2203.07806, Mar. 2022, arXiv:2203.07806 [cs] type: article. [Online]. Available: http://arxiv.org/abs/2203.07806
[19] P. Zhan, L. Wang, and Y. Tang, “Website fingerprinting on early QUIC traffic,” Computer Networks, vol. 200, p. 108538, Dec. 2021. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S1389128621004618
[20] Y. Govil, L. Wang, and J. Rexford, “MIMIQ: Masking IPs with Migration in QUIC,” 2020. [Online]. Available: https://www.usenix.org/conference/foci20/presentation/govil
[21] X. Cao, S. Zhao, and Y. Zhang, “0-RTT Attack and Defense of QUIC Protocol,” in 2019 IEEE Globecom Workshops (GC Wkshps), Dec. 2019, pp. 1–6.
[22] “QUIC: Design Document and Specification Rationale.” [Online]. Available: https://docs.google.com/document/d/1RNHkx_VvKWyWg6Lr8SZ-saqsQx7rFV-ev2jRFUoVD34/edit?usp=embed_facebook
[23] M. Scharf and S. Kiesel, “NXG03-5: Head-of-line Blocking in TCP and SCTP: Analysis and Measurements,” in IEEE Globecom 2006, Nov. 2006, pp. 1–5, ISSN: 1930-529X.
[24] F. Qian, V. Gopalakrishnan, E. Halepovic, S. Sen, and O. Spatscheck, “TM3: 11th ACM Conference on Emerging Networking Experiments and Technologies, CoNEXT 2015,” Proceedings of the 11th ACM Conference on Emerging Networking Experiments and Technologies, CoNEXT 2015, Dec. 2015. [Online]. Available: http://www.scopus.com/inward/record.url?scp=84994161453&partnerID=8YFLogxK
[25] “SMig: Stream Migration Extension For HTTP/2,” Jan. 2017. [Online]. Available: https://cse.buffalo.edu/faculty/xmi/publication/conext16_http2/
[26] E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.3,” Internet Engineering Task Force, Request for Comments RFC 8446, Aug. 2018. [Online]. Available: https://datatracker.ietf.org/doc/rfc8446/
[27] S. R. Das, “Evaluation of QUIC on web page performance,” Thesis, Massachusetts Institute of Technology, 2014. [Online]. Available: https://dspace.mit.edu/handle/1721.1/91444
[28] M. Bellare and B. Yee, “Forward-Security in Private-Key Cryptography,” in Topics in Cryptology – CT-RSA 2003, ser. Lecture Notes in Computer Science, M. Joye, Ed. Berlin, Heidelberg: Springer, 2003, pp. 1–18.
[29] F. Günther, B. Hale, T. Jager, and S. Lauer, “0-RTT Key Exchange with Full Forward Secrecy,” in Advances in Cryptology – EUROCRYPT 2017, ser. Lecture Notes in Computer Science, J.-S. Coron and J. B. Nielsen, Eds. Cham: Springer International Publishing, 2017, pp. 519–548.
[30] M. Fischlin and F. Günther, “Multi-Stage Key Exchange and the Case of Google’s QUIC Protocol,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’14. New York, NY, USA: Association for Computing Machinery, Nov. 2014, pp. 1193–1204. [Online]. Available: https://doi.org/10.1145/2660267.2660308
[31] T. Jager, J. Schwenk, and J. Somorovsky, “On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption,” Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12-16, 2015, 2015. [Online]. Available: https://ris.uni-paderborn.de/record/3121
[32] N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel, J. Steube, L. Valenta, D. Adrian, J. A. Halderman, V. Dukhovni, E. Käsper, S. Cohney, S. Engels, C. Paar, and Y. Shavitt, “DROWN: Breaking TLS Using SSLv2,” 2016, pp. 689–706. [Online]. Available: https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/aviram
[33] N. C. Weaver, “TCP Reset Injection,” in Encyclopedia of Cryptography and Security, H. C. A. van Tilborg and S. Jajodia, Eds. Boston, MA: Springer US, 2011, pp. 1282–1283. [Online]. Available: https://doi.org/10.1007/978-1-4419-5906-5_119
[34] X. Wang, “Memory and State Exhaustion Denial of Service,” in Encyclopedia of Cryptography and Security, H. C. A. van Tilborg and S. Jajodia, Eds. Boston, MA: Springer US, 2011, pp. 773–774. [Online]. Available: https://doi.org/10.1007/978-1-4419-5906-5_270
[35] “What is cache poisoning and how does it work?” [Online]. Available: https://www.techtarget.com/searchsecurity/definition/cache-poisoning
[36] K. Man, Z. Qian, Z. Wang, X. Zheng, Y. Huang, and H. Duan, “DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels,” in Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. Virtual Event USA: ACM, Oct. 2020, pp. 1337–1350. [Online]. Available: https://dl.acm.org/doi/10.1145/3372297.3417280
[37] J. Iyengar and M. Thomson, “QUIC: A UDP-Based Multiplexed and Secure Transport,” Internet Engineering Task Force, Internet Draft draft-ietf-quic-transport-19. [Online]. Available: https://datatracker.ietf.org/doc/draft-ietf-quic-transport/19/
[38] W. M. Shbair, T. Cholez, J. Francois, and I. Chrisment, “A Survey of HTTPS Traffic and Services Identification Approaches,” Aug. 2020, arXiv:2008.08339 [cs]. [Online]. Available: http://arxiv.org/abs/2008.08339
[39] S. Lee, Y. Shin, and J. Hur, “Return of version downgrade attack in the era of TLS 1.3,” in Proceedings of the 16th International Conference on emerging Networking EXperiments and Technologies. New York, NY, USA: Association for Computing Machinery, Nov. 2020, pp. 157–168. [Online]. Available: https://doi.org/10.1145/3386367.3431310
[40] M. Fischlin and F. Günther, “Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates,” in 2017 IEEE European Symposium on Security and Privacy (EuroS&P), Apr. 2017, pp. 60–75.
[41] A. Saverimoutou, B. Mathieu, and S. Vaton, “Which secure transport protocol for a reliable HTTP/2-based web service: TLS or QUIC?” in 2017 IEEE Symposium on Computers and Communications (ISCC), Jul. 2017, pp. 879–884.
[42] E. Gagliardi and O. Levillain, “Analysis of QUIC session establishment and its implementations,” in 13th IFIP International Conference on Information Security Theory and Practice (WISTP), ser. Information Security Theory and Practice, M. Laurent and T. Giannetsos, Eds., vol. LNCS-12024. Paris, France: Springer International Publishing, Dec. 2019, pp. 169–184. [Online]. Available: https://hal.archives-ouvertes.fr/hal-02468596
[43] E. Chatzoglou, V. Kouliaridis, G. Karopoulos, and G. Kambourakis, “Revisiting QUIC attacks: A comprehensive review on QUIC security and a hands-on study,” In Review, preprint, Jul. 2022. [Online]. Available: https://www.researchsquare.com/article/rs-1676730/v1
[44] C. Cremers, M. Horvat, S. Scott, and T. van der Merwe, “Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication,” in 2016 IEEE Symposium on Security and Privacy (SP), May 2016, pp. 470–485, ISSN: 2375-1207.
[45] N. Drucker and S. Gueron, “Selfie: reflections on TLS 1.3 with PSK,” Journal of Cryptology, vol. 34, no. 3, p. 27, May 2021. [Online]. Available: https://doi.org/10.1007/s00145-021-09387-y
[46] B. Arunkumar and G. Kousalya, “Nonce reuse/misuse resistance authentication encryption schemes for modern TLS cipher suites and QUIC based web servers,” Journal of Intelligent & Fuzzy Systems, vol. 38, no. 5, pp. 6483–6493, Jan. 2020. [Online]. Available: https://content.iospress.com/articles/journal-of-intelligent-and-fuzzy-systems/ifs179729
[47] K. L. McMillan and L. D. Zuck, “Formal specification and testing of QUIC,” in Proceedings of the ACM Special Interest Group on Data Communication, ser. SIGCOMM ’19. New York, NY, USA: Association for Computing Machinery, Aug. 2019, pp. 227–240. [Online]. Available: https://doi.org/10.1145/3341302.3342087
[48] G. S. Reen and C. Rossow, “DPIFuzz: A Differential Fuzzing Framework to Detect DPI Elusion Strategies for QUIC,” in Annual Computer Security Applications Conference, ser. ACSAC ’20. New York, NY, USA: Association for Computing Machinery, Dec. 2020, pp. 332–344. [Online]. Available: https://doi.org/10.1145/3427228.3427662
[49] J. Zhang, X. Gao, L. Yang, T. Feng, D. Li, and Q. Wang, “A Systematic Approach to Formal Analysis of QUIC Handshake Protocol Using Symbolic Model Checking,” Security and Communication Networks, vol. 2021, p. e1630223, Aug. 2021. [Online]. Available: https://www.hindawi.com/journals/scn/2021/1630223/
[50] K. Thimmaraju and B. Scheuermann, “Count Me If You Can: Enumerating QUIC Servers Behind Load Balancers,” Electronic Communications of the EASST, vol. 80, no. 0, Sep. 2021. [Online]. Available: https://journal.ub.tu-berlin.de/eceasst/article/view/1172
[51] K. Y. Gbur and F. Tschorsch, “A QUIC(K) Way Through Your Firewall?” arXiv, Tech. Rep. arXiv:2107.05939, Jul. 2021, arXiv:2107.05939 [cs] type: article. [Online]. Available: http://arxiv.org/abs/2107.05939
[52] V. Tong, H. A. Tran, S. Souihi, and A. Mellouk, “A Novel QUIC Traffic Classifier Based on Convolutional Neural Networks,” in 2018 IEEE Global Communications Conference (GLOBECOM). Abu Dhabi, United Arab Emirates: IEEE Press, Dec. 2018, pp. 1–6. [Online]. Available: https://doi.org/10.1109/GLOCOM.2018.8647128
[53] G. Arfaoui, X. Bultel, P.-A. Fouque, A. Nedelcu, and C. Onete, “The privacy of the TLS 1.3 protocol,” Proceedings on Privacy Enhancing Technologies, vol. 2019, pp. 190–210, 2019. [Online]. Available: https://hal.archives-ouvertes.fr/hal-02482253
