Citrix Systems Abused for DDoS Attacks

  • Fabian Sinner
  • January 5, 2021

Table of content

    Citrix Systems Abused for DDoS Attacks

    New Amplification Vector Datagram Transport Layer Security (DTLS) targets Citrix ADC systems to cause outbound bandwidth exhaustion that can result in potential outages.

    DDoS attacks against Citrix Application Delivery Controller (ADC) systems with Enlightened Data Transport (EDT) enabled have been increasing worldwide since late December 2020. The Link11 Security Operation Centre detected this new vector immediately via its global network and AI-based mitigation technology. Thus, Link11 continues to guarantee 100 per cent protection for all customers behind the Link11 protection platform.

    Citrix systems are an integral part of today’s corporate IT infrastructures, providing employees with access to corporate networks from remote working. ETD is used to improve the performance of the applications and services.

    Warning from New Amplification Vector DTLS

    For using EDT, the Datagram Transport Layer Security (DTLS) protocol (port 443) must be enabled. DTLS was developed to allow the transmission of encrypted data not only via secured, connection-oriented transport protocols such as TCP, but also via the connectionless UDP. It turns out to be a disadvantage that DTLS, like all UDP-based protocols, can be spoofed and that the reply packages can be significantly larger than the requests. Initial analyses assume an amplification factor of 35 for DTLS attacks. In comparison, the amplification factor for DNS amplification is between 28 and 54, and for amplification vector WS Discovery between 10 and 500.

    As a result of the attacks, outgoing bandwidths may be exhausted, and the availability of ADC applications may be limited.

    Amplification Attacks: Constantly Targeting New Vulnerabilities

    The first reflection amplification vectors occurred in 2013 and involved DNS and NTP. Since then, the spectrum of vectors has become far greater. Currently, there are over 20 techniques, including Memcached Reflection Amplification and CLDAP. Attackers constantly identify new vulnerabilities, inadequately protected Internet services, and open services that can be misused for overload attacks. It is only a matter of time before cybercriminals discover the next long-established protocol for DDoS attacks.

    Suggested Action for Administrators

    At short notice, Citrix has released a feature enhancement, with which DTLS can no longer be misused as an amplification vector for DDoS attacks. Despite this, the company recommends monitoring all network traffic for anomalies and peaks and, in particular, keeping an eye on the network volume originating from Citrix ADC systems. In case of an attack on UDP port 443 in unpatched systems, DTLS can be temporarily deactivated. Detailed instructions are provided in the Citrix security alert “Threat Advisory – DTLS Amplification Distributed Denial of Service Attack on Citrix ADC and Citrix Gateway”.

    In addition, Link11 advises to check whether the DDoS protection solution used is in general capable of detecting new, previously unknown attack vectors and mitigating them within a few seconds. If no DDoS protection solution has been implemented yet, there is an immediate need for action due to the current DDoS threat situation.

    Contact our cyber security experts today for consultation on your company’s protection needs.

    Contact us now

    DDoS Attacks in the Second Quarter of 2019: Increasing Attack Bandwidths
    Infra/STRUCTURE – 04. – 05.10.2023 Toronto, Canada