Security and service vulnerabilities with HTTP/3

dc.contributor.author Sudhan S., Hari Hara
dc.contributor.author Kulkarni, Sameer G.
dc.contributor.other 16th International Conference on Communication Systems & Networks (COMSNETS 2024)
dc.coverage.spatial India
dc.date.accessioned 2024-03-07T14:53:16Z
dc.date.available 2024-03-07T14:53:16Z
dc.date.issued 2024-01-03
dc.identifier.citation Sudhan S., Hari Hara and Kulkarni, Sameer G., "Security and service vulnerabilities with HTTP/3", in the 16th International Conference on Communication Systems & Networks (COMSNETS 2024), Bengaluru, IN, Jan. 3-7, 2024.
dc.identifier.uri https://doi.org/10.1109/COMSNETS59351.2024.10427406
dc.identifier.uri https://repository.iitgn.ac.in/handle/123456789/9838
dc.description.abstract The adoption of Hypertext Transfer Protocol v3 (HTTP/3 or H3) is on the rise. In this context, we analyze the security vulnerabilities of H3, specifically with the QUIC protocol, and the associated challenges they pose to the commonly used network middleboxes. First, we demonstrate how the connection migration feature of QUIC can be used by malicious clients to launch denial of service (DoS) attacks through resource exhaustion of the connection state tables in the simple network address and port translation (NAPT) devices. Further, we show that the connection migration feature disrupts the services of various critical network middleboxes like Layer3/4 load-balancers, rate-limiters, and intrusion detection/prevention systems that rely on the connection state table for their faithful operation. We also present a feasible solution to mitigate the DoS attacks in connection tracking middleboxes. Second, we show how the spin bit in QUIC short header packets can act as a highly reliable covert channel to exchange information stealthily across two end-points. Nonetheless, this spin-bit can also be used to shield from spoofing attacks. Although H3, by virtue of QUIC, aims to be a secure and privacy-preserving protocol, the existence of such vulnerabilities calls for the community to explore and adopt additional measures to make H3 a truly secure protocol.
dc.description.statementofresponsibility by Hari Hara Sudhan S. and Sameer G. Kulkarni
dc.language.iso en_US
dc.publisher Institute of Electrical and Electronics Engineers
dc.subject HTTP/3
dc.subject QUIC
dc.subject Security
dc.subject Denial of service
dc.subject Middlebox
dc.subject Network functions
dc.title Security and service vulnerabilities with HTTP/3
dc.type Conference Paper


Files in this item

Files Size Format View

There are no files associated with this item.
