A Study of Deployed Defenses Against Reflected Amplification Attacks in QUIC

We presented our paper “A Study of Deployed Defenses Against Reflected Amplification Attacks in QUIC” at the 2025 IEEE Network Traffic Measurement and Analysis Conference (TMA 2025). You can find the full paper here.

Abstract

While the QUIC specification now includes mechanisms to prevent DoS attacks, they might not always be enforced by servers. With the increasing deployment of QUIC servers, it is now becoming more important to avoid vulnerabilities that could be exploited on a large scale. This paper presents an extensive study of the current state of QUIC servers and how they implement the mechanisms to prevent DoS attacks. The paper focuses on two different amplification DoS attacks that can be performed using QUIC HTTP/3 servers, enabled by the handshake and the connection migration mechanism. We investigate how QUIC servers respond to these attacks and if they are compliant with the general guidelines regarding the amplification protection. Our results show that while a large proportion of QUIC servers are respectful of the specification, around 20 % of the IPv4 servers tested are still breaking the amplification limit for the handshake attack while most of the IPv6 servers are compliant. Most of the servers who support connection migration use the path validation mechanism, preventing the attack on connection migration. Overall, the amplification factor of the attacks remains quite low with a median slightly lower than the limit of 3, set in the standard, for the handshake attack and under 1 for the migration attack.