
Handbook

QUIC Profile

QUIC Overview

QUIC (RFC 9000) is the IETF-standardized transport protocol that runs over UDP and integrates the TLS 1.3 handshake (RFC 9001) into the transport itself; it is usually carried on UDP port 443.

Because QUIC runs over UDP, the source IP address of an incoming packet is not validated by the transport. QUIC's own answer to this is the server's first reply: either a Retry packet, which validates the client address before the server commits any state, or the server's own Initial packet (called a Response Initial here), which carries the server's TLS handshake messages and can be much larger than the client's request. RFC 9000 Section 8.1 caps what a server may send to an unvalidated address at three times the bytes it has received, so the amplification of a single reflected Initial is bounded, but with more than 1.2 million QUIC servers reachable as of June 2022 there is a real risk that servers will be exploited to reflect Response Initial packets at spoofed targets. Any network can be the victim of a reflected QUIC flood.

Operators of QUIC servers can be targeted by malformed-packet floods, and their servers can be used as reflectors against other targets.

FortiDDoS provides the following mitigations:

  • QUIC Profile — as described in this page.
  • QUIC Service Ports — for monitoring ports other than 443 if you have QUIC servers using non-standard ports. For more information, see Configuring Service Protection Policies.
  • Three QUIC Scalar Thresholds. For more information, see Thresholds View:
    • QUIC Request Initial
    • QUIC Request Initial per Source
    • QUIC Response Initial per Destination

Use Case

Use the QUIC Profile to enable checks for various QUIC anomalies and, for symmetric traffic only, Reflection Deny.

The same QUIC Profile can be used by multiple SPPs but any SPP can only use one QUIC profile at a time.

You can create a maximum of 64 QUIC Profiles.

Parameters

Initial Packet Check

The QUIC Initial packet, and the UDP datagram carrying it, must be at least 1200 Bytes (the padding RFC 9000 Section 14.1 requires) and must not be IP-fragmented.
Version Check

The QUIC Version number must be one of:

  • 0x00000001, QUIC version 1 (RFC 9000), from a server or a client

  • 0x00000000, the Version Negotiation packet (RFC 9000 Section 17.2.1), from a server only

  • 0x?A?A?A?A, the reserved greasing versions (RFC 9000 Section 15) that a client may send to exercise version negotiation, from a client only

Packets whose version is not listed above, or that carry a listed version in the wrong direction, are dropped.

Strict Anomalies Check

The following anomalies are checked:

  • Long header payload > 6 Bytes.

  • Short header payload is shorter than 3 Bytes.

  • The Connection ID lengths and the Token length (Initial packet) must be consistent with the payload size above; a length field that runs past the end of the packet is an anomaly.

Version Negotiation Deny

RFC 9000 defines the Version Negotiation packet (version field 0x00000000), which a server sends when it does not support the version the client offered, but it does not define how a client acts on one; a usable negotiation mechanism was only specified later, in RFC 9368. If a packet carries version negotiation data, it is dropped when this option is enabled.

Reflection Deny

Note: Use with Symmetric Traffic Only.

FortiDDoS records outbound Request Initial packets in the QUIC Session Table (2M-32M entries; see Dashboard > Data Path Resources panel). When a matching inbound Response Initial packet arrives, the entry is cleared and the Response Initial packet is allowed to pass. Any unsolicited QUIC Response Initial packet, one with no matching outbound Request Initial, is dropped.

With asymmetric traffic, FortiDDoS may not see outbound Request Initial Packets and will drop legitimate Response Initial packets if this option is enabled.

For asymmetric traffic (Global Protection > Deployment > Asymmetric Mode), use QUIC Response Initial per Destination Threshold (Service Protection > Service Protection Policies > Select SPP > Thresholds Tab > Scalars > Create New > scroll to QUIC Response Initial per Destination).
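The following is an added example, not FortiDDoS code, that models the checks in the parameter list above and the Reflection Deny session table: it parses RFC 9000 long and short headers, applies the direction-aware Version Check, the 1200-byte Initial Packet Check, the Version Negotiation Deny and the length-consistency anomalies, and keeps a session table keyed on the address pair plus the connection ID the server must echo. That key is an assumption (FortiDDoS does not document its table key), the 3-byte and 6-byte anomaly limits are taken as stated on this page, and IP fragmentation and the per-destination threshold are not modeled. The test packets are constructed inline.

```python
"""Added example (not Fortinet code): an RFC 9000 header parser, the QUIC Profile
checks above, and a Reflection Deny session table. The table key (addresses plus
the connection ID the server must echo) is an assumption, not FortiDDoS's key."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

QUIC_V1 = 0x00000001              # RFC 9000
VERSION_NEGOTIATION = 0x00000000  # Version Negotiation packet, servers only
MIN_INITIAL_DATAGRAM = 1200       # RFC 9000 Section 14.1

def is_reserved_version(v: int) -> bool:
    """0x?a?a?a?a: the low nibble of every byte is 0xA (RFC 9000 Section 15)."""
    return (v & 0x0F0F0F0F) == 0x0A0A0A0A

def read_varint(buf: bytes, off: int) -> Tuple[int, int]:
    """RFC 9000 Section 16 variable-length integer -> (value, next offset)."""
    n = 1 << (buf[off] >> 6) if off < len(buf) else 0
    if n == 0 or off + n > len(buf):
        raise ValueError("truncated varint")
    return int.from_bytes(buf[off:off + n], "big") & ((1 << (8 * n - 2)) - 1), off + n

@dataclass
class Header:
    long_form: bool
    version: Optional[int] = None
    ptype: Optional[int] = None   # long header only: 0 Initial, 1 0-RTT, 2 Handshake, 3 Retry
    dcid: bytes = b""
    scid: bytes = b""

def parse_header(dgram: bytes) -> Header:
    """Parse only what the checks need; raise ValueError on a structural anomaly."""
    if not dgram:
        raise ValueError("empty datagram")
    if dgram[0] & 0x80 == 0:
        return Header(long_form=False)            # short header (1-RTT)
    if len(dgram) < 6:                            # version + two CID length octets
        raise ValueError("long header payload too short")
    version = int.from_bytes(dgram[1:5], "big")
    dcil, off = dgram[5], 6
    if off + dcil >= len(dgram):                  # need the DCID and the SCID length octet
        raise ValueError("truncated DCID")
    dcid, off = dgram[off:off + dcil], off + dcil
    scil, off = dgram[off], off + 1
    if off + scil > len(dgram):
        raise ValueError("truncated SCID")
    scid, off = dgram[off:off + scil], off + scil
    hdr = Header(True, version, None, dcid, scid)
    if version == VERSION_NEGOTIATION:            # no type bits and no token
        return hdr
    hdr.ptype = (dgram[0] >> 4) & 0x03
    if hdr.ptype == 0:                            # Initial carries a token
        tlen, off = read_varint(dgram, off)
        if off + tlen > len(dgram):
            raise ValueError("token length exceeds payload")
    return hdr

def profile_verdict(dgram: bytes, from_server: bool, vn_deny: bool = True) -> str:
    """'pass', or the reason the Version, Initial Packet or anomaly checks drop it."""
    try:
        h = parse_header(dgram)
    except ValueError as e:
        return f"drop: strict anomaly ({e})"
    if not h.long_form:
        return "pass" if len(dgram) - 1 >= 3 else "drop: strict anomaly (short header < 3 bytes)"
    v = h.version
    allowed = (v == QUIC_V1 or (v == VERSION_NEGOTIATION and from_server)
               or (is_reserved_version(v) and not from_server))
    if not allowed:
        return f"drop: version 0x{v:08x} not allowed from {'server' if from_server else 'client'}"
    if v == VERSION_NEGOTIATION and vn_deny:
        return "drop: version negotiation deny"
    if h.ptype == 0 and len(dgram) < MIN_INITIAL_DATAGRAM:
        return f"drop: Initial datagram {len(dgram)} < {MIN_INITIAL_DATAGRAM} bytes"
    return "pass"

class ReflectionDeny:
    """Symmetric-traffic session table: outbound client Initials are recorded; an inbound server Initial passes once, only if it answers one."""
    def __init__(self) -> None:
        self.table: Dict[Tuple[str, str, bytes], bool] = {}

    def outbound(self, src: str, dst: str, dgram: bytes) -> None:
        h = parse_header(dgram)
        if h.long_form and h.ptype == 0:
            # The server must echo the client's SCID as its DCID (RFC 9000 Section 7.2).
            self.table[(src, dst, h.scid)] = True

    def inbound(self, src: str, dst: str, dgram: bytes) -> bool:
        h = parse_header(dgram)
        if not (h.long_form and h.ptype == 0):
            return True                           # only server Initials are gated
        key = (dst, src, h.dcid)                  # reversed direction, echoed CID
        return self.table.pop(key, False)         # entry is cleared on its first match

def build_initial(version: int, dcid: bytes, scid: bytes, token: bytes = b"", pad_to: int = 0) -> bytes:
    """Constructed test packet: long header, type Initial, dummy packet number and payload."""
    pkt = (bytes([0xC0]) + version.to_bytes(4, "big") + bytes([len(dcid)]) + dcid
           + bytes([len(scid)]) + scid + bytes([len(token)]) + token)   # token < 64 bytes
    return pkt + b"\x00" * max(0, pad_to - len(pkt))
```

The reflection case is the one to study: a spoofed client Initial makes the server send its Response Initial to the victim, and because the victim's FortiDDoS never recorded a matching outbound Request Initial, `ReflectionDeny.inbound` returns False and the packet is dropped. In an asymmetric deployment the same logic drops legitimate responses, which is why the page points to the QUIC Response Initial per Destination threshold instead.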
