Citrix devices are being abused as DDoS attack vectors | ZDNet

by news100
December 24, 2020

Images: Citrix // Composition: ZDNet

Threat actors have discovered a way to bounce and amplify junk web traffic against Citrix ADC networking equipment to launch DDoS attacks.

While details about the attackers are still unknown, victims of these Citrix-based DDoS attacks have mostly included online gaming services, such as Steam and Xbox, sources told ZDNet earlier today.

The first of these attacks were detected last week and documented by German IT systems administrator Marco Hofmann.

Hofmann tracked the issue to the DTLS interface on Citrix ADC devices.

DTLS, or Datagram Transport Layer Security, is a version of the TLS protocol implemented on the stream-friendly UDP transfer protocol, rather than the more reliable TCP.

Just like all UDP-based protocols, DTLS is spoofable and can be used as a DDoS amplification vector.

What this means is that attackers can send small DTLS packets to the DTLS-capable device and have the result returned in a many times larger packet to a spoofed IP address (the DDoS attack victim).

How many times the original packet is enlarged determines the amplification factor of a specific protocol. For past DTLS-based DDoS attacks, the amplification factor was usually 4 or 5 times the original packet.

But, on Monday, Hofmann reported that the DTLS implementation on Citrix ADC devices appears to be yielding a whopping amplification factor of 35, making it one of the most potent DDoS amplification vectors.

Citrix confirms issue

Earlier today, after several reports, Citrix also confirmed the issue and promised to release a fix after the winter holidays, in mid-January 2020.

The company said it’s seen the DDoS attack vector being abused against “a small number of customers around the world.”

The issue is considered dangerous for IT administrators because of cost and uptime-related problems rather than the security of their devices.

As attackers abuse a Citrix ADC device, they might end up exhausting its upstream bandwidth, creating additional costs and blocking legitimate activity from the ADC.
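One way an administrator could spot this abuse in flow data, as an added example that is not from the original article: it sums UDP/443 bytes per remote address and flags peers to which the ADC sends far more than it receives. The CSV layout, the sample rows and both thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed flow export for one ADC; "direction" is relative to the ADC.
SAMPLE_FLOWS = """\
remote_ip,proto,local_port,direction,packets,bytes
198.51.100.7,udp,443,in,400,88000
198.51.100.7,udp,443,out,2400,3080000
203.0.113.20,udp,443,in,900,610000
203.0.113.20,udp,443,out,1100,1450000
203.0.113.21,tcp,443,in,300,90000
203.0.113.21,tcp,443,out,500,2900000
192.0.2.55,udp,443,in,12,2640
192.0.2.55,udp,443,out,70,92400
"""


def reflection_suspects(flow_csv, min_ratio=10.0, min_out_bytes=1_000_000):
    """Return [(remote_ip, out/in byte ratio, out_bytes)] for UDP/443 peers
    whose traffic looks like DTLS reflection, largest outbound volume first.

    min_ratio and min_out_bytes are assumed thresholds; tune them per site.
    """
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # Only DTLS/EDT traffic (UDP on port 443) is relevant here; TCP/443
        # downloads are legitimately asymmetric and would be false positives.
        if row["proto"] != "udp" or row["local_port"] != "443":
            continue
        totals[row["remote_ip"]][row["direction"]] += int(row["bytes"])

    suspects = []
    for ip, t in totals.items():
        if t["out"] < min_out_bytes:
            continue  # too small to threaten upstream bandwidth
        ratio = t["out"] / t["in"] if t["in"] else float("inf")
        if ratio >= min_ratio:
            # With spoofed sources, remote_ip is the address being flooded,
            # not the sender of the requests.
            suspects.append((ip, round(ratio, 1), t["out"]))
    return sorted(suspects, key=lambda s: s[2], reverse=True)


if __name__ == "__main__":
    for ip, ratio, out_bytes in reflection_suspects(SAMPLE_FLOWS):
        print(f"{ip}: sent {out_bytes} bytes, {ratio}x what was received")
```
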

Until Citrix readies official mitigations, two temporary fixes have emerged.

The first is to disable the Citrix ADC DTLS interface if not used. 

Citrix ADC

If you are impacted by this attack you can disable DTLS to stop it. Disabling the DTLS protocol will lead to limited performance degradation, a short freeze and to a fallback.

Run following CLI command on Citrix ADC: 
set vpn vserver <vpn_vserver_name> -dtls OFF https://t.co/Tpdnp8k9y3

— Thorsten E. (@endi24) December 24, 2020

If the DTLS interface is needed, forcing the device to authenticate incoming DTLS connections is recommended, although it may degrade the device’s performance as a result.

If you are making use of Citrix ADC and have enabled DTLS/EDT (UDP via port 443) you might need to run this command: “set ssl dtlsProfile nsdtls_default_profile -helloVerifyRequest ENABLED”. This will prevent you from future UDP amplification attacks. #NetScaler #CitrixADC

— Anton van Pelt (@AntonvanPelt) December 21, 2020

Actually the vast majority of deploys will become unstable with that. To be safe until January, better block UDP.

— Thorsten Rood (@ThorstenRood) December 22, 2020
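Why the helloVerifyRequest setting mentioned above removes the amplification, as an added sketch that is not Citrix's code or part of the original article: it models the stateless cookie exchange from RFC 6347, where a server answers an unverified ClientHello with a small HelloVerifyRequest instead of its large first flight. The request and flight sizes are constructed so that the unverified case matches the factor of 35 reported above.

```python
import hashlib
import hmac
import os
import struct

SECRET = os.urandom(32)    # per-server cookie key (a real stack rotates it)
CLIENT_HELLO_BYTES = 120   # constructed request size
FIRST_FLIGHT_BYTES = 4200  # constructed ServerHello..Certificate flight size


def make_cookie(src_ip, src_port, client_random):
    """Stateless cookie bound to the claimed source address (RFC 6347, 4.2.1)."""
    msg = f"{src_ip}|{src_port}|".encode() + client_random
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:16]


def hello_verify_request(cookie, seq=0):
    """Serialize a HelloVerifyRequest record that carries the cookie."""
    # Body: server_version (DTLS 1.0 value, as the RFC recommends) + cookie.
    body = b"\xfe\xff" + bytes([len(cookie)]) + cookie
    length3 = len(body).to_bytes(3, "big")
    # Handshake header: type 3, length, message_seq, fragment offset/length.
    hs = b"\x03" + length3 + struct.pack("!H", 0) + b"\x00\x00\x00" + length3
    # Record header: handshake content type, version, epoch 0, sequence number.
    record = b"\x16\xfe\xff" + struct.pack("!H", 0) + seq.to_bytes(6, "big")
    return record + struct.pack("!H", len(hs + body)) + hs + body


def respond(src_ip, src_port, client_random, cookie=b"", hello_verify=True):
    """Return the bytes a server would send for one ClientHello datagram."""
    if hello_verify:
        expected = make_cookie(src_ip, src_port, client_random)
        if not hmac.compare_digest(cookie, expected):
            # Unverified source: reply is smaller than the request, no state kept.
            return hello_verify_request(expected)
    return bytes(FIRST_FLIGHT_BYTES)  # stand-in for the large certificate flight


def amplification(reply):
    """Reply size relative to the constructed ClientHello size."""
    return len(reply) / CLIENT_HELLO_BYTES


if __name__ == "__main__":
    rnd = os.urandom(32)
    for flag in (False, True):
        reply = respond("192.0.2.10", 5000, rnd, hello_verify=flag)
        print(f"hello_verify={flag}: {len(reply)} bytes, x{amplification(reply):.2f}")
```

A spoofed source never receives the cookie, so it cannot trigger the large flight; only a client that really sits at the claimed address can echo it back.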




