Citrix Systems Abused for DDoS Attacks
A new amplification vector based on Datagram Transport Layer Security (DTLS) targets Citrix ADC systems and causes outbound bandwidth exhaustion that can result in outages.
DDoS attacks against Citrix Application Delivery Controller (ADC) systems with Enlightened Data Transport (EDT) enabled have been increasing worldwide since late December 2020. The Link11 Security Operation Centre detected this new vector immediately via its global network and AI-based mitigation technology. Thus, Link11 continues to guarantee 100 per cent protection for all customers behind the Link11 protection platform.
Citrix systems are an integral part of today's corporate IT infrastructures, giving employees remote access to corporate networks. EDT is used to improve the performance of the applications and services delivered this way.
Warning from New Amplification Vector DTLS
To use EDT, the Datagram Transport Layer Security (DTLS) protocol on UDP port 443 must be enabled. DTLS was developed to allow encrypted data to be transmitted not only over secured, connection-oriented transport protocols such as TCP, but also over connectionless UDP. The disadvantage is that DTLS, like all UDP-based protocols, can be spoofed, and that the reply packets can be significantly larger than the requests. Initial analyses assume an amplification factor of 35 for DTLS attacks. In comparison, the amplification factor for DNS amplification is between 28 and 54, and for the amplification vector WS-Discovery between 10 and 500.
As a result of the attacks, outgoing bandwidths may be exhausted, and the availability of ADC applications may be limited.
Amplification Attacks: Constantly Targeting New Vulnerabilities
The first reflection amplification vectors appeared in 2013 and involved DNS and NTP. Since then, the spectrum of vectors has become far greater. Currently, there are over 20 techniques, including Memcached reflection amplification and CLDAP. Attackers constantly identify new vulnerabilities, inadequately protected Internet services, and open services that can be misused for overload attacks. It is only a matter of time before cybercriminals discover that the next long-established protocol can be misused for DDoS attacks.
Suggested Action for Administrators
On short notice, Citrix has released a feature enhancement with which DTLS can no longer be misused as an amplification vector for DDoS attacks. Even so, the company recommends monitoring all network traffic for anomalies and peaks and, in particular, keeping an eye on the network volume originating from Citrix ADC systems. If an unpatched system is attacked on UDP port 443, DTLS can be temporarily deactivated. Detailed instructions are provided in the Citrix security alert "Threat Advisory - DTLS Amplification Distributed Denial of Service Attack on Citrix ADC and Citrix Gateway".
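As an added example (not from the original advisory and not Citrix's or Link11's own tooling), the following Python script applies the monitoring advice above to constructed NetFlow-style records: it sums UDP/443 bytes into and out of an assumed Citrix ADC address per remote peer and flags peers that receive many times more bytes from the ADC than they sent to it, which is what reflected DTLS traffic looks like from the ADC's side. The ADC address, peer addresses and byte counts are constructed placeholders; the default thresholds are assumptions to tune per environment.

```python
from collections import defaultdict

# Constructed NetFlow-style records (not real traffic), one per line:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    # Spoofed DTLS requests arriving at the ADC, "from" the victim address
    ("198.51.100.7", 40001, "203.0.113.10", 443, "udp", 600),
    ("198.51.100.7", 40002, "203.0.113.10", 443, "udp", 600),
    # Amplified DTLS replies leaving the ADC towards the victim
    ("203.0.113.10", 443, "198.51.100.7", 40001, "udp", 21000),
    ("203.0.113.10", 443, "198.51.100.7", 40002, "udp", 21000),
    # Normal EDT session: reply volume roughly matches request volume
    ("192.0.2.5", 50010, "203.0.113.10", 443, "udp", 3000),
    ("203.0.113.10", 443, "192.0.2.5", 50010, "udp", 4500),
    # TCP/443 is not DTLS and is ignored by the check
    ("192.0.2.9", 51000, "203.0.113.10", 443, "tcp", 800),
    ("203.0.113.10", 443, "192.0.2.9", 51000, "tcp", 90000),
]

ADC_HOSTS = {"203.0.113.10"}  # assumed address of the Citrix ADC (placeholder)


def udp443_volume_by_peer(flows, adc_hosts):
    """Sum UDP/443 bytes per (adc, peer): [bytes into ADC, bytes out of ADC]."""
    totals = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dst in adc_hosts and dport == 443:      # request towards the ADC
            totals[(dst, src)][0] += nbytes
        elif src in adc_hosts and sport == 443:    # reply from the ADC
            totals[(src, dst)][1] += nbytes
    return totals


def flag_amplification(flows, adc_hosts, min_ratio=10.0, min_out_bytes=10_000):
    """Flag peers receiving far more DTLS bytes from the ADC than they sent.

    A legitimate EDT session is roughly symmetric; a reflected attack shows
    the ADC pushing many times more bytes to the (spoofed) peer address.
    """
    alerts = []
    for (adc, peer), (in_b, out_b) in udp443_volume_by_peer(flows, adc_hosts).items():
        ratio = out_b / in_b if in_b else float("inf")
        if out_b >= min_out_bytes and ratio >= min_ratio:
            alerts.append({"adc": adc, "peer": peer, "in_bytes": in_b,
                           "out_bytes": out_b, "ratio": round(ratio, 1)})
    return alerts
```

On the constructed sample the victim peer is reported with a ratio of 35.0, matching the amplification factor quoted above, while the symmetric EDT session and the TCP flows are not flagged.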
In addition, Link11 advises checking whether the DDoS protection solution in use is generally capable of detecting new, previously unknown attack vectors and mitigating them within a few seconds. If no DDoS protection solution has been implemented yet, the current DDoS threat situation makes immediate action necessary.
Contact our cyber security experts today for consultation on your company's protection needs.