
Threat actors have found a way to bounce and amplify junk web traffic off Citrix ADC network appliances in order to launch DDoS attacks.
While details about the attackers are still unknown, the victims of these Citrix-based DDoS attacks mainly included online gaming services, such as Steam and Xbox, sources told ZDNet earlier today.
The first of these attacks was detected last week and documented by German IT systems administrator Marco Hofmann.
Hofmann tracked down the problem with the DTLS interface on Citrix ADC devices.
DTLS, or Datagram Transport Layer Security, is a variant of the TLS protocol implemented on top of the lightweight, stream-friendly UDP transport protocol instead of the more reliable TCP.
Like all UDP-based protocols, DTLS is spoofable and can be used as a DDoS amplification vector.
This means attackers can send small DTLS packets with a forged source address to a DTLS-capable device and have the device return a much larger reply to that spoofed IP address, which belongs to the victim of the DDoS attack.
The ratio by which the original packet is enlarged is the amplification factor for a given protocol. In previous DTLS-based DDoS attacks, the amplification factor was usually 4 or 5 times the original packet.
But on Monday, Hofmann reported that the DTLS implementation on Citrix ADC devices appears to yield an amplification factor of 35, making it one of the most powerful DDoS amplification vectors known.
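The amplification factor described above is something a defender can measure directly from flow records of traffic to and from an ADC's DTLS port. The following Python script is an added example, not code from the article or from Citrix: it parses constructed UDP flow summaries (the line format, the IP addresses and the byte counts are all made up for illustration), pairs requests and responses per remote peer, and flags peers whose response volume exceeds the request volume by a configurable factor. The sizes are chosen so the spoofed victim shows the 35x ratio the article reports, while a real DTLS client stays near 1x.

```python
"""
Detect DTLS reflection/amplification from UDP flow records (added example).

Constructed sample data: flow summaries in the form
    <ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> udp <bytes>
A spoofed ClientHello arrives at the ADC's DTLS port (UDP/443) claiming the
victim's address, and the ADC answers with a much larger packet to that same
(spoofed) address. We aggregate bytes in each direction per remote peer and
compute response_bytes / request_bytes, the amplification factor.
"""
from collections import defaultdict
import re

DTLS_PORT = 443
ALERT_FACTOR = 10.0  # well above the 4-5x seen in earlier DTLS attacks

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dip>[\d.]+):(?P<dport>\d+)\s+udp\s+(?P<bytes>\d+)$"
)


def parse_flow(line):
    """Parse one constructed flow line into a dict, or None if malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "sip": m.group("sip"), "sport": int(m.group("sport")),
        "dip": m.group("dip"), "dport": int(m.group("dport")),
        "bytes": int(m.group("bytes")),
    }


def amplification_by_pair(lines, reflector_ip, dtls_port=DTLS_PORT):
    """Return {(peer_ip, peer_port): (in_bytes, out_bytes, factor)} for traffic
    between the reflector's DTLS port and each remote peer."""
    inbound = defaultdict(int)   # bytes the peer sent to the DTLS port
    outbound = defaultdict(int)  # bytes the DTLS port sent back to the peer
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if f["dip"] == reflector_ip and f["dport"] == dtls_port:
            inbound[(f["sip"], f["sport"])] += f["bytes"]
        elif f["sip"] == reflector_ip and f["sport"] == dtls_port:
            outbound[(f["dip"], f["dport"])] += f["bytes"]
    result = {}
    for peer in set(inbound) | set(outbound):
        i, o = inbound[peer], outbound[peer]
        factor = o / i if i else float("inf")
        result[peer] = (i, o, round(factor, 2))
    return result


def find_amplified_peers(lines, reflector_ip, threshold=ALERT_FACTOR):
    """Peers whose response volume exceeds request volume by `threshold`x,
    sorted by factor descending. These are the likely DDoS victims."""
    stats = amplification_by_pair(lines, reflector_ip)
    hits = [(peer, s) for peer, s in stats.items() if s[2] >= threshold]
    return sorted(hits, key=lambda x: x[1][2], reverse=True)


# Constructed sample: 10.0.0.5 is the ADC; 203.0.113.9 is the (spoofed) victim;
# 198.51.100.7 is a normal DTLS client. Sizes are illustrative, not measured.
SAMPLE_FLOWS = [
    "12:00:01 203.0.113.9:40001 -> 10.0.0.5:443 udp 60",
    "12:00:01 10.0.0.5:443 -> 203.0.113.9:40001 udp 2100",
    "12:00:02 203.0.113.9:40001 -> 10.0.0.5:443 udp 60",
    "12:00:02 10.0.0.5:443 -> 203.0.113.9:40001 udp 2100",
    "12:00:03 198.51.100.7:55000 -> 10.0.0.5:443 udp 400",
    "12:00:03 10.0.0.5:443 -> 198.51.100.7:55000 udp 1200",
    "12:00:04 198.51.100.7:55000 -> 10.0.0.5:443 udp 900",
    "12:00:04 10.0.0.5:443 -> 198.51.100.7:55000 udp 300",
]

if __name__ == "__main__":
    for peer, (i, o, factor) in find_amplified_peers(SAMPLE_FLOWS, "10.0.0.5"):
        print(f"{peer[0]}:{peer[1]} in={i}B out={o}B factor={factor}x")
```

On the constructed sample the victim address comes out at 35.0x while the legitimate client is about 1.15x, so a threshold around 10x separates the two cleanly; in practice the same aggregation can be run over NetFlow or firewall logs from the ADC's uplink.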
Citrix confirms problem
This morning, following several reports, Citrix also confirmed the problem and promised to release a fix after the winter break, in mid-January 2020.
The company said it saw the DDoS attack vector being abused against “a small number of customers worldwide”.
The problem is considered dangerous for IT administrators not because of the security of their devices, but because of the costs and uptime issues it causes.
When attackers abuse a Citrix ADC device as a reflector, they can exhaust its upstream bandwidth, creating additional costs and blocking legitimate ADC traffic.
Until Citrix releases its fix, two temporary workarounds have emerged.
The first is to disable the Citrix ADC DTLS interface if it is not used.
If you are affected by this attack, you can disable DTLS to stop it. Disabling the DTLS protocol will lead to limited performance degradation, a brief freeze and a fallback.
Run the following CLI command on the Citrix ADC:
set vpn vserver <vserver-name> -dtls OFF https://t.co/Tpdnp8k9y3 – Thorsten E. (@endi24) December 24, 2020
If the DTLS interface is required, the recommended alternative is to force the device to verify incoming DTLS connections before responding, although this can degrade the device's performance.
If you are using Citrix ADC and have enabled DTLS / EDT (UDP via port 443), you may need to run this command: “set ssl dtlsProfile nsdtls_default_profile -helloVerifyRequest ENABLED”. This will protect you from future UDP amplification attacks. #NetScaler #CitrixADC
– Anton van Pelt (@AntonvanPelt) December 21, 2020
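The reason the helloVerifyRequest setting helps is the DTLS cookie exchange from RFC 6347: instead of answering an unverified ClientHello with its whole first flight, the server first sends a small HelloVerifyRequest carrying a cookie bound to the claimed source address, and only a ClientHello that echoes a valid cookie gets the full reply. A sender using a spoofed address never receives the cookie, so the bytes reflected to the victim shrink to less than the request. The following Python model is an added example, not Citrix's implementation: it is a toy server with the setting on and off, with constructed message sizes (the 60-byte ClientHello and 2100-byte first flight are illustrative, chosen to reproduce the 35x ratio from the article), and it computes the bytes sent to an unverified source in each mode alongside the cost to a legitimate client.

```python
"""
Toy model of the DTLS cookie exchange (RFC 6347 HelloVerifyRequest) that the
-helloVerifyRequest ENABLED setting turns on. Added example; simplified and
not Citrix's code. Message sizes are constructed, not measured.
"""
import hashlib
import hmac
import os

# Constructed sizes (bytes), roughly representative of DTLS handshake flights.
CLIENT_HELLO_BYTES = 60
HELLO_VERIFY_REQUEST_BYTES = 48
SERVER_FIRST_FLIGHT_BYTES = 2100  # ServerHello + Certificate + ... (constructed)


class DtlsServer:
    def __init__(self, hello_verify_request):
        self.hello_verify_request = hello_verify_request
        self.secret = os.urandom(32)  # server-side cookie key, never sent

    def _cookie(self, client_addr):
        # Cookie is an HMAC over the claimed address: stateless and cheap to
        # check, and only deliverable to a host that really owns that address.
        data = f"{client_addr[0]}:{client_addr[1]}".encode()
        return hmac.new(self.secret, data, hashlib.sha256).digest()[:16]

    def cookie_for(self, client_addr):
        """What a real client at client_addr would receive and echo back."""
        return self._cookie(client_addr)

    def handle_client_hello(self, client_addr, cookie=b""):
        """Return (message_type, bytes_sent_to_client_addr) for one ClientHello."""
        if not self.hello_verify_request:
            # Setting disabled: full flight goes to whatever address was claimed.
            return "ServerHello+Certificate", SERVER_FIRST_FLIGHT_BYTES
        if cookie and hmac.compare_digest(cookie, self._cookie(client_addr)):
            return "ServerHello+Certificate", SERVER_FIRST_FLIGHT_BYTES
        # Unverified source: reply only with the small HelloVerifyRequest.
        return "HelloVerifyRequest", HELLO_VERIFY_REQUEST_BYTES


def amplification_to_unverified_source(server):
    """Bytes out / bytes in for one ClientHello from a source that cannot
    complete the cookie round trip (i.e. a spoofed victim address)."""
    _, sent = server.handle_client_hello(("203.0.113.9", 40001))
    return round(sent / CLIENT_HELLO_BYTES, 2)


def legitimate_handshake_bytes(server, addr=("198.51.100.7", 55000)):
    """Total bytes the server sends to a real client that can echo the cookie."""
    msg, sent = server.handle_client_hello(addr)
    total = sent
    if msg == "HelloVerifyRequest":
        # The real client actually received the cookie and retries with it.
        _, sent = server.handle_client_hello(addr, server.cookie_for(addr))
        total += sent
    return total


if __name__ == "__main__":
    for enabled in (False, True):
        s = DtlsServer(hello_verify_request=enabled)
        print(f"helloVerifyRequest={'ENABLED' if enabled else 'DISABLED'}: "
              f"amplification to spoofed source = "
              f"{amplification_to_unverified_source(s)}x, "
              f"legitimate handshake bytes = {legitimate_handshake_bytes(s)}")
```

With the setting disabled the model reflects 35x to the spoofed address; with it enabled the reply to an unverified source is smaller than the request (0.8x in this model), and a legitimate client pays only one extra small round trip. That extra round trip and cookie check is the performance cost the article and the tweet above refer to.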
In fact, the vast majority of deployments will become unstable with this. To be safe until January, it is best to block UDP.
– Thorsten Rood (@ThorstenRood) December 22, 2020