Cybersecurity best practices and DDoS defence strategies
QUIC, technically still in its draft phase, was developed by Google to reduce latency compared to that of TCP. In a QUIC reflection attack, perpetrators spoof the victim's IP address and request information from several servers. When the servers respond, all the information is directed to the victim instead of the perpetrator. Because QUIC combines UDP with TLS encryption, the server's first reply message, which contains its TLS certificate, is much larger than the client's initial message. It is this characteristic of QUIC that allows perpetrators to trick a server into directing large quantities of unwelcome data to an unwitting third-party victim.
One suggested protection method is to require the initial QUIC packet to meet a specific minimum length and to carry a unique connection ID with the fragment bit off. However, this only has the effect of protecting the QUIC server. Another highly recommended method is to deploy source address validation using stateless retries through "Retry Packets", which effectively averts large response packets in the initial stage. To benefit the most from this method, it is critical that the Retry Packets are correctly defined, so that the QUIC server does not send multiple Retry Packets in response to a client handshake packet. Although the use of stateless retries will increase the initial handshake duration slightly, this method could significantly help safeguard against reflection attacks.
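The two server-side checks described above, the minimum Initial length and source address validation with a stateless Retry token, can be sketched as follows. This is an added example, not Nexusguard's code or any QUIC library's API: the function names and the HMAC token layout are assumptions for illustration (production servers typically encrypt the token), and the 1200-byte minimum is the value from RFC 9000.

```python
import hashlib
import hmac
import os
import struct
import time

MIN_INITIAL_LEN = 1200   # RFC 9000: client Initial datagrams are padded to >= 1200 bytes
TOKEN_LIFETIME = 10      # seconds a Retry token stays valid (assumed value)
SECRET = os.urandom(32)  # server-side token key (assumption: rotated in production)
TAG_LEN = 32             # HMAC-SHA256 output size


def _tag(addr, body):
    """Bind the token body to the claimed source IP and port."""
    return hmac.new(SECRET, f"{addr[0]}:{addr[1]}".encode() + body, hashlib.sha256).digest()


def make_retry_token(addr, odcid, now=None):
    """Token = issue time || len(ODCID) || ODCID || HMAC; the server keeps no state."""
    ts = int(time.time() if now is None else now)
    body = struct.pack("!QB", ts, len(odcid)) + odcid
    return body + _tag(addr, body)


def validate_token(token, addr, now=None):
    """Return the original DCID if the token is fresh and was issued to addr, else None."""
    if len(token) < 9 + TAG_LEN:
        return None
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(addr, body)):
        return None
    ts, cid_len = struct.unpack("!QB", body[:9])
    age = int(time.time() if now is None else now) - ts
    if not 0 <= age <= TOKEN_LIFETIME or len(body) != 9 + cid_len:
        return None
    return body[9:]


def handle_initial(datagram_len, addr, token=b"", now=None):
    """Decide how to answer one client Initial: 'drop', 'retry' or 'handshake'."""
    if datagram_len < MIN_INITIAL_LEN:
        return "drop"        # undersized Initial: send nothing back
    if not token:
        return "retry"       # unvalidated address: one small Retry, no certificate flight
    if validate_token(token, addr, now) is None:
        return "drop"        # forged, stale or wrong-address token: no second Retry
    return "handshake"       # source address proven, full TLS flight may be sent
```

Because the token is bound to the source address, a spoofed victim never receives the large certificate flight: at most it sees one small Retry per Initial, and a token captured elsewhere fails validation when presented from a different address.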
Since QUIC is still an experimental protocol, it is imperative to implement security and protection measures to defend against DDoS attacks during the draft stage when developing web applications using QUIC. Through the attentive analysis of attack patterns and years of DDoS fighting experience, Nexusguard is adept at identifying and mitigating various attacks including memcached reflection attacks and DNSSEC amplification attacks, quickly and efficiently. Moreover, Nexusguard’s DDoS threat research on attack data from botnet scanning, honeypots, CSPs and traffic moving between attackers and target QUIC servers ensures that illegitimate source traffic is dropped instantly, and that threat reputation lists are constantly kept up-to-date.
As the cyber threat landscape spirals as a result of new reflected amplification exploits and growing IoT botnets, CSPs must bolster their security and protection measures in order to safeguard their network infrastructure and deliver clean traffic to customers.
© 2023 Nexusguard - All Rights Reserved.