Defending QUIC from acknowledgement-based DDoS attacks
6 months ago
- #QUIC
- #Cloudflare
- #DDoS
- Cloudflare was notified of two QUIC-related vulnerabilities (CVE-2025-4820 and CVE-2025-4821) on April 10, 2025, via their Bug Bounty Program.
- Both vulnerabilities stemmed from improper handling of ACK frames in quiche, Cloudflare's QUIC implementation, and could be abused to push a server into sending far more traffic than the network path could carry, i.e. as a denial-of-service primitive.
- Cloudflare patched the issues, with no evidence of exploitation or customer impact.
- Like TCP, QUIC relies on acknowledgements (ACKs) from the receiver to drive loss recovery and congestion control, which is what keeps competing connections sharing the network fairly; unlike TCP, QUIC also encrypts almost the whole packet and needs fewer round trips to set up a connection.
- The vulnerabilities let a malicious peer acknowledge packets it had not actually received (an "optimistic ACK"); because the sender's congestion controller then saw no loss and a flattering round-trip time, it kept growing the send rate, and the resulting flood could congest the network for everyone else.
- Cloudflare mitigated this by having the sender deliberately skip packet numbers at a frequency derived from the current congestion window (CWND) and randomised so the peer cannot predict which number is missing; an ACK that claims a skipped packet number can only come from a peer that is lying, since no such packet ever existed.
- Adapting the skip frequency to the connection's send rate means the check scales with how much damage an inflated window could do, so fast connections are probed often while slow, honest ones are left largely undisturbed and network usage stays fair.
- Researchers Louis Navarre and Olivier Bonaventure responsibly disclosed the issue, also notifying other affected QUIC implementations.
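The following is an added example, written for this page and not taken from quiche or Cloudflare's fix, showing the sender-side logic the bullets above describe: allocate packet numbers while skipping one per window at a random, CWND-dependent position, then reject ACK frames that acknowledge a skipped number (an optimistic ACK) or a number that was never sent. The skip window (between half and one full congestion window ahead), the xorshift PRNG and the `Sender`/`on_ack` names are assumptions made for the example, not quiche's parameters or API.

```rust
use std::collections::BTreeSet;

/// Tiny xorshift PRNG so the example needs no external crates. Assumption: a real
/// stack would draw the skip jitter from a cryptographically secure generator.
pub struct XorShift64(u64);

impl XorShift64 {
    pub fn new(seed: u64) -> Self {
        XorShift64(seed | 1) // xorshift must never be seeded with zero
    }
    fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        x
    }
    fn below(&mut self, n: u64) -> u64 {
        self.next_u64() % n.max(1) // value in [0, n)
    }
}

#[derive(Debug, PartialEq)]
pub enum AckError {
    /// The peer acknowledged a packet number the sender never used.
    AckOfUnsentPacket(u64),
    /// The peer acknowledged a number we deliberately skipped: proof of an
    /// optimistic ACK, since no such packet could ever have arrived.
    AckOfSkippedPacket(u64),
    /// ACK range with start > end.
    MalformedRange(u64, u64),
}

/// Sender-side packet-number allocator with optimistic-ACK detection.
pub struct Sender {
    next_pn: u64,
    largest_sent: Option<u64>,
    skipped: BTreeSet<u64>,
    next_skip: u64,
    cwnd_pkts: u64,
    rng: XorShift64,
}

impl Sender {
    pub fn new(cwnd_pkts: u64, seed: u64) -> Self {
        let mut s = Sender {
            next_pn: 0,
            largest_sent: None,
            skipped: BTreeSet::new(),
            next_skip: 0,
            cwnd_pkts: cwnd_pkts.max(2),
            rng: XorShift64::new(seed),
        };
        s.schedule_skip();
        s
    }

    /// Assumption (not quiche's exact parameters): one skip somewhere in the next
    /// half-to-full congestion window, so a fast connection is probed often, a slow
    /// one rarely, and the peer cannot predict which number will be missing.
    fn schedule_skip(&mut self) {
        let lo = (self.cwnd_pkts / 2).max(1);
        let hi = self.cwnd_pkts.max(lo + 1);
        self.next_skip = self.next_pn + lo + self.rng.below(hi - lo);
    }

    /// Congestion controller reports a new window (in packets); future skips adapt.
    pub fn set_cwnd_pkts(&mut self, cwnd_pkts: u64) {
        self.cwnd_pkts = cwnd_pkts.max(2);
    }

    /// Allocate the packet number for the next packet to send.
    pub fn next_packet_number(&mut self) -> u64 {
        if self.next_pn == self.next_skip {
            self.skipped.insert(self.next_pn);
            self.next_pn += 1;
            self.schedule_skip();
        }
        let pn = self.next_pn;
        self.next_pn += 1;
        self.largest_sent = Some(pn);
        pn
    }

    pub fn largest_sent(&self) -> Option<u64> {
        self.largest_sent
    }

    pub fn skipped_numbers(&self) -> Vec<u64> {
        self.skipped.iter().copied().collect()
    }

    /// Validate the inclusive ACK ranges of an ACK frame. Returns how many packet
    /// numbers were acknowledged, or why the frame is dishonest.
    pub fn on_ack(&self, ranges: &[(u64, u64)]) -> Result<u64, AckError> {
        let mut acked = 0;
        for &(lo, hi) in ranges {
            if lo > hi {
                return Err(AckError::MalformedRange(lo, hi));
            }
            if self.largest_sent.map_or(true, |l| hi > l) {
                return Err(AckError::AckOfUnsentPacket(hi));
            }
            if let Some(&pn) = self.skipped.range(lo..=hi).next() {
                return Err(AckError::AckOfSkippedPacket(pn));
            }
            acked += hi - lo + 1;
        }
        Ok(acked)
    }
}

/// Turn a sorted list of received packet numbers into ACK ranges, as an honest
/// receiver would (the skipped numbers show up as gaps between ranges).
pub fn contiguous_ranges(pns: &[u64]) -> Vec<(u64, u64)> {
    let mut out: Vec<(u64, u64)> = Vec::new();
    for &pn in pns {
        match out.last_mut() {
            Some((_, hi)) if *hi + 1 == pn => *hi = pn,
            _ => out.push((pn, pn)),
        }
    }
    out
}

fn main() {
    let mut sender = Sender::new(10, 0x5eed);
    let sent: Vec<u64> = (0..40).map(|_| sender.next_packet_number()).collect();
    println!("skipped numbers: {:?}", sender.skipped_numbers());
    println!("honest ACK: {:?}", sender.on_ack(&contiguous_ranges(&sent)));
    let largest = sender.largest_sent().unwrap();
    println!("optimistic ACK of everything: {:?}", sender.on_ack(&[(0, largest)]));
    println!("ACK of unsent: {:?}", sender.on_ack(&[(largest + 1, largest + 8)]));
}
```

An honest receiver only ever sees the numbers that were actually sent, so its ACK ranges naturally leave the skipped numbers out; an attacker blindly acknowledging the whole range up to the largest packet number trips over the first skipped number, and one that runs ahead of the sender trips the unsent check. Tying the skip window to `cwnd_pkts` is what makes the probe CWND-aware: a connection that the attacker has inflated to a large window is skipped more often in absolute terms, so the lie is caught within roughly one window of the inflation.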