Last week, German systems administrator Marko Hoffman noticed that hackers have found a way to use Citrix ADC network equipment with EDT enabled to amplify DDoS attacks via DTLS. ZDNet, citing its own sources, writes that these attacks are mostly directed against gaming services such as Steam and Xbox.
Hoffman traced the attacks back to the Datagram Transport Layer Security (DTLS) protocol, which provides secure connections for datagram-based protocols. Alas, DTLS, like other UDP-based protocols, is susceptible to source-address spoofing, which means it can be used as a DDoS amplification vector: a hacker sends small DTLS packets to a DTLS-enabled device, and the device's much larger response is returned to the victim's address.
In the past, abusing DTLS let attackers amplify an attack 4-5 times, but Hoffman now writes that the DTLS implementation on the Citrix (NetScaler) Gateway gives far more impressive results, amplifying the attack 35 times, which makes this method one of the most effective today. …
Citrix representatives have already confirmed the existence of the problem and promised to release a fix, but only after the winter holidays, that is, in mid-January 2021. At the same time, the company assures that the problem affected only “a small number of customers around the world.”
Such abuse is likely to hurt costs and uptime rather than the security of client devices: when attackers exploit the problem, the device can eventually exhaust its upstream bandwidth, creating additional costs and blocking legitimate activity.
Until patches are available, it is recommended that you disable the Citrix ADC DTLS interface if it is not in use. If DTLS is required, it is recommended that you force the device to authenticate all incoming DTLS connections, although this may degrade performance.
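Operators who must keep DTLS enabled can at least watch for the reflection pattern the article describes: an address that receives far more bytes from the gateway than it ever sent to it. The following is an added detection example, not code from the article or from Citrix; it runs over constructed flow records, and the ADC address (203.0.113.10) and DTLS listener port (UDP/443) are assumptions.

```python
from collections import defaultdict

# Assumed listener for the ADC's DTLS/EDT service (assumption, not from the article).
ADC_IP = "203.0.113.10"
DTLS_PORT = 443

# Constructed flow records: (src, sport, dst, dport, proto, bytes).
# 198.51.100.7 is a "victim" address spoofed by the attacker: it sends almost
# nothing but receives large DTLS responses. 192.0.2.33 is a normal client.
FLOWS = [
    ("198.51.100.7", 40001, ADC_IP, DTLS_PORT, "udp", 120),
    ("198.51.100.7", 40002, ADC_IP, DTLS_PORT, "udp", 118),
    (ADC_IP, DTLS_PORT, "198.51.100.7", 40001, "udp", 4200),
    (ADC_IP, DTLS_PORT, "198.51.100.7", 40002, "udp", 4150),
    ("192.0.2.33", 51000, ADC_IP, DTLS_PORT, "udp", 900),
    (ADC_IP, DTLS_PORT, "192.0.2.33", 51000, "udp", 1800),
]


def amplification_by_peer(flows, adc_ip=ADC_IP, dtls_port=DTLS_PORT):
    """Return {peer_ip: (bytes_in, bytes_out, ratio)} for UDP traffic on the DTLS listener.

    bytes_in is what the peer sent to the gateway, bytes_out what the gateway
    sent back; ratio is the observed amplification factor for that peer."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dst == adc_ip and dport == dtls_port:
            inbound[src] += nbytes
        elif src == adc_ip and sport == dtls_port:
            outbound[dst] += nbytes
    result = {}
    for peer in set(inbound) | set(outbound):
        i, o = inbound[peer], outbound[peer]
        result[peer] = (i, o, o / i if i else float("inf"))
    return result


def suspected_reflection(flows, threshold=10.0, min_out_bytes=1000, **kw):
    """Peers whose response volume exceeds their request volume by `threshold`x.

    The article cites roughly 35x for the Citrix DTLS case; a legitimate
    handshake stays near a small single-digit ratio. min_out_bytes suppresses
    noise from tiny flows."""
    stats = amplification_by_peer(flows, **kw)
    return sorted(p for p, (i, o, r) in stats.items() if o >= min_out_bytes and r >= threshold)
```

Flagged peers are the addresses being hit, not the attacker, so the useful response is rate-limiting or dropping responses to them rather than blocking them as a source.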