Revisiting QUIC attacks: A comprehensive review on QUIC security and a hands-on study

Built on top of UDP, the recently standardized QUIC protocol primarily aims to gradually replace the TCP plus TLS plus HTTP/2 model. For instance, HTTP/3 is designed to exploit QUIC's features, including reduced connection establishment time, multiplexing without head of line blocking, always-encrypted end-to-end security, and others. This work serves two key objectives. Initially, it offers the first to our knowledge full-fledged review on QUIC security as seen through the lens of the relevant literature so far. Second and more importantly, through extensive fuzz testing, we conduct a hand-on security evaluation against the most six popular QUIC-enabled production-grade servers. This assessment identified several effective and practical zero-day vulnerabilities, which, if exploited, can quickly overwhelm the server resources. This finding is a clear indication that the fragmented production-level implementations of this contemporary protocol are not yet mature enough. Overall, the work at hand provides the first wholemeal appraisal of QUIC security from both a literature review and empirical standpoint, and it is therefore foreseen to serve as a reference for future research in this timely area.

CHATZOGLOU Efstratios;  KOULIARIDIS Vasileios;  KAROPOULOS Georgios;  KAMPOURAKIS Georgios; 

2023-05-15

SPRINGER

JRC129548

1615-5262 (online),   

https://link.springer.com/article/10.1007/s10207-022-00630-6,    https://publications.jrc.ec.europa.eu/repository/handle/JRC129548,   

10.1007/s10207-022-00630-6 (online),