Re: DoS-ing QUIC servers is too easy

Willy Tarreau <w@1wt.eu> Sat, 20 July 2019 05:09 UTC

Date: Sat, 20 Jul 2019 07:08:56 +0200
From: Willy Tarreau <w@1wt.eu>
To: Ian Swett <ianswett=40google.com@dmarc.ietf.org>
Cc: "quic@ietf.org" <quic@ietf.org>, brent.bilger@verizon.com
Subject: Re: DoS-ing QUIC servers is too easy
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/PuwH0jrfXqOz7W9PVV98xqbCr0E>

Hi Ian,

On Fri, Jul 19, 2019 at 01:47:19PM -0400, Ian Swett wrote:
> There's a proposed draft (draft-duke-quic-load-balancers
> <https://datatracker.ietf.org/doc/draft-duke-quic-load-balancers/>) on QUIC
> load balancers, so I don't think the above is necessarily true.

Yes, as mentioned in my other message I've already seen this one.

> > > Also, QUIC requires much larger Initial packet sizes than a TCP SYN,
> > > increasing the amount of work an attacker has to expend.
> >
> > Sure but not that much. Even with an initial packet as large as 200 bytes
> > you still feed the whole stack at 5 million packets per second on a single
> > 10G port. This is a lot to pass through the whole stack, not counting the
> > potential crypto that is associated with it nor building the response, of
> > course. But we'll see.
> >
> >
> The minimum is 1200 bytes FYI.

My understanding was that it was the minimum supported so that it should
be the maximum used by clients, i.e. a valid initial packet can be much
smaller than this. But I could be mistaken as I've had a hard time keeping
up with the progress made on the protocol.

Thanks,
Willy