Home / Companies / Cloudflare / Blog / Post Details
Content Deep Dive

Defending QUIC from acknowledgement-based DDoS attacks

Blog post from Cloudflare

Post Details
Company
Date Published
Author
Apoorv Kothari and Louis Navarre (Guest author)
Word Count
2,222
Company Posts That Month
30
Language
English
Hacker News Points
-
Post removed?
No
Summary

In April 2025, Cloudflare addressed two security vulnerabilities (CVE-2025-4820 and CVE-2025-4821) within their open-source QUIC protocol implementation, quiche, which were identified through their Public Bug Bounty program. These vulnerabilities involved DDoS risks related to packet acknowledgement (ACK) handling, allowing potential attackers to exploit lack of ACK validation to artificially inflate send rates and gain unfair network advantages. The vulnerabilities, though not exploited, were promptly patched by Cloudflare, enhancing ACK range validation and implementing dynamic congestion window (CWND)-aware skip frequency to mitigate attacks like the Optimistic ACK attack. This approach ensures fairness and prevents malicious clients from leveraging network resources excessively. Cloudflare's proactive response also involved collaboration with researchers who disclosed the vulnerabilities, enabling the bolstering of security across multiple QUIC implementations.

Trends Found in this Post

No tracked trend matches for this post yet.

Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.