QUIC-Tr4ck: Mitigating QUIC-Flood Attacks Using Programmable Data Planes
Abstract
The QUIC protocol aims to improve the performance of Web applications by allowing multiplexed connections to be established over UDP. However, as QUIC-based services have grown in popularity, they have become targets of malicious attacks, mainly Denial of Service (DoS) attacks. Although solutions that operate on endpoints already exist to mitigate attacks against QUIC, solutions based on programmable data planes (PDP) for detecting and mitigating attacks against the QUIC protocol remain largely uninvestigated. In this paper, we present QUIC-Tr4ck, a system for tracking QUIC packets using a hybrid approach that combines programmable data planes (using P4 and sketches) with an SDN controller (which consolidates snapshots for a more holistic analysis of the network state). QUIC-Tr4ck allows switches to intercept QUIC connections and identify malicious clients proactively and preemptively, that is, before they exhaust a server's resources.
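To make the hybrid design concrete, the following Python sketch (an added illustration, not QUIC-Tr4ck's own P4 or controller code) has each "switch" count QUIC Initial packets per source in a count-min sketch and a "controller" merge the per-switch snapshots before applying a threshold; the sketch geometry, the threshold, the addresses and the packets are all constructed assumptions.

```python
import hashlib
ROWS, COLS = 3, 256      # assumed sketch geometry (small for illustration)
INITIAL_THRESHOLD = 20   # assumed per-window limit on Initial packets per source

def is_quic_initial(payload: bytes) -> bool:
    """RFC 9000 long header: form and fixed bits set, version 1, long packet
    type 0b00 (Initial); 0-RTT, Handshake, Retry and short headers return False."""
    if len(payload) < 5 or payload[0] & 0xC0 != 0xC0:
        return False
    return int.from_bytes(payload[1:5], "big") == 1 and payload[0] & 0x30 == 0

def _col(row: int, key: str) -> int:
    # One hash function per row, derived from a row-salted blake2b digest
    h = hashlib.blake2b(f"{row}:{key}".encode(), digest_size=8).digest()
    return int.from_bytes(h, "big") % COLS

def sketch_query(sketch, key: str) -> int:
    # Count-min estimate: never under-counts, may over-count on collisions
    return min(sketch[r][_col(r, key)] for r in range(ROWS))

def switch_process(sketch, packets) -> None:
    """Data-plane stage: count only Initial packets, keyed by source address."""
    for src, payload in packets:
        if is_quic_initial(payload):
            for r in range(ROWS):
                sketch[r][_col(r, src)] += 1

def controller_merge(snapshots):
    """Sketches built with the same hashes merge by cell-wise sum, so the
    controller sees the network-wide count even when each switch saw a slice."""
    merged = [[0] * COLS for _ in range(ROWS)]
    for s in snapshots:
        for r in range(ROWS):
            for c in range(COLS):
                merged[r][c] += s[r][c]
    return merged

def suspicious_sources(merged, candidates, threshold=INITIAL_THRESHOLD):
    return sorted(s for s in candidates if sketch_query(merged, s) > threshold)

# Constructed packets: a QUIC v1 Initial and a 1-RTT short-header packet
INITIAL = bytes([0xC0, 0, 0, 0, 1, 8]) + b"\x00" * 8
SHORT = bytes([0x40]) + b"\x00" * 16

def demo():
    """Two switches each see half of one source's Initials: neither snapshot
    alone crosses the threshold, the controller's merged view does."""
    sw1, sw2 = ([[0] * COLS for _ in range(ROWS)] for _ in range(2))
    switch_process(sw1, [("10.0.0.9", INITIAL)] * 15 + [("10.0.0.2", INITIAL)] * 2)
    switch_process(sw2, [("10.0.0.9", INITIAL)] * 15 + [("10.0.0.2", SHORT)] * 40)
    return suspicious_sources(controller_merge([sw1, sw2]), ["10.0.0.9", "10.0.0.2"])
```

The short-header traffic from 10.0.0.2 never reaches the sketch, which is the point of filtering on Initial packets: they are what a QUIC flood uses to force handshake work on the server.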
