use the dynamic table #33

Open
marten-seemann opened this issue Nov 18, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

@marten-seemann
Member

The current QPACK implementation only uses the minimal feature set of QPACK (i.e. Huffman-encoding and static table). This guarantees interoperability with other QPACK implementations. However, it's not very efficient, since we'll never be able to compress headers that are sent repeatedly. This is where using the dynamic table would lead to significant savings.

See quic-go/quic-go#2424 for the quic-go tracking issue.

@marten-seemann marten-seemann added the enhancement New feature or request label Nov 18, 2023
@LinZiyuu

LinZiyuu commented Jun 5, 2024

Hello, I'm looking for an HTTP/3 client that supports QPACK dynamic table compression. quic-go doesn't support dynamic tables right now, right?

@marten-seemann
Member Author

That's correct. Can you tell us a bit about your use case?

We could add support, but so far we haven't seen a lot of interest.

@LinZiyuu

LinZiyuu commented Jun 6, 2024

We are trying to test that an attacker can exploit QPACK to launch a Denial of Service attack in this scenario (Client <--> CDN/Reverse Proxy <--> Origin).

We think that it works by the client sending QPACK-compressed HTTP requests (dynamic table), then the CDN decompressing the HTTP requests and forwarding them to the Origin. (Client <-Compressed HTTP requests-HTTP/3-> CDN <-Decompressed HTTP requests-HTTP/1-> Origin)

We have confirmed that attackers can exploit QPACK (static tables) to launch the Denial of Service attack, but it has limited amplification factors.

I am a researcher focusing on CDN security and protocol security and will not exploit this vulnerability for malicious attacks. I just want to report this vulnerability to CDN vendors and Reverse Proxy developers after confirming it.

Refer to https://www.ndss-symposium.org/wp-content/uploads/24411-slides.pdf

@marten-seemann
Member Author

> Refer to https://www.ndss-symposium.org/wp-content/uploads/24411-slides.pdf

Interesting read. I'd expect your attack to work exactly as the HTTP/2 version. For the application, HPACK and QPACK are quite similar. Implementation-wise, QPACK is a lot more complex, since it has to deal with reordering between requests.

@LinZiyuu

LinZiyuu commented Jun 6, 2024

Yes, QPACK is more complicated, so I've searched a lot of QPACK libraries that don't implement dynamic tables. Looking forward to quic-go supporting dynamic tables.
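
Added example, not part of the original thread and not code from quic-go or its QPACK package: a decoder-side guard for the Client <--> CDN/Reverse Proxy <--> Origin setup discussed above, which sizes the decoded field section before anything is forwarded. `Field`, `Account`, `SampleFields`, `ErrFieldSectionTooLarge` and the limits are hypothetical names and values; the 32-byte per-field overhead comes from RFC 9114 and RFC 9204.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RFC 9114 section 4.2.2 counts 32 extra bytes per field when sizing a field
// section; RFC 9204 sizes dynamic table entries the same way.
const fieldOverhead = 32

// ErrFieldSectionTooLarge is a name made up for this example.
var ErrFieldSectionTooLarge = errors.New("decoded field section exceeds limit")

// Field is one decoded header field and the encoded bytes it came from.
type Field struct {
	Name, Value string
	WireBytes   int
}

// Account sums fields in decode order and stops at the first one that pushes
// the decoded size past limit, before anything is forwarded upstream.
func Account(fields []Field, limit uint64) (wire, decoded uint64, err error) {
	for _, f := range fields {
		wire += uint64(f.WireBytes)
		decoded += uint64(len(f.Name)+len(f.Value)) + fieldOverhead
		if decoded > limit {
			return wire, decoded, ErrFieldSectionTooLarge
		}
	}
	return wire, decoded, nil
}

// SampleFields is constructed input: three fields, each decoded from a
// 2-byte table reference to a 1000-byte value.
func SampleFields() []Field {
	v := strings.Repeat("a", 1000)
	return []Field{{"x-sample", v, 2}, {"x-sample", v, 2}, {"x-sample", v, 2}}
}

func main() {
	for _, limit := range []uint64{2500, 16384} {
		wire, decoded, err := Account(SampleFields(), limit)
		// Decoded bytes per encoded byte is worth logging per request.
		fmt.Printf("limit=%d wire=%d decoded=%d ratio=%.0f err=%v\n",
			limit, wire, decoded, float64(decoded)/float64(wire), err)
	}
}
```

In a real decoder the same accounting would run inside the per-field callback, so an oversized section is rejected while it is still being decoded rather than after it has been buffered.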
