Teyssier, Benjamin (2024) QUIC Protocol : Resilience against flooding attacks and defense mechanism. Masters thesis, Concordia University.
Text (application/pdf): Teyssier_MASc_S2024.pdf (3MB) - Accepted Version. Available under License Spectrum Terms of Access.
Abstract
QUIC is a modern transport-layer Internet protocol designed to be more efficient and secure than TCP. It has gained popularity quickly in recent years and has been adopted by a number of prominent tech companies. Its efficiency comes from its handshake design. The server and the client perform both the transport-layer acknowledgment and the TLS agreement during the same round trip. However, this process makes the packets heavy and requires more processing on the server side than TCP. This characteristic can be used as leverage by an attacker to compromise the computing resources of its victim.
This thesis investigates the resilience of the QUIC protocol against handshake flood attacks and proposes a detection mechanism (QUICShield). I conducted comprehensive experiments to evaluate the resource consumption of both the attacker and the target during incomplete handshake attacks, including CPU, memory, and bandwidth. We compared the results against TCP SYN cookies under SYN flood attacks. The DDoS amplification factor was measured and analyzed based on the results. This work also proposes a detection mechanism based on a Bloom filter combined with Generalized Likelihood Ratio Cumulative Sum (GLR-CUSUM) to adapt to evolving attack patterns. It was implemented and deployed against real attacks to evaluate its efficiency. We showed that the QUIC protocol design has a much larger DDoS amplification factor than TCP, which means QUIC is more vulnerable to handshake DDoS attacks. However, the proposed mechanism is accurate and efficient in terms of resources.
Divisions: | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
---|---|
Item Type: | Thesis (Masters) |
Authors: | Teyssier, Benjamin |
Institution: | Concordia University |
Degree Name: | M.A. Sc. |
Program: | Information Systems Security |
Date: | March 2024 |
Thesis Supervisor(s): | Fung, Carol |
ID Code: | 993610 |
Deposited By: | Benjamin Teyssier |
Deposited On: | 05 Jun 2024 16:18 |
Last Modified: | 05 Jun 2024 16:18 |