Company
Date Published
Author
Josephine Chow, June Slater, Bryton Herdes, Lucas Pardue
Word count
2112
Language
English
Hacker News points
None

Summary

Cloudflare recently learned of a broadcast amplification vulnerability from an anonymous group of security researchers conducting QUIC Internet measurement research. The team collaborated with the researchers and implemented a mitigation to secure its infrastructure. The vulnerability was triggered by sending a QUIC Initial packet to one of Cloudflare's broadcast addresses, which produced a large response that exceeded the RFC's 3x amplification limit. The issue arose because the QUIC protocol's behaviour on broadcast addresses, combined with the use of anycast prefixes and socket options such as SO_REUSEPORT, allowed an attacker to amplify traffic sent to the broadcast address, potentially enabling a denial-of-service (DoS) attack. To mitigate the vulnerability, Cloudflare removed the route itself from its deployment system, so that broadcast addresses attached to the loopback interface are treated no differently from any other address in the range, which prevents the amplification. The incident highlights the importance of assessing systems for configurations that may present a local amplification attack vector, and it encourages network administrators and security professionals to take proactive measures to secure their infrastructure.