Count Me If You Can: Enumerating QUIC Servers Behind Load Balancers

Kashyap Thimmaraju; Björn Scheuermann

doi:10.14279/tuj.eceasst.80.1172

Count Me If You Can: Enumerating QUIC Servers Behind Load Balancers

Kashyap Thimmaraju, Björn Scheuermann

Abstract

QUIC is a new transport protocol over UDP which is recently became an IETF RFC. Our security analysis of the Connection ID mechanism in QUIC reveals that the protocol is underspecified. This allows an attacker to count the number of server instances behind a middlebox, e.g., a load balancer. We found 4/15 (~25%) implementations vulnerable to our enumeration attack. We then concretely describe how an attacker can count the number of instances behind a load balancer that either uses Round Robin or Hashing.

Full Text:

PDF

DOI: http://dx.doi.org/10.14279/tuj.eceasst.80.1172

DOI (PDF): http://dx.doi.org/10.14279/tuj.eceasst.80.1172.1077

Hosted By Universitätsbibliothek TU Berlin.

Username
Password
Remember me

Electronic Communications of the EASST is a peer-reviewed, scientific and open access journal ISSN 1863-2122

Count Me If You Can: Enumerating QUIC Servers Behind Load Balancers

Abstract

Full Text:

Electronic Communications of the EASST
is a peer-reviewed, scientific and open access journal
ISSN 1863-2122