On 7/30/2024 5:52 PM, Paul Vixie wrote:
Do we know a reason why the system's behavior won't move beyond the new limit the same way it moved beyond the old one? If it's some bizarre kind of leaky bucket let's have the showdown now rather than later when everything is larger and ossification has begun.
The concern is that the wily hackers will send a single UDP "initial" packet to a server, and the the server will reply with a complete flight of packets including key exchanges, parameters and certificates. Send 1.2KB to the server, see the server send back 5, 6 or maybe 10 packets to the source IP of the UDP packet. With that the DDOS attack has been "amplified" 5, 6 or maybe 10 times.
The amplification limit is there to limit the usefulness of QUIC servers for these DDOS attackers. The value 3 was chosen because with "reasonable" configurations the server's first flight fits in 2 or 3 packets, and that there are many UDP services that provide more than 3x amplification (see https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-attacks).
But if we loosen the QUIC amplification limit while other services are tightening, that situation will change.
-- Christian Huitema
