TY - GEN
T1 - Rescuing QUIC Flows From Countermeasures Against UDP Flooding Attacks
AU - Lee, Junseok
AU - Kim, Minhyeong
AU - Song, Wonjun
AU - Kim, Younghoon
AU - Kim, Dohyung
N1 - Publisher Copyright:
© 2024 Copyright is held by the owner/author(s). Publication rights licensed to ACM.
PY - 2024/4/8
Y1 - 2024/4/8
AB - Due to advantages such as quick connection establishment and multiple streams over a single connection, QUIC was included in the new standard of HTTP 3.0 as an alternative transport layer protocol. Since QUIC operates on UDP, however, QUIC flows can be blocked by existing countermeasures against UDP flooding attacks, even if their transmission rates are fairly controlled by congestion control algorithms, as in TCP. In this paper, we confirm that such a problem arises in the real-world Internet environment and design effective approaches to avoid it. In the first approach, the gateway router dynamically sets the rate limit for the QUIC flow, based on the expected next CWND size estimated by the receiver using a built-in congestion control algorithm. The second approach leverages the proactive dropping of packets (or ECN marking) to distinguish whether the flow is a self-regulated QUIC flow or an unresponsive UDP attack/selfish flow. Simulation studies using the ns-3 simulator confirm that the proposed approaches can selectively allow QUIC flows regardless of their short-term transmission rates while preserving the effectiveness of existing countermeasures against UDP flooding attacks.
KW - network security
KW - receiver-side RTT estimation in QUIC
KW - self-regulated QUIC flows
KW - UDP flooding attacks
UR - http://www.scopus.com/inward/record.url?scp=85197683665&partnerID=8YFLogxK
U2 - 10.1145/3605098.3635885
DO - 10.1145/3605098.3635885
M3 - Conference contribution
AN - SCOPUS:85197683665
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 1072
EP - 1080
BT - 39th Annual ACM Symposium on Applied Computing, SAC 2024
PB - Association for Computing Machinery
T2 - 39th Annual ACM Symposium on Applied Computing, SAC 2024
Y2 - 8 April 2024 through 12 April 2024
ER -