Citrix Systems Abused for DDoS Attacks
A new amplification vector abusing Datagram Transport Layer Security (DTLS) on Citrix ADC systems exhausts their outbound bandwidth and can result in outages.
DDoS attacks against Citrix Application Delivery Controller (ADC) systems with Enlightened Data Transport (EDT) enabled have been increasing worldwide since late December 2020. The Link11 Security Operation Centre detected this new vector immediately via its global network and AI-based mitigation technology. Thus, Link11 continues to guarantee 100 per cent protection for all customers behind the Link11 protection platform.
Citrix systems are an integral part of today's corporate IT infrastructures, giving employees access to corporate networks when working remotely. EDT is used to improve the performance of those applications and services.
Warning: New Amplification Vector DTLS
To use EDT, the Datagram Transport Layer Security (DTLS) protocol must be enabled on UDP port 443. DTLS was developed so that encrypted data can be carried not only over connection-oriented transport protocols such as TCP, where TLS is used, but also over connectionless UDP. The drawback is that, as with every UDP-based protocol, the source address of a request can be spoofed, and the reply packets can be significantly larger than the request: an attacker sends small DTLS requests with the victim's address as the source, and the ADC sends its much larger replies to the victim. Initial analyses put the amplification factor for DTLS at around 35. By comparison, DNS amplification yields a factor of between 28 and 54, and WS-Discovery between 10 and 500.
As a result of such attacks, the outgoing bandwidth of the ADC may be exhausted, and the availability of the applications behind it may be limited.
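The spoofing and size asymmetry described above, and the standard countermeasure, as an added example that is not part of the Link11 post or of Citrix's code: DTLS (RFC 6347, section 4.2.1) lets a server answer an unverified ClientHello with a small HelloVerifyRequest carrying a stateless cookie, and send its large ServerHello/Certificate flight only once that cookie comes back from the claimed address. This is the mechanism Citrix's feature enhancement adds to the ADC's DTLS profile (the HelloVerifyRequest setting). The Python below models both server behaviours; all message sizes, addresses and function names are constructed for the example, and the 35x figure falls out of the chosen sizes rather than from any measurement.

```python
"""DTLS reflection with and without the RFC 6347 HelloVerifyRequest cookie.

Added example; it is not Citrix or Link11 code. Message sizes are constructed
round numbers (a small ClientHello versus a server flight carrying ServerHello,
Certificate and ServerHelloDone) chosen to make the ratio visible.
"""
import hashlib
import hmac
import os

CLIENT_HELLO = 120            # constructed size of the attacker's request, bytes
SERVER_FLIGHT = 4200          # constructed size of the full server reply, bytes
HELLO_VERIFY_REQUEST = 60     # constructed size of the cookie challenge, bytes

COOKIE_SECRET = os.urandom(32)  # server-side secret; rotate it periodically in practice


def make_cookie(src_addr: str, client_random: bytes) -> bytes:
    """Stateless cookie: HMAC over the claimed source address and the ClientHello
    random. The server keeps no per-client state until the sender proves it can
    actually receive traffic at that address."""
    msg = src_addr.encode() + client_random
    return hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()


def server_without_cookie(src_addr, client_random, cookie):
    """Vulnerable behaviour: every ClientHello gets the full flight, whoever the
    source address belongs to. Returns (message, size, cookie_for_peer)."""
    return "ServerHello+Certificate", SERVER_FLIGHT, None


def server_with_cookie(src_addr, client_random, cookie):
    """Hardened behaviour: until the peer echoes a valid cookie, reply only with
    a HelloVerifyRequest that is smaller than the request itself."""
    expected = make_cookie(src_addr, client_random)
    if cookie is None or not hmac.compare_digest(cookie, expected):
        return "HelloVerifyRequest", HELLO_VERIFY_REQUEST, expected
    return "ServerHello+Certificate", SERVER_FLIGHT, None


def spoofed_probe(server, victim_addr: str) -> float:
    """Attacker sends one ClientHello with the victim's address as source and
    returns bytes delivered to the victim per byte the attacker sent. The reply,
    cookie included, goes to the victim, so the attacker cannot do a second round."""
    _msg, size, _cookie = server(victim_addr, os.urandom(32), None)
    return size / CLIENT_HELLO


def legitimate_handshake(server, client_addr: str) -> list:
    """A genuine client receives the HelloVerifyRequest at its own address and
    retries with the cookie. Returns the transcript as (direction, message)."""
    client_random = os.urandom(32)
    transcript = [("client->server", "ClientHello")]
    msg, _size, cookie = server(client_addr, client_random, None)
    transcript.append(("server->client", msg))
    if msg == "HelloVerifyRequest":
        transcript.append(("client->server", "ClientHello+cookie"))
        msg, _size, _ = server(client_addr, client_random, cookie)
        transcript.append(("server->client", msg))
    return transcript


if __name__ == "__main__":
    victim = "203.0.113.10"   # constructed, RFC 5737 documentation address
    print("amplification without cookie check: %.1fx" % spoofed_probe(server_without_cookie, victim))
    print("amplification with cookie check:    %.1fx" % spoofed_probe(server_with_cookie, victim))
    for direction, msg in legitimate_handshake(server_with_cookie, "198.51.100.7"):
        print("  %-15s %s" % (direction, msg))
```

With the cookie check the reflected reply is smaller than the request, so the ADC stops being a useful amplifier, while a real client pays only one extra round trip. The cookie is bound to the source address, so a cookie observed by one host cannot be replayed from a spoofed one.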
Amplification Attacks: Constantly Targeting New Vulnerabilities
Reflection amplification attacks first became widespread in 2013 and early 2014, using DNS and NTP. Since then, the spectrum of vectors has grown far wider. Currently, there are over 20 techniques, including Memcached reflection amplification and CLDAP. Attackers constantly identify new vulnerabilities, inadequately protected Internet services, and open services that can be misused for overload attacks. It is only a matter of time before cybercriminals discover the next long-established protocol that can be abused for DDoS attacks.
Suggested Action for Administrators
Citrix has released a feature enhancement at short notice that prevents DTLS from being misused as an amplification vector for DDoS attacks. Even so, the company recommends monitoring all network traffic for anomalies and peaks and, in particular, keeping an eye on the traffic volume originating from Citrix ADC systems. If an unpatched system is attacked on UDP port 443, DTLS can be temporarily disabled; note that this also disables EDT for sessions through that system, since EDT depends on DTLS. Detailed instructions are provided in the Citrix security alert "Threat Advisory - DTLS Amplification Distributed Denial of Service Attack on Citrix ADC and Citrix Gateway".
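One way to act on the monitoring advice above, as an added example that is not part of the Link11 post or of any Citrix tooling: aggregate flow records per remote address and flag peers that receive far more UDP/443 bytes from the ADC than they send to it. The flow lines, the ADC address, the thresholds and the function names are all constructed assumptions for the example; real input would come from NetFlow/IPFIX export or the ADC's own interface counters.

```python
"""Flag DTLS reflection in flow records exported from a Citrix ADC.

Added example, not code from Link11 or Citrix. The flow lines are constructed
(NetFlow-style CSV: ts,src,sport,dst,dport,proto,bytes); the ADC address and
the thresholds are assumptions chosen for the example.
"""
from collections import defaultdict

ADC_ADDR = "192.0.2.20"      # assumed ADC/Gateway VIP (RFC 5737 documentation range)
DTLS_PORT = 443
UDP = 17
RATIO_THRESHOLD = 10.0       # bytes out per byte in; real DTLS sessions sit near 1
MIN_OUT_BYTES = 1_000_000    # ignore small peers: a few kB of replies is not an attack

# Constructed flows: one normal session, one heavy but symmetric session,
# one spoofed peer hammering UDP/443 from several source ports, one TCP flow.
FLOWS = """\
1609459200,198.51.100.7,51234,192.0.2.20,443,17,1800
1609459200,192.0.2.20,443,198.51.100.7,51234,17,4100
1609459205,198.51.100.7,51234,192.0.2.20,443,17,96000
1609459205,192.0.2.20,443,198.51.100.7,51234,17,88000
1609459210,203.0.113.11,52000,192.0.2.20,443,17,1500000
1609459210,192.0.2.20,443,203.0.113.11,52000,17,1700000
1609459211,203.0.113.10,40000,192.0.2.20,443,17,12000
1609459211,192.0.2.20,443,203.0.113.10,40000,17,420000
1609459211,203.0.113.10,40001,192.0.2.20,443,17,18000
1609459211,192.0.2.20,443,203.0.113.10,40001,17,630000
1609459212,203.0.113.10,40002,192.0.2.20,443,6,500
1609459212,192.0.2.20,443,203.0.113.10,40002,6,300000
"""


def dtls_byte_counts(flow_text, adc=ADC_ADDR, port=DTLS_PORT):
    """Sum UDP/<port> bytes into and out of the ADC per remote peer address.
    Aggregating by address rather than 5-tuple matters: a reflector sees the
    victim's address with many ephemeral source ports, so per-flow stats look
    harmless while the per-address total does not."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _ts, src, sport, dst, dport, proto, nbytes = line.split(",")
        if int(proto) != UDP:
            continue                      # TLS over TCP on 443 is a different service
        if dst == adc and int(dport) == port:
            counts[src]["in"] += int(nbytes)
        elif src == adc and int(sport) == port:
            counts[dst]["out"] += int(nbytes)
    return counts


def amplification_alerts(flow_text, ratio_threshold=RATIO_THRESHOLD, min_out=MIN_OUT_BYTES):
    """Return peers that receive far more DTLS bytes from the ADC than they send,
    sorted by outbound volume. Those peers are the likely victims, and the sum of
    their 'out' bytes is the bandwidth the ADC is burning on the attacker's behalf."""
    alerts = []
    for peer, c in dtls_byte_counts(flow_text).items():
        ratio = c["out"] / c["in"] if c["in"] else float("inf")
        if c["out"] >= min_out and ratio >= ratio_threshold:
            alerts.append({"peer": peer, "in": c["in"], "out": c["out"], "ratio": ratio})
    alerts.sort(key=lambda a: a["out"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in amplification_alerts(FLOWS):
        print("likely reflection victim %s: %d B in, %d B out, %.1fx"
              % (a["peer"], a["in"], a["out"], a["ratio"]))
```

The two thresholds work together: the ratio separates reflection from ordinary sessions, which are roughly symmetric even when large, and the byte floor keeps a single scanner's probe from paging anyone. The same pass also gives the total outbound UDP/443 volume, which is the figure to watch against the link capacity of the ADC.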
In addition, Link11 advises checking whether the DDoS protection solution in use is capable of detecting new, previously unknown attack vectors and mitigating them within seconds. If no DDoS protection solution has been implemented yet, there is an immediate need for action given the current DDoS threat situation.