QUICforge: Client-side Request Forgery in QUIC

Publikation: Beitrag zu KonferenzenPaperBeigetragenBegutachtung

Beitragende

  • Konrad Yuri Gbur - , Technische Universität Berlin (Autor:in)
  • Florian Tschorsch - , Technische Universität Berlin (Autor:in)

Abstract

The QUIC protocol is gaining more and more traction through its recent standardization and the rising interest by various big tech companies, developing new implementations. QUIC promises to make security and privacy a first-class citizen; yet, challenging these claims is of utmost importance. To this end, this paper provides an initial analysis of client-side request forgery attacks that directly emerge from the QUIC protocol design and not from common vulnerabilities. In particular, we investigate three request forgery attack modalities with respect to their capabilities to be used for protocol impersonation and traffic amplification. We analyze the controllable attack space of the respective protocol messages and demonstrate that one of the attack modalities can indeed be utilized to impersonate other UDP-based protocols, e.g., DNS requests. Furthermore, we identify traffic amplification vectors. Although the QUIC protocol specification states anti-amplification limits, our evaluation of 13 QUIC server implementations shows that in some cases these mitigations are missing or insufficiently implemented. Lastly, we propose mitigation approaches for protocol impersonation and discuss ambiguities in the specification.

Details

OriginalspracheEnglisch
Seitenumfang14
PublikationsstatusVeröffentlicht - Feb. 2023
Peer-Review-StatusJa
Extern publiziertJa

Konferenz

Titel30th Annual Network and Distributed System Security (NDSS) Symposium
KurztitelNDSS 2023
Veranstaltungsnummer30
Dauer27 Februar - 3 März 2023
Webseite
OrtCatamaran Resort Hotel & Spa
StadtSan Diego
LandUSA/Vereinigte Staaten

Externe IDs

Scopus 85180621479