Citrix devices are being abused as DDoS attack vectors


Citrix says it’s working on a fix, expected next year.

Threat actors have discovered how to bounce and amplify junk web traffic against Citrix ADC networking equipment to launch DDoS attacks.

While details about the attackers are still unknown, victims of those Citrix-based DDoS attacks have mostly included online gaming services, like Steam and Xbox, sources have told earlier today.

The first of those attacks are detected last week and documented by German IT systems administrator Marco Hofmann.

Hofmann tracked the difficulty to the DTLS interface on Citrix ADC devices.
DTLS, or Datagram Transport Layer Security, is a more version of the TLS protocol implemented on the stream-friendly UDP transfer protocol, rather than the more reliable TCP.

Just like all UDP-based protocols, DTLS is spoofable and may be used as a DDoS amplification vector.

What this suggests is that attackers can send small DTLS packets to the DTLS-capable device and have the result returned during a repeatedly larger packet to a spoofed IP address (the DDoS attack victim).

How many times the first packet is enlarged determines the amplification factor of a selected protocol. For past DTLS-based DDoS attacks, the amplification factor was usually 4 or 5 times the first packet.

But, on Monday, Hofmann reported that the DTLS implementation on Citrix ADC devices appears to be yielding a whopping 35, making it one among the foremost potent DDoS amplification vectors.


Earlier today, after several reports, Citrix has also confirmed the issue and promised to release a fix after the winter holidays, in mid-January 2021.
The company said it’s seen the DDoS attack vector being abused against “a small number of consumers round the world.”

The issue is taken into account dangerous for IT administrators, for costs and uptime-related issues instead of the safety of their devices.

As attackers abuse a Citrix ADC device, they could find yourself exhausting its upstream bandwidth, creating additional costs and blocking legitimate activity from the ADC.
Until Citrix readies officials mitigations, two temporary fixes have emerged.

The first is to disable the Citrix ADC DTLS interface if not used.


Please enter your comment!
Please enter your name here