-Datagram based protocols can be susceptible to Denial of Service attacks. A
-DTLS attacker could, for example, submit a series of handshake initiation
-requests that cause the server to allocate state (and possibly perform
-cryptographic operations) thus consuming server resources. The attacker could
-also (with UDP) quite simply forge the source IP address in such an attack.
-
-As a counter measure to that DTLS includes a stateless cookie mechanism. The
-idea is that when a client attempts to connect to a server it sends a
-ClientHello message. The server responds with a HelloVerifyRequest which
-contains a unique cookie. The client then resends the ClientHello, but this time
-includes the cookie in the message thus proving that the client is capable of
-receiving messages sent to that address. All of this can be done by the server
-without allocating any state, and thus without consuming expensive resources.
-
-OpenSSL implements this capability via the DTLSv1_listen() function. The B<ssl>
-parameter should be a newly allocated SSL object with its read and write BIOs
-set, in the same way as might be done for a call to SSL_accept(). Typically the
-read BIO will be in an "unconnected" state and thus capable of receiving
-messages from any peer.
+Some transport protocols (such as UDP) can be susceptible to amplification
+attacks. Unlike TCP there is no initial connection setup in UDP that
+validates that the client can actually receive messages on its advertised source
+address. An attacker could forge its source IP address and then send handshake
+initiation messages to the server. The server would then send its response to
+the forged source IP. If the response messages are larger than the original
+message then the amplification attack has succeeded.
+
+If DTLS is used over UDP (or any datagram based protocol that does not validate
+the source IP) then it is susceptible to this type of attack. TLSv1.3 is
+designed to operate over a stream-based transport protocol (such as TCP).
+If TCP is being used then there is no need to use SSL_stateless(). However some
+stream-based transport protocols (e.g. QUIC) may not validate the source
+address. In this case a TLSv1.3 application would be susceptible to this attack.
+
+As a countermeasure to this issue TLSv1.3 and DTLS include a stateless cookie
+mechanism. The idea is that when a client attempts to connect to a server it
+sends a ClientHello message. The server responds with a HelloRetryRequest (in
+TLSv1.3) or a HelloVerifyRequest (in DTLS) which contains a unique cookie. The
+client then resends the ClientHello, but this time includes the cookie in the
+message thus proving that the client is capable of receiving messages sent to
+that address. All of this can be done by the server without allocating any
+state, and thus without consuming expensive resources.
+
+OpenSSL implements this capability via the SSL_stateless() and DTLSv1_listen()
+functions. The B<ssl> parameter should be a newly allocated SSL object with its
+read and write BIOs set, in the same way as might be done for a call to
+SSL_accept(). Typically, for DTLS, the read BIO will be in an "unconnected"
+state and thus capable of receiving messages from any peer.