Citrix Devices Are Being Abused As DDoS Attack Vectors

Threat actors have discovered a way to bounce and amplify junk web traffic against Citrix ADC networking equipment to launch DDoS attacks.

While details about the attackers are still unknown, victims of these Citrix-based DDoS attacks have mostly included online gaming services, such as Steam and Xbox, sources have told ZDNet earlier today.

The first of these attacks have been detected last week and documented by German IT systems administrator Marco Hofmann.

Hofmann tracked the issue to the DTLS interface on Citrix ADC devices.

DTLS, or Datagram Transport Layer Security, is a more version of the TLS protocol implemented on the stream-friendly UDP transfer protocol, rather than the more reliable TCP.

Just like all UDP-based protocols, DTLS is spoofable and can be used as a DDoS amplification vector.

What this means is that attackers can send small DTLS packets to the DTLS-capable device and have the result returned in a many times larger packet to a spoofed IP address (the DDoS attack victim).

How many times the original packet is enlarged determines the amplification factor of a specific protocol. For past DTLS-based DDoS attacks, the amplification factor was usually 4 or 5 times the original packet.

But, on Monday, Hofmann reported that the DTLS implementation on Citrix ADC devices appears to be yielding a whopping 35, making it one of the most potent DDoS amplification vectors.

Citrix confirms issue

Earlier today, after several reports, Citrix has also confirmed the issue and promised to release a fix after the winter holidays, in mid-January 2020.

The company said it's seen the DDoS attack vector being abused against "a small number of customers around the world."

The issue is considered dangerous for IT administrators, for costs and uptime-related issues rather than the security of their devices.

As attackers abuse a Citrix ADC device, they might end up exhausting its upstream bandwidth, creating additional costs and blocking legitimate activity from the ADC.

Until Citrix readies officials mitigations, two temporary fixes have emerged.

The first is to disable the Citrix ADC DTLS interface if not used. 

If the DTLS interface is needed, forcing the device to authenticate incoming DTLS connections is recommended, although it may degrade the device's performance as a result.