Implement packet number skipping for attack detection and improve security (#5146)

nibanks · web-flow · commit d46ad00c1fde · 2025-06-07T09:47:17.000-04:00
diff --git a/src/core/loss_detection.c b/src/core/loss_detection.c
@@ -1329,6 +1329,22 @@ QuicLossDetectionProcessAckBlocks(
     uint32_t i = 0;
     QUIC_SUBRANGE* AckBlock;
     while ((AckBlock = QuicRangeGetSafe(AckBlocks, i++)) != NULL) {
+        //
+        // ATTACK DETECTION: Check if the skipped packet number is in this ACK
+        // block. If so, this indicates a potential injection attack.
+        //
+        if (Connection->Send.SkippedPacketNumber >= AckBlock->Low &&
+            Connection->Send.SkippedPacketNumber <= QuicRangeGetHigh(AckBlock)) {
+            QuicTraceLogConnError(
+                AttackDetected,
+                Connection,
+                "Attack detected: Skipped packet number %llu ACKed in range [%llu, %llu]",
+                Connection->Send.SkippedPacketNumber,
+                AckBlock->Low,
+                QuicRangeGetHigh(AckBlock));
+            QuicConnTransportError(Connection, QUIC_ERROR_PROTOCOL_VIOLATION);
+            return;
+        }
 
         //
         // Check to see if any packets in the LostPackets list are acknowledged,
diff --git a/src/core/packet_builder.c b/src/core/packet_builder.c
@@ -379,6 +379,27 @@ QuicPacketBuilderPrepare(
             Builder->Metadata->PacketId,
             Builder->BatchId);
 
+        //
+        // Occassionally skip a packet number for improved security.
+        //
+        if (Connection->Send.NextSkippedPacketNumber == Connection->Send.NextPacketNumber) {
+            Connection->Send.SkippedPacketNumber =
+                Connection->Send.NextPacketNumber++;
+            QuicTraceLogConnWarning(
+                SkipPacketNumber,
+                Connection,
+                "Skipped packet number %llu",
+                Connection->Send.SkippedPacketNumber);
+
+            //
+            // Randomly skip a packet number (from 0 to 65535).
+            //
+            uint16_t RandomSkip = 0;
+            CxPlatRandom(sizeof(RandomSkip), &RandomSkip);
+            Connection->Send.NextSkippedPacketNumber =
+                Connection->Send.NextPacketNumber + RandomSkip;
+        }
+
         Builder->Metadata->FrameCount = 0;
         Builder->Metadata->PacketNumber = Connection->Send.NextPacketNumber++;
         Builder->Metadata->Flags.KeyType = NewPacketKeyType;
diff --git a/src/core/send.c b/src/core/send.c
@@ -34,6 +34,21 @@ QuicSendInitialize(
 {
     CxPlatListInitializeHead(&Send->SendStreams);
     Send->MaxData = Settings->ConnFlowControlWindow;
+    Send->SkippedPacketNumber = UINT64_MAX;
+
+    //
+    // Randomize initial packet number between 0 and 256 for improved security.
+    // This makes it harder for attackers to predict packet numbers.
+    //
+    uint8_t RandomValue = 0;
+    CxPlatRandom(sizeof(RandomValue), &RandomValue);
+    Send->NextPacketNumber = RandomValue;
+
+    //
+    // Randomly skip a packet number (from 0 to 256).
+    //
+    CxPlatRandom(sizeof(RandomValue), &RandomValue);
+    Send->NextSkippedPacketNumber = Send->NextPacketNumber + RandomValue;
 }
 
 _IRQL_requires_max_(PASSIVE_LEVEL)
diff --git a/src/core/send.h b/src/core/send.h
@@ -267,6 +267,17 @@ typedef struct QUIC_SEND {
     //
     uint64_t NextPacketNumber;
 
+    //
+    // The current skipped packet number for attack detection. If this is
+    // acknowledged, it indicates an attack.
+    //
+    uint64_t SkippedPacketNumber;
+
+    //
+    // The next packet number we will skip for attack detection.
+    //
+    uint64_t NextSkippedPacketNumber;
+
     //
     // Last time send flush occurred. Used for pacing calculations.
     //
diff --git a/src/generated/linux/loss_detection.c.clog.h b/src/generated/linux/loss_detection.c.clog.h
@@ -18,6 +18,10 @@
 #define _clog_MACRO_QuicTraceLogVerbose  1
 #define QuicTraceLogVerbose(a, ...) _clog_CAT(_clog_ARGN_SELECTOR(__VA_ARGS__), _clog_CAT(_,a(#a, __VA_ARGS__)))
 #endif
+#ifndef _clog_MACRO_QuicTraceLogConnError
+#define _clog_MACRO_QuicTraceLogConnError  1
+#define QuicTraceLogConnError(a, ...) _clog_CAT(_clog_ARGN_SELECTOR(__VA_ARGS__), _clog_CAT(_,a(#a, __VA_ARGS__)))
+#endif
 #ifndef _clog_MACRO_QuicTraceLogConnInfo
 #define _clog_MACRO_QuicTraceLogConnInfo  1
 #define QuicTraceLogConnInfo(a, ...) _clog_CAT(_clog_ARGN_SELECTOR(__VA_ARGS__), _clog_CAT(_,a(#a, __VA_ARGS__)))
@@ -241,6 +245,30 @@ tracepoint(CLOG_LOSS_DETECTION_C, PacketTxProbeRetransmit , arg2, arg3);\
 
 
 
+/*----------------------------------------------------------
+// Decoder Ring for AttackDetected
+// [conn][%p] Attack detected: Skipped packet number %llu ACKed in range [%llu, %llu]
+// QuicTraceLogConnError(
+                AttackDetected,
+                Connection,
+                "Attack detected: Skipped packet number %llu ACKed in range [%llu, %llu]",
+                Connection->Send.SkippedPacketNumber,
+                AckBlock->Low,
+                QuicRangeGetHigh(AckBlock));
+// arg1 = arg1 = Connection = arg1
+// arg3 = arg3 = Connection->Send.SkippedPacketNumber = arg3
+// arg4 = arg4 = AckBlock->Low = arg4
+// arg5 = arg5 = QuicRangeGetHigh(AckBlock) = arg5
+----------------------------------------------------------*/
+#ifndef _clog_6_ARGS_TRACE_AttackDetected
+#define _clog_6_ARGS_TRACE_AttackDetected(uniqueId, arg1, encoded_arg_string, arg3, arg4, arg5)\
+tracepoint(CLOG_LOSS_DETECTION_C, AttackDetected , arg1, arg3, arg4, arg5);\
+
+#endif
+
+
+
+
 /*----------------------------------------------------------
 // Decoder Ring for HandshakeConfirmedAck
 // [conn][%p] Handshake confirmed (ack)
diff --git a/src/generated/linux/loss_detection.c.clog.h.lttng.h b/src/generated/linux/loss_detection.c.clog.h.lttng.h
@@ -247,6 +247,37 @@ TRACEPOINT_EVENT(CLOG_LOSS_DETECTION_C, PacketTxProbeRetransmit,
 
 
 
+/*----------------------------------------------------------
+// Decoder Ring for AttackDetected
+// [conn][%p] Attack detected: Skipped packet number %llu ACKed in range [%llu, %llu]
+// QuicTraceLogConnError(
+                AttackDetected,
+                Connection,
+                "Attack detected: Skipped packet number %llu ACKed in range [%llu, %llu]",
+                Connection->Send.SkippedPacketNumber,
+                AckBlock->Low,
+                QuicRangeGetHigh(AckBlock));
+// arg1 = arg1 = Connection = arg1
+// arg3 = arg3 = Connection->Send.SkippedPacketNumber = arg3
+// arg4 = arg4 = AckBlock->Low = arg4
+// arg5 = arg5 = QuicRangeGetHigh(AckBlock) = arg5
+----------------------------------------------------------*/
+TRACEPOINT_EVENT(CLOG_LOSS_DETECTION_C, AttackDetected,
+    TP_ARGS(
+        const void *, arg1,
+        unsigned long long, arg3,
+        unsigned long long, arg4,
+        unsigned long long, arg5), 
+    TP_FIELDS(
+        ctf_integer_hex(uint64_t, arg1, (uint64_t)arg1)
+        ctf_integer(uint64_t, arg3, arg3)
+        ctf_integer(uint64_t, arg4, arg4)
+        ctf_integer(uint64_t, arg5, arg5)
+    )
+)
+
+
+
 /*----------------------------------------------------------
 // Decoder Ring for HandshakeConfirmedAck
 // [conn][%p] Handshake confirmed (ack)
diff --git a/src/generated/linux/packet_builder.c.clog.h b/src/generated/linux/packet_builder.c.clog.h
@@ -47,6 +47,26 @@ tracepoint(CLOG_PACKET_BUILDER_C, NoSrcCidAvailable , arg1);\
 
 
 
+/*----------------------------------------------------------
+// Decoder Ring for SkipPacketNumber
+// [conn][%p] Skipped packet number %llu
+// QuicTraceLogConnWarning(
+                SkipPacketNumber,
+                Connection,
+                "Skipped packet number %llu",
+                Connection->Send.SkippedPacketNumber);
+// arg1 = arg1 = Connection = arg1
+// arg3 = arg3 = Connection->Send.SkippedPacketNumber = arg3
+----------------------------------------------------------*/
+#ifndef _clog_4_ARGS_TRACE_SkipPacketNumber
+#define _clog_4_ARGS_TRACE_SkipPacketNumber(uniqueId, arg1, encoded_arg_string, arg3)\
+tracepoint(CLOG_PACKET_BUILDER_C, SkipPacketNumber , arg1, arg3);\
+
+#endif
+
+
+
+
 /*----------------------------------------------------------
 // Decoder Ring for GetPacketTypeFailure
 // [conn][%p] Failed to get packet type for control frames, 0x%x
diff --git a/src/generated/linux/packet_builder.c.clog.h.lttng.h b/src/generated/linux/packet_builder.c.clog.h.lttng.h
@@ -20,6 +20,29 @@ TRACEPOINT_EVENT(CLOG_PACKET_BUILDER_C, NoSrcCidAvailable,
 
 
 
+/*----------------------------------------------------------
+// Decoder Ring for SkipPacketNumber
+// [conn][%p] Skipped packet number %llu
+// QuicTraceLogConnWarning(
+                SkipPacketNumber,
+                Connection,
+                "Skipped packet number %llu",
+                Connection->Send.SkippedPacketNumber);
+// arg1 = arg1 = Connection = arg1
+// arg3 = arg3 = Connection->Send.SkippedPacketNumber = arg3
+----------------------------------------------------------*/
+TRACEPOINT_EVENT(CLOG_PACKET_BUILDER_C, SkipPacketNumber,
+    TP_ARGS(
+        const void *, arg1,
+        unsigned long long, arg3), 
+    TP_FIELDS(
+        ctf_integer_hex(uint64_t, arg1, (uint64_t)arg1)
+        ctf_integer(uint64_t, arg3, arg3)
+    )
+)
+
+
+
 /*----------------------------------------------------------
 // Decoder Ring for GetPacketTypeFailure
 // [conn][%p] Failed to get packet type for control frames, 0x%x
diff --git a/src/manifest/clog.sidecar b/src/manifest/clog.sidecar
@@ -219,6 +219,30 @@
       ],
       "macroName": "QuicTraceLogConnInfo"
     },
+    "AttackDetected": {
+      "ModuleProperites": {},
+      "TraceString": "[conn][%p] Attack detected: Skipped packet number %llu ACKed in range [%llu, %llu]",
+      "UniqueId": "AttackDetected",
+      "splitArgs": [
+        {
+          "DefinationEncoding": "p",
+          "MacroVariableName": "arg1"
+        },
+        {
+          "DefinationEncoding": "llu",
+          "MacroVariableName": "arg3"
+        },
+        {
+          "DefinationEncoding": "llu",
+          "MacroVariableName": "arg4"
+        },
+        {
+          "DefinationEncoding": "llu",
+          "MacroVariableName": "arg5"
+        }
+      ],
+      "macroName": "QuicTraceLogConnError"
+    },
     "BindingCleanup": {
       "ModuleProperites": {},
       "TraceString": "[bind][%p] Cleaning up",
@@ -11525,6 +11549,22 @@
       ],
       "macroName": "QuicTraceLogStreamWarning"
     },
+    "SkipPacketNumber": {
+      "ModuleProperites": {},
+      "TraceString": "[conn][%p] Skipped packet number %llu",
+      "UniqueId": "SkipPacketNumber",
+      "splitArgs": [
+        {
+          "DefinationEncoding": "p",
+          "MacroVariableName": "arg1"
+        },
+        {
+          "DefinationEncoding": "llu",
+          "MacroVariableName": "arg3"
+        }
+      ],
+      "macroName": "QuicTraceLogConnWarning"
+    },
     "SockCreateFail": {
       "ModuleProperites": {},
       "TraceString": "[sock] Failed to create socket, status:%d",
@@ -14030,6 +14070,11 @@
         "TraceID": "ApplySettings",
         "EncodingString": "[conn][%p] Applying new settings"
       },
+      {
+        "UniquenessHash": "2577283e-0a65-186c-be40-d33b66b0062d",
+        "TraceID": "AttackDetected",
+        "EncodingString": "[conn][%p] Attack detected: Skipped packet number %llu ACKed in range [%llu, %llu]"
+      },
       {
         "UniquenessHash": "5d83e63e-7ce5-0102-8dd2-cbcf5946da2e",
         "TraceID": "BindingCleanup",
@@ -17500,6 +17545,11 @@
         "TraceID": "ShutdownImmediatePendingReliableReset",
         "EncodingString": "[strm][%p] Invalid immediate shutdown request (pending reliable reset)."
       },
+      {
+        "UniquenessHash": "2656ff28-78a8-28d2-b18f-0aa4ec664a0d",
+        "TraceID": "SkipPacketNumber",
+        "EncodingString": "[conn][%p] Skipped packet number %llu"
+      },
       {
         "UniquenessHash": "7b00c1b9-3578-872f-c41f-75bb4f92de18",
         "TraceID": "SockCreateFail",
