Exploiting QUIC’s Connection ID Management

Tue, 19 Mar 2024 00:00:00 +0000

QUIC’s connection ID issuance mechanism is vulnerable to a resource exhaustion attack similar to the recently reported attack against QUIC’s path validation mechanism.

I discovered this vulnerability in December 2023 and disclosed it to the IETF QUIC working group. Among 17 QUIC stacks surveyed, 11 were found vulnerable, including my own (quic-go), Cloudflare quiche, Neqo (Mozilla), lsquic (LiteSpeed) and MsQuic (Microsoft). Due to the large number of affected implementations, and the lengthy release cycles of some of them, the disclosure of this vulnerability only happened on March 12th. Since then, most affected implementations have released fixes.

Exploiting QUIC's Path Validation

Mon, 18 Dec 2023 00:00:00 +0000

QUIC supports connection migration, allowing the client to migrate an established QUIC connection from one path to the other. QUIC’s path validation mechanism can be used to attack the peer and make it consume an unbounded amount of memory. While there have been a number of vulnerabilities in various QUIC implementations, this vulnerability is the first attack against the QUIC protocol itself, i.e. any RFC 9000-compliant implementation is necessarily vulnerable to this attack.

Vulnerability on

Exploiting QUIC’s Connection ID Management

Exploiting QUIC's Path Validation