Rescuing QUIC flows from countermeasures against UDP flooding attacks

Abstract

Due to advantages such as quick connection establishment and multiple streams over a single connection, QUIC was included in the new HTTP 3.0 standard as an alternative transport layer protocol. Since QUIC operates on UDP, however, QUIC flows can be blocked by existing countermeasures against UDP flooding attacks, even if their transmission rates are fairly controlled by congestion control algorithms, as in TCP. In this paper, we confirm that this problem arises in a real-world Internet environment and design effective approaches to avoid it. In the first approach, the gateway router dynamically sets the rate limit for the QUIC flow, based on the expected next CWND size estimated by the receiver using a built-in congestion control algorithm. The second approach leverages the proactive dropping of packets (or ECN marking) to distinguish whether the flow is a self-regulated QUIC flow or an unresponsive UDP attack/selfish flow. Simulation studies using the ns-3 simulator confirm that the proposed approaches can selectively allow QUIC flows regardless of their short-term transmission rates while preserving the effectiveness of existing countermeasures against UDP flooding attacks.
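The idea behind the second approach can be sketched as a toy model; this is an added example, not code from the paper or its ns-3 simulation. The sender models, the per-RTT packet counts and the `rate_limit`, `probe_rtts` and `backoff_ratio` parameters are all assumptions chosen for illustration.

```python
# Toy gateway probe (added illustration; all names and thresholds are assumed).

class AimdSender:
    """Self-regulated flow: grows cwnd by 1 per RTT, halves it on a loss."""
    def __init__(self, cwnd=40):
        self.cwnd = cwnd
    def send(self):
        return self.cwnd              # packets offered in this RTT
    def feedback(self, lost):
        self.cwnd = max(1, self.cwnd // 2) if lost else self.cwnd + 1

class FloodSender:
    """Unresponsive flow: constant rate, ignores loss signals."""
    def __init__(self, rate=40):
        self.rate = rate
    def send(self):
        return self.rate
    def feedback(self, lost):
        pass

def classify(sender, rate_limit=30, probe_rtts=3, backoff_ratio=0.75,
             max_rtts=50):
    """Forward the flow until it exceeds rate_limit, then drop one packet
    on purpose and check whether the offered rate falls afterwards."""
    for _ in range(max_rtts):
        baseline = sender.send()
        if baseline <= rate_limit:
            sender.feedback(lost=False)
            continue
        sender.feedback(lost=True)    # proactive drop (or ECN mark)
        observed = []
        for _ in range(probe_rtts):
            observed.append(sender.send())
            sender.feedback(lost=False)
        # A congestion-controlled flow backs off well below its baseline.
        if min(observed) <= backoff_ratio * baseline:
            return "responsive"       # exempt from the UDP flood limiter
        return "unresponsive"         # keep the existing countermeasure
    return "under-limit"

if __name__ == "__main__":
    for name, flow in [("aimd", AimdSender()), ("flood", FloodSender())]:
        print(name, classify(flow))
```

A real gateway would measure rates from packet arrivals per flow rather than query the sender, and would repeat the probe to resist senders that back off only once.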

Publication
Proceedings of the 39th ACM/SIGAPP Symposium on Applied Computing
Younghoon Kim 김영훈
Associate Professor

My research interests include distributed systems, high-performance computing/networking and data-center-related technologies.