
Citrix Addresses DDoS Vulnerability in its Devices

Beginning on December 19, Citrix customers experienced multiple amplified DDoS attacks on UDP/443 via Citrix application delivery controller (ADC) and Gateway devices. Citrix quickly discovered that these attacks were due to a vulnerability in the Datagram Transport Layer Security (DTLS) feature of those devices, which attackers used as an amplification vector. DTLS is a UDP-based variant of the Transport Layer Security (TLS) protocol, used to protect delay-sensitive apps and services against eavesdropping and tampering.

On December 23, Citrix support reported the following:

“Citrix is aware of a DDoS attack pattern impacting Citrix ADC and Citrix Gateway. As part of this attack, an attacker or bots can overwhelm the Citrix ADC DTLS network throughput, potentially leading to outbound bandwidth exhaustion. The effect of this attack appears to be more prominent on connections with limited bandwidth.”

These DDoS attacks create two types of victims: 1) the organizations who are directly targeted by the DDoS attack, and 2) the corporations who may have suffered bandwidth exhaustion because they have Citrix ADC devices that were used as reflectors/amplifiers. On December 24, ZDNet reported, “While details about the attackers are still unknown, victims of these Citrix-based DDoS attacks mostly included online gaming services, such as Steam and Xbox, sources have told ZDNet earlier today.”
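The second kind of victim described above, an ADC whose DTLS service is answering spoofed requests, shows up in flow data as a lopsided UDP/443 byte ratio: very little inbound from a peer, a great deal outbound to it. The following Python is an added example (not Corero's, Citrix's or the post's own code) that scores constructed NetFlow-style records for that signature; the ADC address, peer addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX-style), constructed for this example."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "udp" or "tcp"
    bytes: int


# Constructed sample: 203.0.113.10 plays the Citrix ADC (DTLS on UDP/443); the rest are remote peers.
SAMPLE_FLOWS = [
    # A legitimate DTLS client: request and response of comparable size.
    Flow("198.51.100.20", 51000, "203.0.113.10", 443, "udp", 1_200),
    Flow("203.0.113.10", 443, "198.51.100.20", 51000, "udp", 1_900),
    # A spoofed "victim" address: a tiny inbound datagram, large repeated outbound responses.
    Flow("192.0.2.77", 443, "203.0.113.10", 443, "udp", 60),
    Flow("203.0.113.10", 443, "192.0.2.77", 443, "udp", 2_100),
    Flow("203.0.113.10", 443, "192.0.2.77", 443, "udp", 2_100),
    Flow("203.0.113.10", 443, "192.0.2.77", 443, "udp", 2_100),
    # TCP/443 is ignored: the DTLS vector is UDP only, and large TLS downloads are normal.
    Flow("198.51.100.21", 52000, "203.0.113.10", 443, "tcp", 300),
    Flow("203.0.113.10", 443, "198.51.100.21", 52000, "tcp", 50_000),
]


def dtls_reflection_report(flows, adc_ip, min_ratio=10.0, min_out_bytes=4_096):
    """Return {peer_ip: (in_bytes, out_bytes, ratio)} for peers whose outbound UDP/443
    traffic from the ADC dwarfs what they sent in. Thresholds are illustrative assumptions;
    tune them against the ADC's normal DTLS client population before alerting on them."""
    in_bytes, out_bytes = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_ip == adc_ip and f.dst_port == 443:
            in_bytes[f.src_ip] += f.bytes
        elif f.src_ip == adc_ip and f.src_port == 443:
            out_bytes[f.dst_ip] += f.bytes
    report = {}
    for peer, out in out_bytes.items():
        inbound = in_bytes.get(peer, 0)
        ratio = out / inbound if inbound else float("inf")  # responses with no request at all
        if out >= min_out_bytes and ratio >= min_ratio:
            report[peer] = (inbound, out, ratio)
    return report


def total_outbound_udp443(flows, adc_ip):
    """Total bytes the ADC sent on UDP/443; a sudden rise here is the outbound
    bandwidth exhaustion symptom Citrix described."""
    return sum(f.bytes for f in flows
               if f.proto == "udp" and f.src_ip == adc_ip and f.src_port == 443)


if __name__ == "__main__":
    for peer, (i, o, r) in dtls_reflection_report(SAMPLE_FLOWS, "203.0.113.10").items():
        print(f"{peer}: in={i} out={o} ratio={r:.1f}")
```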

Fortunately, Citrix promptly addressed this vulnerability; on January 4, the company’s support team issued a DTLS feature enhancement to its ADC (NetScaler) firmware which, when enabled, removes the susceptibility to this attack pattern. Although Citrix says the vulnerability affects a small number of organizations, it recommends that administrators keep their devices up to date (the feature enhancement can be downloaded here).

Protect your organization from other susceptible vectors

The exploitation of this Citrix vulnerability is another example that attackers continue to research new ways to conduct DDoS attacks, and that these attacks are increasing in sophistication. Kudos to Citrix: it is also an example of a new vector that was quickly addressed, like the Memcached vector in 2018, where the number of exploitable servers was quickly reduced to a level where it was of no value to DDoS attackers.

However, there are still plenty of other vectors openly available for cybercriminals to exploit when launching damaging DDoS attacks. Since threat actors are adept at finding, and eager to exploit, new vulnerabilities to launch further attacks, organizations must be prepared. Not all DDoS mitigation solutions are adept at handling fast-changing, multi-vector DDoS attacks: legacy solutions often fail to detect smaller attacks, or require human intervention, which introduces further delays in the time to mitigation. To immediately and effectively defend against attacks that leverage vulnerabilities, organizations must have automated, real-time DDoS protection in place.

Corero Network Security is a global leader in real-time, high-performance, automatic DDoS defense solutions. Corero’s industry-leading SmartWall and SecureWatch technology protects on-premise, cloud, virtual and hybrid environments with a scalable solution that delivers a more cost-effective economic model than ever before. For more on Corero’s flexible deployment models, click here. If you’d like to learn more, please contact us.