Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider packet replay/injection attacks #1

Closed
tfpauly opened this issue Jul 2, 2020 · 1 comment
Closed

Consider packet replay/injection attacks #1

tfpauly opened this issue Jul 2, 2020 · 1 comment
Assignees
@tfpauly @chris-wood

Comments

@tfpauly
Copy link
Collaborator

tfpauly commented Jul 2, 2020

When forwarding for a given CID, the proxy can very simply process a packet without doing any decryption. However, this means the packet may not be valid (it could be a replay, or a packet injected by someone spoofing the IP addresses and CID).

Since the proxy is acting effectively as a router, this might be acceptable. However:

  • When the target/origin receives bogus or duplicate QUIC packets, it may be forced to rate-limit traffic from the proxy that forwarded the bad traffic
  • The proxy is being made to do work of forwarding packets. If that is more expensive than something that could be done simply to validate the packet (signed hash of the packet, say), then it may be preferable to do some validation.
@tfpauly
Copy link
Collaborator Author

tfpauly commented Feb 6, 2025

Now that we have scramble, etc, our discussion of possible attacks is much more robust. We don't prevent active attacks, but the implications are explained in detail.

@tfpauly tfpauly closed this as completed Feb 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tfpauly tfpauly

@chris-wood chris-wood

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tfpauly @chris-wood