Aioquic may infinitely receive CRYPTO frames within a single connection, rapidly depleting memory and subsequently being forcefully closed by the operating system, leading to a denial of service attack.
In line 1613 of quic/connection.py, the server only checks offset + length < 2^62 - 1 when processing CRYPTO frames, and then stores their contents in QuicConnection._crypto_streams[Epoch.ONE_RTT], resulting in memory consumption.
To validate the effect, I simulated an attacker sending CRYPTO frames with an Offset set to 0x1000, but with a length of only 0x200 to prevent some memory merging operations. As shown in the graph, within 90s of the attack starting, aioquic had consumed 100GB of memory and would soon be killed by the operating system.
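The missing bound can be pictured as a reassembly buffer that refuses CRYPTO data too far past the delivered point, which RFC 9000 allows by closing with CRYPTO_BUFFER_EXCEEDED. This is an added example, not aioquic's code or its fix; the class and function names, the 512 KiB cap, and the reading that each frame's offset advances by 0x1000 are assumptions.

```python
# Added example, not aioquic code. Names and the 512 KiB cap are assumptions.
CRYPTO_BUFFER_EXCEEDED = 0x0D   # transport error code defined in RFC 9000
MAX_CRYPTO_WINDOW = 512 * 1024  # assumed cap; RFC 9000 requires at least 4096


class CryptoBufferExceeded(Exception):
    error_code = CRYPTO_BUFFER_EXCEEDED


class BoundedCryptoBuffer:
    """Reassemble CRYPTO data, bounding how far past the read point a peer may write."""

    def __init__(self, limit=MAX_CRYPTO_WINDOW):
        self.limit = limit
        self.base = 0            # stream offset of data[0]; bytes below were delivered
        self.data = bytearray()  # out-of-order window, never longer than limit
        self.have = bytearray()  # 1 where the matching byte of data was received

    def receive(self, offset, payload):
        """Store one frame and return the bytes that became contiguous."""
        end = offset + len(payload)
        if end - self.base > self.limit:
            raise CryptoBufferExceeded(f"CRYPTO data up to {end} exceeds the window")
        start = max(offset, self.base)  # skip retransmitted, already delivered bytes
        if end > start:
            grow = end - self.base - len(self.data)
            if grow > 0:  # gaps are zero-filled and stay marked as missing
                self.data.extend(bytes(grow))
                self.have.extend(bytes(grow))
            lo, hi = start - self.base, end - self.base
            self.data[lo:hi] = payload[start - offset:]
            self.have[lo:hi] = b"\x01" * (hi - lo)
        n = self.have.find(0)  # first missing byte ends the deliverable prefix
        n = len(self.have) if n < 0 else n
        out = bytes(self.data[:n])
        del self.data[:n], self.have[:n]
        self.base += n
        return out


def simulate_sparse_frames(limit=MAX_CRYPTO_WINDOW, step=0x1000, length=0x200):
    """Constructed traffic shaped like the report: 0x200 bytes every 0x1000."""
    buf, frames = BoundedCryptoBuffer(limit), 0
    try:
        while True:
            buf.receive((frames + 1) * step, b"A" * length)
            frames += 1
    except CryptoBufferExceeded as exc:
        return frames, len(buf.data), exc.error_code
```

With the cap in place the sparse pattern is cut off after 127 frames and the buffer never grows beyond the window; a caller would translate the exception into a connection close carrying that error code.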