Threat Advisory – DTLS Amplification Distributed Denial of Service Attack on Citrix ADC and Citrix Gateway

Threat Information

Citrix is aware of a DDoS attack pattern impacting Citrix ADC and Citrix Gateway. As part of this attack, an attacker or bots can overwhelm the Citrix ADC DTLS network throughput, potentially leading to outbound bandwidth exhaustion. The effect of this attack appears to be more prominent on connections with limited bandwidth.

There are no known Citrix vulnerabilities associated with this event.

Citrix recommends administrators be cognizant of attack indicators, monitor their systems and keep their appliances up to date.

Attack Indicators

To determine if a Citrix ADC or Citrix Gateway is being targeted by this attack when DTLS is enabled, monitor the outbound traffic volume for any significant anomaly or spikes. Other symptoms include high CPU consumption, crashes or reboots, HA failover or flaps, VPN disconnection, unreachable interfaces, and unresponsive Citrix ADC or Citrix Gateway appliances.

Enhancements

Citrix has added a feature enhancement for DTLS which, when enabled, addresses the susceptibility to this attack pattern. The enhancement builds are available on the Citrix downloads page for the following versions:

  • Citrix ADC and Citrix Gateway 13.0-71.44 and later releases
  • NetScaler ADC and NetScaler Gateway 12.1-60.19 and later releases
  • Citrix ADC 12.1-FIPS 12.1-55.210 and later releases
  • NetScaler ADC and NetScaler Gateway 11.1-65.16 and later releases

Customers who do not use DTLS do not need to upgrade to the enhancement build. Instead, customers are recommended to disable DTLS by using the following ADC CLI command:

set vpn vserver <vpn_vserver_name> -dtls OFF

Customers using DTLS are recommended to upgrade to the enhancement build and enable “HelloVerifyRequest” in each DTLS profile by using the following ADC CLI instructions:

  • List all DTLS profiles by running the command:
    show dtlsProfile

  • For each DTLS profile, enable the “HelloVerifyRequest” setting by running the command:
    set dtlsProfile <dtls_Profile_Name> -HelloVerifyRequest ENABLED

  • Save the updated configuration by running the command:
    savec

  • To verify “Hello Verify Request” is enabled, run the command:
    show dtlsProfile

  • If DTLS was disabled based on a previous version of this advisory, re-enable the DTLS profile by running the following command:
    set vpn vserver <vpn_vserver_name> -dtls ON
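Why enabling HelloVerifyRequest removes the amplification: per RFC 6347, a DTLS server answers an unverified ClientHello with a small, stateless HelloVerifyRequest carrying a cookie bound to the client's source address, and only sends its large ServerHello/Certificate flight once the client echoes that cookie, so a ClientHello with a forged source elicits almost nothing toward the forged address. The following Python model is an added illustration, not Citrix code; the message sizes, addresses and the 20-byte cookie length are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

COOKIE_SECRET = os.urandom(32)  # server-side secret; real servers rotate it periodically

# Constructed sizes (bytes) for the illustration, not measured from any appliance.
CLIENT_HELLO_BYTES = 100    # a minimal ClientHello datagram
HVR_BYTES = 36              # HelloVerifyRequest carrying a 20-byte cookie
SERVER_FLIGHT_BYTES = 3000  # ServerHello + Certificate + ServerKeyExchange + ServerHelloDone

@dataclass
class ClientHello:
    src_ip: str
    src_port: int
    client_random: bytes
    cookie: bytes = b""  # empty on the first ClientHello

def make_cookie(src_ip, src_port, client_random):
    """Stateless cookie per RFC 6347 section 4.2.1: HMAC over client address and hello parameters."""
    msg = src_ip.encode() + struct.pack("!H", src_port) + client_random
    return hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:20]

def server_respond(hello, hello_verify_request):
    """Return (message name, bytes sent toward hello.src_ip) for one received ClientHello."""
    if hello_verify_request:
        expected = make_cookie(hello.src_ip, hello.src_port, hello.client_random)
        if not hmac.compare_digest(hello.cookie, expected):
            # Source not yet proven reachable: answer with a small stateless HelloVerifyRequest only.
            return "HelloVerifyRequest", HVR_BYTES
    # Cookie valid (or the check is disabled): send the full, much larger server flight.
    return "ServerHello flight", SERVER_FLIGHT_BYTES

def amplification_factor(hello, hello_verify_request):
    """Bytes the server sends toward hello.src_ip per byte of ClientHello received."""
    return server_respond(hello, hello_verify_request)[1] / CLIENT_HELLO_BYTES

if __name__ == "__main__":
    # Constructed: a ClientHello whose source address is forged to point at a victim.
    spoofed = ClientHello("198.51.100.7", 40000, os.urandom(32))
    print("HelloVerifyRequest DISABLED:", amplification_factor(spoofed, False), "x toward the victim")
    print("HelloVerifyRequest ENABLED: ", amplification_factor(spoofed, True), "x toward the victim")
    # A genuine client echoes the cookie it was given and then receives the full flight.
    genuine = ClientHello("192.0.2.5", 50000, b"\x01" * 32)
    genuine.cookie = make_cookie(genuine.src_ip, genuine.src_port, genuine.client_random)
    print("Genuine client with cookie:", server_respond(genuine, True)[0])
```

The model also shows why the cookie must be bound to the source address: a cookie obtained from one address is rejected when replayed from another, which is what keeps the check stateless yet resistant to forged sources.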

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp.

Disclaimer

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time.

Changelog

Date        Change
2020-12-23  Initial Publication
2021-01-04  Enhancements Released
2021-01-11  Enhancements Released in 12.1-FIPS
2021-05-06  Attack Indicators Updated
