Fortinet black logo

Handbook

6.5.1
7.0.0
6.6.3
6.6.3
6.6.1
6.6.0
6.5.1
6.5.0
6.4.1
6.4.0
6.3.3
6.3.2
6.3.1
6.2.3
6.2.2
6.2.1
6.2.0
6.1.1

QUIC Profile

QUIC Profile

QUIC Overview

QUIC is now the IETF-ratified version of TLS over UDP (Port 443, usually).

Since QUIC uses UDP, there is no validation of the Source IP. QUIC attempts to overcome this by sending either a Response Initial or a Retry message from the server to the client. The Response Initial packet can be large and there is some risk that QUIC servers (> 1.2M @ 2022/06) will be exploited to reflect Response Initial packets at targets. All users can be victims of reflected QUIC floods.

Users of QUIC servers can be victims of malformed floods and used as reflectors to other targets.

FortiDDoS provides the following mitigations:

  • QUIC Profile — as described in this page.
  • QUIC Service Ports — for monitoring ports other than 443 if you have QUIC servers using non-standard ports. For more information, see Configuring Service Protection Policies.
  • Three QUIC Scalar Thresholds. For more information, see Thresholds View:
    • QUIC Request Initial
    • QUIC Request Initial per Source
    • QUIC Response Initial per Destination

Use Case

Use the QUIC Profile to configure various QUIC anomalies and Reflection Deny (for symmetric traffic only).

The same QUIC Profile can be used by multiple SPPs but any SPP can only use one QUIC profile at a time.

You can create a maximum of 64 QUIC Profiles.

Parameter

Description
Initial Packet Check The QUIC initial packet must be at least 1200 Bytes and not fragmented.
Version Check

QUIC Version number must be:

  • 1 (from a server or a client)

  • 0 (from a server)

  • 0x?A?A?A?A (from a client)

Versions in the wrong direction or not shown above are dropped.
Strict anomalies Check

The following anomalies are checked:

  • Long header payload > 6 Bytes.

  • Short header payload is shorter than 3 Bytes.

  • Connection ID + Token (Initial packet) matches correctly with the payload size above.
Version Negotiation Deny

Version Renegotiation is not supported in the current QUIC RFC but the field is available to use. If this field contains version negotiation data, the packet is dropped.
Reflection Deny

Note: Use with Symmetric Traffic Only.

FortiDDoS records outbound Request Initial packets in the QUIC Session Table (2M-32M – See Dashboard > Data Path Resources panel). On receipt of a matching inbound Response Initial packet, the entry is cleared and the Response Initial packet is allowed to pass. Any unsolicited DTLS Response Initial packet is dropped.

With asymmetric traffic, FortiDDoS may not see outbound Request Initial Packets and will drop legitimate Response Initial packets if this option is enabled.

For asymmetric traffic (Global Protection > Deployment > Asymmetric Mode), use QUIC Response Initial per Destination Threshold (Service Protection > Service Protection Policies > Select SPP > Thresholds Tab > Scalars > Create New > scroll to QUIC Response Initial per Destination).
Previous
Next

QUIC Profile

QUIC Overview

QUIC is now the IETF-ratified version of TLS over UDP (Port 443, usually).

Since QUIC uses UDP, there is no validation of the Source IP. QUIC attempts to overcome this by sending either a Response Initial or a Retry message from the server to the client. The Response Initial packet can be large and there is some risk that QUIC servers (> 1.2M @ 2022/06) will be exploited to reflect Response Initial packets at targets. All users can be victims of reflected QUIC floods.

Users of QUIC servers can be victims of malformed floods and used as reflectors to other targets.

FortiDDoS provides the following mitigations:

  • QUIC Profile — as described in this page.
  • QUIC Service Ports — for monitoring ports other than 443 if you have QUIC servers using non-standard ports. For more information, see Configuring Service Protection Policies.
  • Three QUIC Scalar Thresholds. For more information, see Thresholds View:
    • QUIC Request Initial
    • QUIC Request Initial per Source
    • QUIC Response Initial per Destination

Use Case

Use the QUIC Profile to configure various QUIC anomalies and Reflection Deny (for symmetric traffic only).

The same QUIC Profile can be used by multiple SPPs but any SPP can only use one QUIC profile at a time.

You can create a maximum of 64 QUIC Profiles.

Parameter

Description
Initial Packet Check The QUIC initial packet must be at least 1200 Bytes and not fragmented.
Version Check

QUIC Version number must be:

  • 1 (from a server or a client)

  • 0 (from a server)

  • 0x?A?A?A?A (from a client)

Versions in the wrong direction or not shown above are dropped.
Strict anomalies Check

The following anomalies are checked:

  • Long header payload > 6 Bytes.

  • Short header payload is shorter than 3 Bytes.

  • Connection ID + Token (Initial packet) matches correctly with the payload size above.
Version Negotiation Deny

Version Renegotiation is not supported in the current QUIC RFC but the field is available to use. If this field contains version negotiation data, the packet is dropped.
Reflection Deny

Note: Use with Symmetric Traffic Only.

FortiDDoS records outbound Request Initial packets in the QUIC Session Table (2M-32M – See Dashboard > Data Path Resources panel). On receipt of a matching inbound Response Initial packet, the entry is cleared and the Response Initial packet is allowed to pass. Any unsolicited DTLS Response Initial packet is dropped.

With asymmetric traffic, FortiDDoS may not see outbound Request Initial Packets and will drop legitimate Response Initial packets if this option is enabled.

For asymmetric traffic (Global Protection > Deployment > Asymmetric Mode), use QUIC Response Initial per Destination Threshold (Service Protection > Service Protection Policies > Select SPP > Thresholds Tab > Scalars > Create New > scroll to QUIC Response Initial per Destination).
Previous
Next