Citrix Updates ADC Products to Help Block DDoS AttacksCompany Says Enhancement Will Block Attackers From Abusing DTLS
Citrix is urging customers to implement a newly provided enhancement to its ADC and Gateway devices that is designed to block attackers from abusing the Datagram Transport Layer Security, or DTLS, protocol to amplify distributed denial-of-service attacks.
In December 2020, security researchers warned attackers had started to abuse the protocol in the Citrix devices to amplify DDoS attacks (see: Citrix Warns Its ADC Products Are Being Used in DDoS Attacks).
When the amplified DDoS attacks were first disclosed, Citrix noted that these attacks affected a "limited" number of customers. And while there is no known vulnerability at this point, the company is still working on a permanent fix for its ADC and Gateway products that won't be available until later this month, according to a company alert.
The abuse of the Citrix ADC and Gateway products to amplify DDoS attacks was first noticed in December 2020 by independent security researchers as well as Marco Hofmann, an IT administrator for the German software firm ANAXCO GmbH. He found the attack targeting port UDP:443, which is used by Citrix products.
Other security researchers also noticed similar patterns starting around Dec. 21.
The security issue that the researchers found appears to affect the DTLS protocol used with these Citrix products. DTLS - a communication protocol based on the Transport Layer Security, or TLS, protocol - is designed to ensure that applications can communicate with one another without third parties eavesdropping on those communications or intercepting messages.
In most cases, DTLS uses the User Datagram Protocol, and threat actors are known to use this to spoof the IP packet datagram address, which can then quickly overwhelm the network with junk internet traffic and amplify a DDoS attack, according to a warning previously issued by the Cybersecurity and Infrastructure Security Agency.
The Citrix enhancements adds a "HelloVerifyRequest" setting in each profile that should block attackers from abusing the protocol, according to the company alert.
Citrix customers that don't use the DTLS protocol are not at risk. So they do not need to enable the enhancement or they can disable DTLS, which also stops the amplification attacks, according to the alert.
The enhancement is now available for these Citrix products:
- Citrix ADC and Citrix Gateway 13.0-71.44 and later releases;
- NetScaler ADC and NetScaler Gateway 12.1-60.19 and later releases;
- NetScaler ADC and NetScaler Gateway 11.1-65.16 and later releases.
Citrix recommends that customers who believe they have been affected by these amplified DDoS attacks check their products for unusual traffic patterns.
"To determine if a Citrix ADC or Citrix Gateway is being targeted by this attack, monitor the outbound traffic volume for any significant anomaly or spikes," Citrix says.
Government agencies and security researchers have warned over the last six months that DDoS attacks are becoming more powerful due to amplification techniques.
In July, the FBI warned that it had seen a steady increase in the number of DDoS attacks affecting U.S. organizations (see: FBI Alert Warns of Increase in Disruptive DDoS Attacks).
The FBI warned threat actors had been attempting to use built-in network protocols, which are designed to reduce overhead and operational costs, to conduct larger and more destructive DDoS attacks. This technique helps amplify the attack without using as many resources but can also create a much more disruptive cyberthreat.
CISA also issued a warning about DDoS attacks in September in response to an incident in August in which the New Zealand Stock Exchange was disrupted by a DDoS attack that stopped trading for several days (see: CISA Warns of Increased DDoS Attacks ).