QUICkly Running Out of Money
Evaluating QUIC Resilience to Traffic Inflating Attacks
G. Menon (University of Padua)
E. Bassetti (TU Delft - Cyber Security)
M. Conti (University of Padua)
Abstract
The adoption of the QUIC protocol has significantly improved the performance and security of modern internet applications, mainly due to the central role that encryption plays in the protocol. However, this emerging protocol introduces new vulnerabilities that can be exploited for malicious purposes. This paper investigates the resilience of QUIC to selective traffic manipulation attacks aimed at inflating network traffic, which can lead to increased operational costs for service providers and degraded user experiences. We present three distinct attacks designed to manipulate QUIC traffic by selectively dropping or manipulating packets. One attack can be executed by any middlebox in the network path between the client and the server, while the others require the attacker to have some previous control of QUIC components. Through experimental analysis, we evaluate the impact of these attacks on inflating the packet and data accounting. Our results show that attackers can effectively increase data traffic up to 50% of the original transmission size without altering the content of the QUIC communication. These findings highlight the potential for significant traffic inflation and offer insights into countermeasures that could mitigate the risks posed by these vulnerabilities.
Files
File under embargo until 02-08-2026