A hands-on gaze on HTTP/3 security through the lens of HTTP/2 and a public dataset
Efstratios Chatzoglou, Vasileios Kouliaridis, Georgios Kambourakis, Georgios Karopoulos, Stefanos Gritzalis

TL;DR
This paper reviews HTTP/2 attacks, explores their applicability to HTTP/3, evaluates attack effectiveness on popular servers, and provides a large, labeled dataset for future research using machine learning.
Contribution
It offers a comprehensive analysis of HTTP/2 attacks' transferability to HTTP/3, evaluates attack effectiveness on real servers, and releases a large dataset for advancing security research.
Findings
Identified at least one CVE with critical severity for HTTP/3.
Demonstrated attack effectiveness on six popular HTTP/3 servers.
Provided a large, labeled dataset for machine learning-based security analysis.
Abstract
Following QUIC protocol ratification in May 2021, the third major version of the Hypertext Transfer Protocol, namely HTTP/3, was published around one year later in RFC 9114. In light of these consequential advancements, the current work aspires to provide full-blown coverage of the following issues, which to our knowledge have received feeble or no attention in the literature so far. First, we provide a complete review of attacks against HTTP/2, and elaborate on if and in which way they can be migrated to HTTP/3. Second, through the creation of a testbed comprising the at present six most popular HTTP/3-enabled servers, we examine the effectiveness of a quartet of attacks, either stemming directly from the HTTP/2 relevant literature or being entirely new. This scrutiny led to the assignment of at least one CVE ID with a critical base score by MITRE. No less important, by capitalizing…
Taxonomy
Topics: Privacy, Security, and Data Protection · Internet Traffic Analysis and Secure E-voting · Web Application Security Vulnerabilities
