Paper accepted at DSN'25
21 March 2025, by Mathias Fischer

We are happy to announce that our paper, "QUIC-Aware Load Balancing: Attacks and Mitigations", was accepted for publication at the 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN '25).
In this paper, we present attacks against insecure encoding schemes and against the handling of QUIC's connection identifiers for load balancing. These attacks can be used to obtain the number of front-end servers of CDN providers and to track users across connection migrations. We also propose countermeasures that ultimately enable secure and QUIC(k) load balancing.
We look forward to presenting our findings at the conference in Naples, Italy (June 23-26, 2025) and to exchanging ideas with international researchers.
Paper abstract
QUIC is widely used on the web and is seen as a successor to TCP, with significant improvements to speed, reliability, and security. However, as IP addresses and ports no longer identify QUIC connections but use Connection Identifiers (CIDs), load balancing becomes challenging. In this work, we introduce two novel attacks for revealing the server count behind QUIC-aware load balancers and breaking the unlinkability guarantees that prevent tracking of structured CIDs. We conducted tests on real-world deployments to assess the feasibility of existing and novel attacks. Our results indicate that our attack is more effective in estimating the number of servers behind load balancers than existing work. Furthermore, the data of our second novel attack suggests that almost all observed load balancers are vulnerable, allowing user tracking across networks. This work also introduces novel countermeasures to mitigate these attacks while being faster than existing approaches for enabling secure load balancing.