loke.dev
Header image for What Nobody Tells You About HTTP/3: Why Your 'Faster' Protocol Is Secretly Triggering UDP Throttling

What Nobody Tells You About HTTP/3: Why Your 'Faster' Protocol Is Secretly Triggering UDP Throttling

Transitioning to QUIC isn't always a performance win; learn why network middleboxes and ISP 'UDP policing' might be turning your protocol upgrade into a hidden bottleneck.

· 5 min read

You’ve been told that moving to HTTP/3 is a "free upgrade" for your latency, but for a significant chunk of your users, you might have just accidentally throttled their connection back to 2005 speeds. While the industry is rushing to embrace QUIC for its promise of zero round-trip handshakes and the end of head-of-line blocking, the "boring" parts of the internet—firewalls, ISPs, and corporate middleboxes—are often working actively against you.

The UDP Tax: Why "Better" Can Be Slower

HTTP/3 runs over QUIC, which in turn runs over UDP. For decades, the internet was a TCP world. Firewalls were built to understand TCP state machines. They know when a connection starts, how it flows, and when it ends. UDP, on the other hand, was historically the "wild west"—used for DNS, simple NTP pings, or maybe a frantic burst of gaming packets.

Because UDP is connectionless, many network administrators treat large volumes of UDP traffic with extreme suspicion. To a $500 enterprise firewall sitting in a branch office, a massive stream of incoming UDP packets doesn't look like a modern web protocol; it looks like a DNS amplification attack or a DDoS attempt in progress.

When these middleboxes get scared, they do one of two things:
1. Drop the packets entirely, forcing your browser to timeout and fall back to TCP.
2. Rate-limit or "police" the traffic, capping UDP throughput to a fraction of the available bandwidth.

Real Talk: How ISPs "Police" Your Traffic

I’ve seen cases where a site’s P99 latency actually *spiked* after enabling HTTP/3. The culprit? ISP traffic shaping. Some consumer ISPs use a strategy called "UDP Policing." They allocate a specific bucket of bandwidth for UDP traffic. Once your high-definition QUIC stream hits that limit, the ISP starts dropping packets indiscriminately.

Because QUIC handles its own congestion control, it sees these drops and thinks the network is congested, so it slows down. You end up in a spiral where your "faster" protocol is being artificially strangled while a "slower" TCP connection would have sailed right through the shaping rules.

How to Tell if You're Getting Screwed

You can’t just trust the h3 tag in your DevTools. You need to see if the connection is actually performing. If you want to test this programmatically, you can use a tool like quic-go or even a simple Python script to compare the raw throughput of a UDP stream vs a TCP stream to the same endpoint.

Here is a quick-and-dirty Go snippet to check if you can even establish a QUIC session to your server before you start betting your performance metrics on it:

package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net/http"
	"time"

	"github.com/quic-go/quic-go/http3"
)

func main() {
	url := "https://your-api-endpoint.com"

	// We use a custom RoundTripper for H3
	roundTripper := &http3.RoundTripper{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: false,
		},
	}
	defer roundTripper.Close()

	client := &http.Client{
		Transport: roundTripper,
		Timeout:   time.Second * 5,
	}

	start := time.Now()
	resp, err := client.Get(url)
	if err != nil {
		fmt.Printf("❌ QUIC failed: %v\n", err)
		return
	}
	defer resp.Body.Close()

	fmt.Printf("✅ Success! Protocol: %s, Latency: %v\n", resp.Proto, time.Since(start))
}

If this consistently times out while a standard curl works instantly, your network (or your user's network) is eating your UDP packets for breakfast.

The Nginx Trap: Don't Just Enable It

If you’re using Nginx, enabling HTTP/3 is more than just adding a listen directive. You have to tell the browser that HTTP/3 is even an option via the Alt-Svc header. But here’s the kicker: if you set the ma (max-age) too high, and a user moves from a "QUIC-friendly" network to a "UDP-throttling" network, their browser might keep trying to force a broken H3 connection.

Here is a safer way to configure your Nginx block to allow for a graceful transition:

server {
    # Listen on both TCP (H2) and UDP (H3)
    listen 443 quic reuseport;
    listen 443 ssl;
    http2 on;

    # The magic header that tells the browser H3 exists
    # Start with a low 'ma' (max-age) like 60 seconds while testing
    add_header Alt-Svc 'h3=":443"; ma=60';

    # Optional: Add a custom header to track which protocol was used
    add_header X-Protocol $server_protocol;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # ... rest of your config
}

Pro tip: By using a low ma=60, you ensure that if things go sideways, the browser will stop trying to use QUIC after a minute rather than being stuck in "QUIC-failure-land" for days.

Designing for "Happy Eyeballs"

The solution to the UDP throttling problem isn't to abandon HTTP/3; it's to implement a "Happy Eyeballs" style approach (RFC 8305). Your client-side logic should never assume QUIC is available.

Modern browsers do this natively—they attempt a QUIC connection and a TCP connection in parallel (or with a slight delay) and pick the winner. But if you are building a mobile app or a dedicated client using libraries like cronet or okverify, you need to be careful.

If you force QUIC and the ISP is policing UDP to 1Mbps, your app will feel sluggish, but it won't "fail," so your error logs will look perfectly green. You need to log the actual protocol used alongside transfer speed in your telemetry.

The Bottom Line

HTTP/3 is an incredible feat of engineering, but it’s operating in a physical world full of legacy hardware that thinks UDP is "just for pings."

Before you roll out QUIC globally:
1. Audit your middleboxes. If you’re in a corporate environment, check if the firewalls are doing deep packet inspection (DPI) on UDP port 443.
2. Monitor the "Fallback Ratio." Track how many users start on H3 but end up on H2.
3. Check for "Silent Throttling." Don't just look at connection success; look at the throughput. If your H2 connections are consistently 2x faster than your H3 connections, you’re being policed.

Don't let the hype around a protocol upgrade blind you to the reality of the wire. Sometimes, the "older" way is the only way to get through a stubborn router.