Defending QUIC from acknowledgement-based DDoS attacks
Blog post from Cloudflare
In April 2025, Cloudflare addressed two security vulnerabilities (CVE-2025-4820 and CVE-2025-4821) within their open-source QUIC protocol implementation, quiche, which were identified through their Public Bug Bounty program. These vulnerabilities involved DDoS risks related to packet acknowledgement (ACK) handling, allowing potential attackers to exploit lack of ACK validation to artificially inflate send rates and gain unfair network advantages. The vulnerabilities, though not exploited, were promptly patched by Cloudflare, enhancing ACK range validation and implementing dynamic congestion window (CWND)-aware skip frequency to mitigate attacks like the Optimistic ACK attack. This approach ensures fairness and prevents malicious clients from leveraging network resources excessively. Cloudflare's proactive response also involved collaboration with researchers who disclosed the vulnerabilities, enabling the bolstering of security across multiple QUIC implementations.
No tracked trend matches for this post yet.
Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.