Cybersecurity best practices and DDoS defence strategies
QUIC, technically still in its draft phase, was developed by Google to reduce latency compared to that of TCP. In a QUIC reflection attack, perpetrators spoof the victim's IP address and request information from several servers. When the servers respond, all the information is directed to the victim instead of the perpetrator. Because QUIC is developed in combination with UDP and TLS encryption, the server’s first reply message that contains its TLS certificate becomes much larger than the client's initial message. It is this characteristic of QUIC that allows perpetrators to trick a server into directing large quantities of unwelcome data to an unwitting third party victim.
One suggested protection method is to enforce the initial QUIC packet to fulfill a specific minimum length, unique connection ID and off fragment bit. However, this only has the effect of protecting the QUIC server. Another highly recommended method is to deploy source address validation using stateless retries through “Retry Packets”, which effectively averts large response packets in the initial stage. In order to benefit the most from this method, it is critical that the Retry Packets are correctly defined to prevent the QUIC server sending multiple Retry Packets in response to a client handshake packet. Although the utilization of stateless retries will increase the initial handshake duration slightly, this method could significantly help safeguard against reflection attacks.
Since QUIC is still an experimental protocol, it is imperative to implement security and protection measures to defend against DDoS attacks during the draft stage when developing web applications using QUIC. Through the attentive analysis of attack patterns and years of DDoS fighting experience, Nexusguard is adept at identifying and mitigating various attacks including memcached reflection attacks and DNSSEC amplification attacks, quickly and efficiently. Moreover, Nexusguard’s DDoS threat research on attack data from botnet scanning, honeypots, CSPs and traffic moving between attackers and target QUIC servers ensures that illegitimate source traffic is dropped instantly, and that threat reputation lists are constantly kept up-to-date.
As the cyber threat landscape spirals as a result of new reflected amplification exploits and growing IoT botnets, CSPs must bolster their security and protection measures in order to safeguard their network infrastructure and deliver clean traffic to customers.