Yes, small websites are also at risk, as cybercriminals often target a wide range of online assets.
Understanding DDoS flood attacks utilizing the QUIC protocol
A QUIC flood is a distributed denial-of-service (DDoS) attack that seeks to overwhelm a targeted server with data sent over the QUIC protocol. As it uses resources processing large volumes of QUIC data, the targeted server experiences slower performance and may eventually crash. QUIC flood attacks are difficult to mitigate because they use UDP packets, which offer very few details that the targeted server can use to block the attack. QUIC floods also encrypt packet data, making it difficult to determine whether a packet is legitimate or not.
What is a DDoS attack?
In a DDoS attack, a threat actor attempts to disrupt or crash a server, website, or network by overwhelming it with massive amounts of unwanted or illegitimate traffic. To accomplish this, attackers use a botnet — a collection of thousands or millions of devices that have been infected with malware — which enables the attacker to control them. When attackers direct these compromised machines to send huge volumes of traffic to a targeted device, the device will eventually exhaust its resources or use all its connections to process or respond to malicious traffic. As a result, the device may crash or experience slower performance, making it unavailable to respond to legitimate traffic and users.
What is the QUIC protocol?
QUIC is a new encrypted, connection-oriented transport protocol developed by Google that’s designed to enable faster, more secure internet connections. It is a potential replacement for the TCP transport protocol and TLS encryption protocols. Built on the User Datagram Protocol (UDP), QUIC is intended as a low-latency transportation protocol for apps and services that need fast online connections. To enable faster online connections, QUIC replaces the time-consuming three-way TLS handshake (used to establish a TLS connection) with a single handshake. QUIC uses multiplexing to send several data streams at once, reducing the latency caused by potential data loss and traditional HTTP request/response logic. QUIC automatically encrypts all data by building TLS encryption into the standard communication process.
What are the different types of QUIC floods?
The QUIC protocol is especially vulnerable to DDoS attacks that use reflection. This technique involves spoofing the targeted server’s IP address when requesting information from multiple servers. When the servers respond, all the data travels to the targeted system rather than the attackers’ devices. In a QUIC reflection attack, attackers use the “hello” message that initiates a QUIC connection. Since the QUIC protocol combines the UDP transport protocol with TLS encryption, the targeted server must include its TLS certificate in its reply, resulting in an initial first reply that is much larger than the attacker’s first message. When this is multiplied over large volumes of replies, the targeted server can be overwhelmed by large amounts of unwanted data.
Impact of QUIC flood attacks on business operations
QUIC flood attacks can significantly disrupt business operations, particularly those that rely heavily on online services and applications. When a server is overwhelmed by a flood of QUIC data, it can lead to slower performance and even crashes. This can result in downtime for websites, applications, and online services, affecting both productivity and customer experience.
For instance, ecommerce platforms may experience interruptions in their transaction processes, leading to lost sales and dissatisfied customers. Similarly, online service providers, such as streaming platforms or cloud-based software services, may face service disruptions that affect their user base and reputation.
Industries at risk
Industries that heavily rely on the internet for their operations are most at risk from QUIC flood attacks. These include the ecommerce, finance, and technology sectors. Ecommerce businesses are particularly vulnerable, as their operations are entirely online. A successful QUIC flood attack could lead to significant financial losses due to interrupted transactions and lost sales.
The finance sector, including online banking and fintech companies, is another industry at risk. These businesses handle sensitive customer data and rely on their services being available 24/7. Any disruption could not only lead to financial losses but also damage customer trust.
Are QUIC flood attacks a type of amplification attack?
QUIC flood attacks can be seen as a form of amplification attack, where a small input is used to generate a large, disruptive output. They exploit the QUIC protocol’s use of UDP, similar to DNS and ICMP protocols, which are also susceptible to amplification attacks.
Authentication plays a crucial role in mitigating these attacks. By verifying the source of traffic, businesses can filter out malicious packets. However, the encryption used in QUIC flood attacks makes this challenging.
DoS attacks, including QUIC flood attacks, aim to overwhelm a system with traffic, rendering it unavailable. Firewalls can help mitigate these attacks by monitoring incoming traffic and blocking suspicious activity. However, the effectiveness of traditional firewalls is limited due to the encrypted nature of QUIC traffic. This highlights the need for advanced security measures, such as DDoS mitigation services, that can handle sophisticated attacks like QUIC floods.
How can a QUIC flood attack be blocked?
Security teams may prevent or mitigate QUIC flood attacks by following several best practices.
- Rate limiting. Rate limiting mechanisms can restrict the number of QUIC packets allowed from a single source IP address or specific subnet.
- Minimum initial client message size. Setting a minimum size for the initial hello message will require attackers to use significant amounts of bandwidth to send fake hello messages, potentially discouraging attacks.
- DDoS mitigation services. Security teams can contract with a DDoS mitigation service that offers various techniques for detection mitigation while also providing access to networks that are large enough to absorb the biggest DDoS attacks.
Mitigate QUIC flood attacks with Akamai
Akamai secures and delivers digital experiences for the world’s largest companies. By keeping decisions, apps, and experiences closer to users — and attacks and threats farther away — we enable our customers and their networks to be fast, smart, and secure.
Our end-to-end DDoS and DoS protection solutions provide a holistic approach that serves as the first line of defense. With dedicated edge, distributed DNS, and network cloud mitigation strategies, our anti-DDoS technologies prevent collateral damage and single points of failure to provide our customers with increased resiliency, dedicated scrubbing capacity, and higher quality of mitigation.
App & API Protector provides a holistic set of powerful protections with customer-focused automation. While this solution offers some of the most advanced application security automation available today, it remains simple to use. A new adaptive security engine and industry-leading core technologies enable DDoS protection, API security, bot mitigation, and a web application firewall in an easy-to-use solution.
Prolexic stops DDoS attacks with the fastest and most effective defense at scale. Offering a zero-second SLA for DDoS defense, Prolexic proactively reduces attack services and customizes mitigation controls to network traffic to block attacks instantly. Having a fully managed SOCC complements your existing cybersecurity programs and will help augment your time to resolution with industry-proven experiences.
Edge DNS prevents DNS outages with the largest edge platform, enabling organizations to count on guaranteed, nonstop DNS availability. A cloud-based solution, Edge DNS ensures 24/7 DNS availability while improving responsiveness and defending against the largest DDoS attacks.
Learn more about DDoS attacks
- What Is DoS Protection?
- What Is an ICMP Flood Attack?
- What Is a Memcached DDoS Attack?
- What Are SYN Flood DDoS Attacks?
- What Is a Slowloris DDoS Attack?
- What Is a UDP Flood DDoS Attack?
- What Is an Application-Layer DDoS Attack?
- What Is a DNS Amplification Attack?
- What Is a SSDP DDoS Attack?
- What Is a CLDAP Reflection DDoS attack?
Frequently Asked Questions (FAQ)
A sudden and significant increase in network traffic is a good indicator of a potential QUIC flood attack, so this is important to monitor.
While the primary goal of a QUIC flood attack is to disrupt services, it can indirectly lead to data breaches if attackers gain access during the chaos.
While it’s possible to implement basic defenses, consulting cybersecurity professionals is recommended for robust protection.
QUIC itself is not bad; it’s the misuse by attackers that's the problem. Proper security measures can mitigate the risks.
Why customers choose Akamai
Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.