quinn-rs / quinn

Async-friendly QUIC implementation in Rust
Apache License 2.0

Does Quinn support mitigating rapid reset attacks? #1680

Closed vlovich closed 11 months ago

vlovich commented 11 months ago

With the recent HTTP/2 zero-day disclosure, I was wondering if a similar exploit vector might apply to QUIC and specifically if there are any possible mitigations to apply within the stack, since my understanding is that HTTP/3 basically just moves all the HTTP/2 connection management code within the QUIC network stack.

Ralith commented 11 months ago

Google's opinion is that QUIC is not vulnerable:

We do not believe these attack methods translate directly to HTTP/3 (QUIC) due to protocol differences, and Google does not currently see HTTP/3 used as a DDoS attack vector at scale.

In general, it's the application layer's responsibility to close connections engaging in behavior that abuses application-layer functionality like request handling.
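One way an application on top of Quinn could act on the point above, as an added example that is not part of the original thread and not Quinn's own code: a hypothetical per-connection guard that counts peer resets of request streams the server has not yet answered (the rapid-reset pattern) inside a sliding window, and tells the application to close the connection once the budget is exceeded. It assumes the application feeds it three events (request stream opened, response finished, peer reset) with its own timestamps; the names and thresholds are illustrative.

```rust
use std::collections::{HashMap, VecDeque};
use std::time::{Duration, Instant};

/// Decision handed back to the application after a peer reset.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allow,
    CloseConnection,
}

/// Hypothetical per-connection guard (not a Quinn API).
pub struct RapidResetGuard {
    window: Duration,
    max_early_resets: usize,
    /// Request streams the peer opened that have not yet been answered.
    pending: HashMap<u64, Instant>,
    /// Timestamps of resets that arrived before a response was finished.
    early_resets: VecDeque<Instant>,
}

impl RapidResetGuard {
    pub fn new(window: Duration, max_early_resets: usize) -> Self {
        Self { window, max_early_resets, pending: HashMap::new(), early_resets: VecDeque::new() }
    }

    /// The peer opened a request stream; remember it as unanswered.
    pub fn on_request_opened(&mut self, stream_id: u64, now: Instant) {
        self.pending.insert(stream_id, now);
    }

    /// The server finished its response; a later reset of this stream is benign.
    pub fn on_response_finished(&mut self, stream_id: u64) {
        self.pending.remove(&stream_id);
    }

    /// The peer reset a stream. Only resets of unanswered requests count
    /// toward the budget; exceeding it within the window asks for a close.
    pub fn on_peer_reset(&mut self, stream_id: u64, now: Instant) -> Verdict {
        if self.pending.remove(&stream_id).is_none() {
            return Verdict::Allow;
        }
        self.early_resets.push_back(now);
        // Drop resets that have aged out of the sliding window.
        while let Some(&t) = self.early_resets.front() {
            if now.duration_since(t) > self.window { self.early_resets.pop_front(); } else { break; }
        }
        if self.early_resets.len() > self.max_early_resets { Verdict::CloseConnection } else { Verdict::Allow }
    }
}
```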

djc commented 11 months ago

See also https://twitter.com/programmingart/status/1712459138947826148.