Attackers abuse Citrix NetScaler devices to launch amplified DDoS attacks

Citrix has issued an emergency alert warning its customers about a security issue affecting its NetScaler Application Delivery Controller (ADC) devices that attackers are abusing to launch distributed denial-of-service (DDoS) attacks against other targets.

“An attacker or bot can overwhelm Citrix ADC [Datagram Transport Layer Security] network throughput, potentially leading to exhaustion of outbound bandwidth,” the company noted. “The effect of this attack seems to be most evident on connections with limited bandwidth.”

ADCs are purpose-built network appliances whose function is to improve the performance, security, and availability of applications delivered over the web to end users.

The desktop virtualization and networking service provider said it is monitoring the incident and continuing to investigate its impact on Citrix ADC, adding that “the attack is limited to a small number of customers worldwide.”

The problem came to light after multiple reports of an amplified DDoS attack over UDP/443 against Citrix (NetScaler) Gateway devices, observed since at least December 19, according to Marco Hofmann, an IT administrator at the German software company ANAXCO GmbH.

Citrix ADC DDoS attack

Datagram Transport Layer Security (DTLS) is an adaptation of the Transport Layer Security (TLS) protocol to datagram transports. Like TLS, it is designed to provide confidentiality, integrity and authentication for a communication channel, so that messages cannot be read, tampered with or forged by a third party.

Because DTLS runs over the connectionless User Datagram Protocol (UDP), there is no handshake at the transport layer that proves the sender owns its address: an attacker can send a datagram with an arbitrary, forged source IP address. DTLS itself defines a stateless cookie exchange (the HelloVerifyRequest of RFC 6347) for exactly this reason; whether and how a given implementation uses it determines how much data a single spoofed packet can elicit.

Therefore, when a Citrix ADC is flooded with DTLS packets whose source IP address has been forged to that of a victim, the appliance sends its responses to the victim rather than to the attacker. Because the responses are larger than the requests that triggered them, the traffic is amplified: the victim is saturated, and the ADC's own outbound bandwidth is exhausted at the same time, which is the DDoS condition Citrix describes.

Citrix NetScaler devices

Citrix is currently working on improving its DTLS handling to eliminate susceptibility to this attack, with a patch expected to be released on January 12, 2021.

To determine whether a Citrix ADC device is being used in the attack, Citrix recommends monitoring the volume of outbound traffic for anomalies or significant spikes; because the reflected responses leave the appliance, a reflector shows up as an unexplained rise in outbound UDP/443 traffic rather than in inbound load.
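The mechanism described above (forged source address, reply delivered to the victim, reply larger than the request) and the monitoring advice in the preceding paragraph can be turned into a simple check over flow records exported by the gateway. The Python below is an added example written for this article; it is not Citrix's tooling. The ADC address, the flow record layout, the sample records and the thresholds are all constructed assumptions, and a real deployment would feed it NetFlow/IPFIX data instead of the embedded list.

```python
"""Flag reflection/amplification abuse of a DTLS (UDP/443) listener from flow records.

Added example, not Citrix code. Field names, the ADC address and the sample
records below are assumptions chosen for illustration.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass

ADC_IP = "203.0.113.10"   # assumed public VIP of the ADC (RFC 5737 documentation range)
DTLS_PORT = 443


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds at which the flow was exported
    src: str
    dst: str
    sport: int
    dport: int
    proto: str     # "udp" or "tcp"
    bytes: int


def dtls_byte_ratios(flows, adc_ip=ADC_IP, port=DTLS_PORT):
    """Per remote peer: (bytes it sent to the DTLS listener, bytes the listener sent back)."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue                      # TCP/443 (HTTPS, ICA over TLS) is not DTLS
        if f.dst == adc_ip and f.dport == port:
            inbound[f.src] += f.bytes
        elif f.src == adc_ip and f.sport == port:
            outbound[f.dst] += f.bytes
    return {p: (inbound[p], outbound[p]) for p in set(inbound) | set(outbound)}


def suspected_reflection_victims(flows, min_ratio=5.0, min_out_bytes=100_000, **kw):
    """Peers that receive far more DTLS bytes than they send.

    The spoofed packets carry the victim's address as source, so from the ADC's
    vantage point the victim looks like a client that sends little and gets a lot.
    """
    victims = {}
    for peer, (i, o) in dtls_byte_ratios(flows, **kw).items():
        ratio = round(o / i, 1) if i else float("inf")
        if o >= min_out_bytes and ratio >= min_ratio:
            victims[peer] = ratio
    return victims


def outbound_rate_spikes(flows, window=60, factor=4.0, min_baseline=2,
                         adc_ip=ADC_IP, port=DTLS_PORT):
    """Outbound UDP/443 bytes per window; flag windows above factor x the median of
    earlier non-spike windows. Returns (window_start, bytes, multiple_of_baseline)."""
    per_window = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.src == adc_ip and f.sport == port:
            per_window[f.ts // window] += f.bytes
    spikes, baseline = [], []
    for w in sorted(per_window):
        b = per_window[w]
        if len(baseline) >= min_baseline:
            base = statistics.median(baseline)
            if base > 0 and b > factor * base:
                spikes.append((w * window, b, round(b / base, 1)))
                continue                  # keep the attack window out of the baseline
        baseline.append(b)
    return spikes


# Constructed sample: one legitimate Gateway user, one unrelated TCP flow, then a
# burst of spoofed DTLS requests "from" 192.0.2.77 and the amplified replies to it.
SAMPLE_FLOWS = [
    Flow(5,   "198.51.100.5", ADC_IP, 51234, 443, "udp", 1800),
    Flow(5,   ADC_IP, "198.51.100.5", 443, 51234, "udp", 2400),
    Flow(70,  "198.51.100.5", ADC_IP, 51234, 443, "udp", 3100),
    Flow(70,  ADC_IP, "198.51.100.5", 443, 51234, "udp", 2900),
    Flow(130, "198.51.100.5", ADC_IP, 51234, 443, "udp", 1500),
    Flow(130, ADC_IP, "198.51.100.5", 443, 51234, "udp", 2100),
    Flow(135, "198.51.100.9", ADC_IP, 40000, 443, "tcp", 50000),
    Flow(190, "192.0.2.77", ADC_IP, 20000, 443, "udp", 6000),
    Flow(190, ADC_IP, "192.0.2.77", 443, 20000, "udp", 240000),
]

if __name__ == "__main__":
    print("per-peer (in, out):", dtls_byte_ratios(SAMPLE_FLOWS))
    print("suspected victims:", suspected_reflection_victims(SAMPLE_FLOWS))
    print("outbound spikes:", outbound_rate_spikes(SAMPLE_FLOWS))
```

Both checks are needed in practice: the per-peer ratio identifies who is being hit and how strongly the ADC is amplifying, while the per-window outbound rate is what the bandwidth-exhaustion symptom in Citrix's alert looks like in monitoring data. Thresholds such as the 5:1 ratio and the 4x baseline are starting points, not measured values, and should be tuned against a site's normal DTLS usage.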

Customers affected by the attack, meanwhile, can disable DTLS while waiting for a permanent fix from Citrix by running the following command on the Citrix ADC, where <vserver_name> is the name of the affected VPN virtual server: set vpn vserver <vserver_name> -dtls OFF. Note that turning DTLS off also removes it for legitimate clients, which then fall back to TCP-based transport.