The threat actors are using the Datagram Transport Layer Security (DTLS) protocol as an amplification vector in attacks against Citrix appliances with EDT enabled.
The DTLS protocol is a communications protocol for securing delay-sensitive apps and services that use datagram transport.
Datagram Transport Layer Security (DTLS) is a communications protocol that provides security for datagram-based applications by allowing them to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees.
Most of the victims of these attacks are in the gaming industry.
The attacks began last week, the systems administrator Marco Hofmann first detailed them.
“Since 19 December 2020 7pm CET we see a possible worldwide DDOS amplify attack against Citrix Gateway UDP:443 DTLS EDT services.” wrote Hofmann.
Hofmann determined the involvement of the DTLS protocol, which is spoofable allowing the amplification of malicious traffic of DDoS attacks.
The amplification factor DTLS-based DDoS attacks was known to be 4 or 5 times the original packet, but Hofmann discovered that the DTLS implementation on Citrix ADC devices allows attackers to achieve a 36 amplification factor.
“Citrix is aware of a DDoS attack pattern impacting Citrix ADCs. As part of this attack, an attacker or bots can overwhelm the Citrix ADC DTLS network throughput, potentially leading to outbound bandwidth exhaustion. The effect of this attack appears to be more prominent on connections with limited bandwidth.” reads the advisory published by Citrix. “At this time, the scope of attack is limited to a small number of customers around the world, and further, there are no known Citrix vulnerabilities associated with this event.”
Citrix plans to address the issue with the release of a security update in January 2020.
To mitigate these attacks admins could disable the Citrix ADC DTLS interface if not needed. In case the DTLS interface could not be disabled it is possible to force the device to authenticate incoming DTLS connections. This latter case could have an impact on the performance of the devices.
To disable DTLS on a ADC equipment admins could issue the following command from the command line interface:
set vpn vserver -dtls OFF
“Disabling the DTLS protocol may lead to limited performance degradation to real time applications using DTLS in your environment,” the company added.
“The extent of degradation depends on multiple variables. If your environment does not use DTLS, disabling the protocol temporarily will have no performance impact.”
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, DDoS)