QUIC’s connection ID issuance mechanism is vulnerable to a resource exhaustion attack similar to the recently reported attack against QUIC’s path validation mechanism. I discovered this vulnerability in December 2023 and disclosed it to the IETF QUIC working group. Among 17 QUIC stacks surveyed, 11 were found vulnerable, including my own (quic-go), Cloudflare quiche, Neqo (Mozilla), lsquic (LiteSpeed) and MsQuic (Microsoft). Due to the large number of affected implementations, and the len...
