Software Engineering Institute

This presentation was given at FloCon 2023, an annual conference that focuses on applying any and all collected data to defend enterprise networks.

The QUIC protocol creates new challenges for network defense by encrypting most of its data, but it is nonetheless still possible to extract some metadata and identify client applications through fingerprinting. The QUIC standard encrypts headers with fixed but unregistered symmetric keys, which must be decrypted by passive security monitors. Some implementations randomly fragment data elements within the initial packet, and some additionally randomize the order of data elements, which further complicates QUIC monitoring. This presentation details these mechanisms, and describes how we worked around them to develop a client application fingerprinting method for the mercury open source package. It also reports on large-scale observations of QUIC on enterprise networks, which fused data from both host and network sources to provide a detailed view. Insights include client application behaviors, the application layer protocols negotiated (which include DNS and SMB over QUIC), pre-standard versions of the protocol, and QUIC features like version negotiation and the user-agent string. Since its standardization in 2021, QUIC use has become commonplace by big tech companies, and by some privacy-oriented software vendors, but fortunately not yet by malware implementers.

Attendees will better understand the QUIC protocol, how it is currently used, how it facilitates some evasive network behaviors, and how it is possible to extract some useful metadata from the protocol and fingerprint client applications.