QUIC Traffic Identification in Kernel Space

QUIC is a transport-layer protocol that encrypts most headers and all payload data, encapsulating them in UDP to provide security and low latency. However, this encryption and encapsulation pose challenges for kernel-level network and security monitoring. To address this, we present LinkQUIC, the first heuristic-based system that identifies and classifies QUIC traffic at both kernel-space endpoints and middleboxes. LinkQUIC analyzes unencrypted QUIC header fields and leverages gaps in existing QUIC implementations, particularly during connection migration and path changes where behavior does not fully comply with RFC 9000’s privacy-preserving guidelines. Unlike user-space tools, LinkQUIC leverages eBPF to operate entirely in kernel space without requiring kernel modifications, encryption keys or prior knowledge of specific QUIC deployments. We evaluate LinkQUIC in real-world environments and demonstrate its effectiveness in identifying QUIC traffic, including complex migration scenarios, with minimal overhead.

Digital Object Identifier (DOI)
10.1109/ISNCC66965.2025.11250416
Author(s) not member(s) of CYBEREXCELLENCE
Laurent Schumacher