Understanding DDoS flood attacks utilizing the QUIC protocol
A QUIC flood is a distributed denial-of-service (DDoS) attack that tries to overwhelm a targeted server with traffic sent over the QUIC protocol. As the server spends CPU, memory, and bandwidth processing large volumes of QUIC packets, its performance degrades and it may eventually crash or stop accepting new connections. QUIC floods are hard to mitigate because QUIC runs over UDP: a UDP datagram carries no connection state of its own, so the server has little to go on before it starts processing each packet, and spoofed source addresses are cheap for the attacker. QUIC also encrypts packet payloads, so network devices in the path cannot inspect them, and the server itself must do cryptographic work before it can tell a legitimate packet from junk.
What is a DDoS attack?
In a DDoS attack, a threat actor attempts to disrupt or crash a server, website, or network by overwhelming it with massive amounts of unwanted or illegitimate traffic. To accomplish this, attackers use a botnet — a collection of thousands or millions of devices that have been infected with malware — which enables the attacker to control them. When attackers direct these compromised machines to send huge volumes of traffic to a targeted device, the device will eventually exhaust its resources or use all its connections to process or respond to malicious traffic. As a result, the device may crash or experience slower performance, making it unavailable to respond to legitimate traffic and users.
What is the QUIC protocol?
QUIC is an encrypted, connection-oriented transport protocol that runs over the User Datagram Protocol (UDP). Originally developed by Google and later standardized by the IETF (RFC 9000, with its use of TLS specified in RFC 9001), it is designed to replace the combination of TCP and TLS for applications and services that need low-latency connections. To set up a connection faster, QUIC merges the transport handshake and the TLS 1.3 handshake into one exchange: a new connection completes in a single round trip, compared with the TCP three-way handshake followed by a separate TLS handshake, and a resumed connection can carry application data in its very first packets (0-RTT). QUIC multiplexes several independent streams over one connection, so a lost packet stalls only the stream it belonged to rather than everything queued behind it, avoiding the head-of-line blocking that TCP suffers. All packet payloads are encrypted by default, because TLS is built into the protocol rather than layered on top of it.
What are the different types of QUIC floods?
QUIC's handshake is exposed to reflection, the technique of sending requests to many servers with the source address spoofed to the victim's so that every reply lands on the victim rather than on the attacker's devices. In a QUIC reflection attack the request is the client's first Initial packet, which carries the TLS ClientHello, and the reflectors are ordinary QUIC servers. Because QUIC runs TLS over UDP with no prior handshake, a server answers that single packet with its ServerHello, its certificate chain and the rest of its handshake messages, which can run to several kilobytes, so each small spoofed packet yields a much larger reply. Multiplied across many reflectors and a high packet rate, those replies can saturate the victim's link. Two rules in RFC 9000 bound the amplification: a client must pad any datagram carrying an Initial packet to at least 1200 bytes and a server must discard smaller ones, and a server must not send more than three times the number of bytes it has received from an address it has not yet validated. A server can also validate the address before doing any TLS work by answering with a small Retry packet carrying a token that the client must echo, which a spoofed source can never do. A compliant server therefore yields at most about 3x amplification, which is why the mitigations described later on this page matter.
Impact of QUIC flood attacks on business operations
QUIC flood attacks can significantly disrupt business operations, particularly those that rely heavily on online services and applications. When a server is overwhelmed by a flood of QUIC data, it can lead to slower performance and even crashes. This can result in downtime for websites, applications, and online services, affecting both productivity and customer experience.
For instance, ecommerce platforms may experience interruptions in their transaction processes, leading to lost sales and dissatisfied customers. Similarly, online service providers, such as streaming platforms or cloud-based software services, may face service disruptions that affect their user base and reputation.
Industries at risk
Industries that heavily rely on the internet for their operations are most at risk from QUIC flood attacks. These include the ecommerce, finance, and technology sectors. Ecommerce businesses are particularly vulnerable, as their operations are entirely online. A successful QUIC flood attack could lead to significant financial losses due to interrupted transactions and lost sales.
The finance sector, including online banking and fintech companies, is another industry at risk. These businesses handle sensitive customer data and rely on their services being available 24/7. Any disruption could not only lead to financial losses but also damage customer trust.
Are QUIC flood attacks a type of amplification attack?
QUIC flood attacks can take the form of an amplification attack, where a small input produces a much larger output, when attackers reflect Initial packets off third-party QUIC servers as described above. They exploit QUIC's use of UDP, which, like DNS, NTP, and the other UDP-based services abused for amplification, accepts packets with spoofed source addresses. A QUIC flood does not have to be amplified, however: a botnet can send full-size Initial packets directly, and the handshake work those packets trigger on the server is the point.
Source address validation is the control that matters here. A server that answers an unknown client with a small Retry packet carrying a token, and does the expensive TLS work only after the token comes back, has confirmed that the client can receive at the address it claims, which a spoofed source cannot do. Encryption does not stand in the way of that check; what it prevents is network devices inspecting QUIC payloads to sort legitimate packets from malicious ones.
DoS attacks, including QUIC floods, aim to overwhelm a system with traffic and make it unavailable. Firewalls can help by rate limiting UDP traffic to the QUIC port and blocking sources that misbehave, but they see only packet headers, not the encrypted contents, and a stateful firewall that creates an entry for every UDP flow can itself be exhausted by spoofed packets. This is why volumetric QUIC floods call for DDoS mitigation services with enough capacity to absorb the traffic before it reaches the origin.
How can a QUIC flood attack be blocked?
Security teams can prevent or mitigate QUIC flood attacks by combining several measures.
- Rate limiting. Limit the number of new QUIC Initial packets (new connection attempts) accepted per source IP address or subnet per second, separately from the overall packet rate, because a burst of Initials is far more expensive to serve than traffic on established connections.
- Minimum initial client message size. RFC 9000 requires clients to pad any datagram carrying an Initial packet to at least 1200 bytes and requires servers to discard smaller ones. Enforcing this at the edge means an attacker must spend at least 1200 bytes of bandwidth for every connection attempt, which removes most of the asymmetry a flood relies on.
- Address validation and the anti-amplification limit. Until a server has validated a client's address it must not send more than three times the bytes it has received from that address, and it can require the client to echo a Retry token before it performs the TLS handshake at all. Both are cheap for legitimate clients and defeat spoofed sources.
- DDoS mitigation services. Security teams can contract with a DDoS mitigation service that offers detection and mitigation techniques together with a network large enough to absorb the biggest volumetric attacks.
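The following is an added example, not code from Akamai or from any QUIC implementation, showing how the reflection limits described in the section on QUIC flood types and the first three measures above fit together at a listener. It parses the QUIC long header (RFC 9000 section 17.2) to pick out Initial packets, drops Initials carried in datagrams under 1200 bytes, applies a per-source limit on new Initials, and keeps the 3x anti-amplification budget for addresses that have not yet been validated. The source addresses, the datagrams and the rate-limit threshold are constructed for the sample; the Initial-shaped datagrams are not real handshakes, and the window counter is never aged out, which a production filter would have to do.

```python
"""Minimal QUIC Initial-packet policy: minimum datagram size, per-source rate limit,
and the anti-amplification budget (RFC 9000 sections 8.1, 14.1 and 17.2)."""
import struct
from collections import defaultdict
from dataclasses import dataclass

QUIC_V1 = 0x00000001
MIN_INITIAL_DATAGRAM = 1200   # section 14.1: clients pad Initial datagrams to >= 1200 bytes
AMPLIFICATION_FACTOR = 3      # section 8.1: send <= 3x bytes received before address validation
PACKET_TYPE_INITIAL = 0       # long packet type bits 0b00 in QUIC v1


@dataclass
class Verdict:
    action: str   # "accept", "drop", or "pass" (not an Initial; left to connection handling)
    reason: str


def parse_long_header(datagram: bytes):
    """Return (packet_type, version, dcid, scid) for a QUIC long-header packet,
    or None when the datagram does not start with one (short-header 1-RTT packets, garbage)."""
    if len(datagram) < 7:
        return None
    first = datagram[0]
    if first & 0xC0 != 0xC0:            # header form bit and fixed bit must both be set
        return None
    version = struct.unpack("!I", datagram[1:5])[0]
    pos = 5
    dcid_len = datagram[pos]
    pos += 1
    dcid = datagram[pos:pos + dcid_len]
    pos += dcid_len
    if pos >= len(datagram):
        return None
    scid_len = datagram[pos]
    pos += 1
    scid = datagram[pos:pos + scid_len]
    if len(dcid) != dcid_len or len(scid) != scid_len:
        return None
    packet_type = (first >> 4) & 0x03   # v1: 0 Initial, 1 0-RTT, 2 Handshake, 3 Retry
    return packet_type, version, dcid, scid


class InitialFilter:
    """Per-source policy for Initial packets. The window counter is not aged out here
    (assumption for the sample); a real filter would reset it periodically."""

    def __init__(self, max_initials_per_window: int = 20):
        self.limit = max_initials_per_window
        self.initials = defaultdict(int)   # src -> Initials accepted in this window
        self.received = defaultdict(int)   # src -> bytes received while unvalidated
        self.sent = defaultdict(int)       # src -> bytes sent while unvalidated
        self.validated = set()

    def inspect(self, src: str, datagram: bytes) -> Verdict:
        hdr = parse_long_header(datagram)
        if hdr is None:
            return Verdict("pass", "no long header; matched to an existing connection elsewhere")
        packet_type, version, dcid, _scid = hdr
        if version != QUIC_V1:
            # A real server may answer with Version Negotiation, but only for datagrams >= 1200 bytes.
            return Verdict("drop", "unsupported version")
        if packet_type != PACKET_TYPE_INITIAL:
            return Verdict("pass", "not an Initial")
        if len(datagram) < MIN_INITIAL_DATAGRAM:
            return Verdict("drop", "Initial datagram under 1200 bytes; a client must pad it")
        self.initials[src] += 1
        if self.initials[src] > self.limit:
            return Verdict("drop", "per-source Initial rate limit exceeded")
        self.received[src] += len(datagram)
        return Verdict("accept", f"Initial for DCID {dcid.hex()} accepted")

    def may_send(self, src: str, nbytes: int) -> bool:
        """Charge nbytes to the anti-amplification budget for src; False means the reply
        would exceed 3x what this still-unvalidated address has sent us."""
        if src in self.validated:
            return True
        if self.sent[src] + nbytes > AMPLIFICATION_FACTOR * self.received[src]:
            return False
        self.sent[src] += nbytes
        return True

    def validate(self, src: str) -> None:
        """Call once the client has echoed a Retry token or completed the handshake."""
        self.validated.add(src)


def make_initial(dcid: bytes, size: int) -> bytes:
    """Construct a v1 Initial-shaped datagram for the sample (not a real handshake):
    long header, version 1, DCID, empty SCID, zero-length token, then zero padding."""
    hdr = (bytes([0xC0]) + struct.pack("!I", QUIC_V1)
           + bytes([len(dcid)]) + dcid + bytes([0]) + bytes([0]))
    return (hdr + b"\x00" * size)[:size]


def run_sample():
    """Constructed traffic: one well-formed client and one source hammering the listener.
    Returns (verdict counts, filter) so the amplification budget can be examined after."""
    flt = InitialFilter(max_initials_per_window=5)
    counts = defaultdict(int)
    client, flooder = "203.0.113.10", "198.51.100.7"          # documentation addresses
    counts[flt.inspect(client, make_initial(b"\x01" * 8, 1200)).action] += 1
    counts[flt.inspect(flooder, make_initial(b"\x02" * 8, 60)).action] += 1   # runt Initial: dropped
    for i in range(8):                                                        # 8 full-size Initials, limit 5
        counts[flt.inspect(flooder, make_initial(bytes([i]) * 8, 1200)).action] += 1
    counts[flt.inspect(client, b"\x40" + b"\x00" * 20).action] += 1           # short header: passed
    return dict(counts), flt


if __name__ == "__main__":
    counts, flt = run_sample()
    print(counts)
    print("client may receive 3600 bytes before validation:", flt.may_send("203.0.113.10", 3600))
    print("one more byte:", flt.may_send("203.0.113.10", 1))
```

Note that the filter classifies by packet shape only. Initial packets are protected with keys derived from the Destination Connection ID and public constants, so a flooder can produce Initials that decrypt perfectly well; what keeps the server upright is that each one costs the attacker 1200 bytes, that the reply budget per unvalidated address is capped, and that the Retry round trip is something a spoofed source cannot complete.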
Mitigate QUIC flood attacks with Akamai
Akamai secures and delivers digital experiences for the world’s largest companies. By keeping decisions, apps, and experiences closer to users — and attacks and threats farther away — we enable our customers and their networks to be fast, smart, and secure.
Our end-to-end DDoS and DoS protection solutions provide a holistic approach that serves as the first line of defense. With dedicated edge, distributed DNS, and network cloud mitigation strategies, our anti-DDoS technologies prevent collateral damage and single points of failure to provide our customers with increased resiliency, dedicated scrubbing capacity, and higher quality of mitigation.
App & API Protector provides a holistic set of powerful protections with customer-focused automation. While this solution offers some of the most advanced application security automation available today, it remains simple to use. A new adaptive security engine and industry-leading core technologies enable DDoS protection, API security, bot mitigation, and a web application firewall in an easy-to-use solution.
Prolexic stops DDoS attacks with the fastest and most effective defense at scale. Offering a zero-second SLA for DDoS defense, Prolexic proactively reduces attack surfaces and customizes mitigation controls to network traffic to block attacks instantly. A fully managed SOCC complements your existing cybersecurity programs and helps shorten your time to resolution with industry-proven expertise.
Edge DNS prevents DNS outages with the largest edge platform, enabling organizations to count on guaranteed, nonstop DNS availability. A cloud-based solution, Edge DNS ensures 24/7 DNS availability while improving responsiveness and defending against the largest DDoS attacks.
Learn more about DDoS attacks
- What Is DoS Protection?
- What Is an ICMP Flood Attack?
- What Is a Memcached DDoS Attack?
- What Are SYN Flood DDoS Attacks?
- What Is a Slowloris DDoS Attack?
- What Is a UDP Flood DDoS Attack?
- What Is an Application-Layer DDoS Attack?
- What Is a DNS Amplification Attack?
- What Is an SSDP DDoS Attack?
- What Is a CLDAP Reflection DDoS Attack?
Frequently Asked Questions (FAQ)
A sudden, sustained rise in UDP traffic to the QUIC port, and in particular in QUIC Initial packets arriving from many sources relative to the number of handshakes that complete, is the first indicator of a QUIC flood, so monitor packet and connection-attempt rates at that granularity, not just total bandwidth.
Yes, small websites are also at risk, as attackers often target a wide range of online assets, and a site served from a single server has the least headroom to absorb a flood.
The primary goal of a QUIC flood attack is to make a service unavailable. It does not itself expose data, but floods are sometimes used to occupy defenders while a separate intrusion is attempted, so treat a DDoS as a possible cover for other activity.
Basic defenses such as rate limiting, enforcing the 1200-byte minimum Initial size, and address validation can be implemented in-house, but absorbing a large volumetric flood takes capacity most organizations do not have, so consulting DDoS mitigation specialists is recommended for robust protection.
QUIC itself is not the problem; the risk comes from attackers abusing its UDP transport and its handshake. A server that follows the protocol's own limits and sits behind adequate mitigation capacity can run QUIC safely.
Why customers choose Akamai
Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away.