Posted on December 27, 2020 at 5:23 PM
Attackers are Abusing Citrix Devices To Launch DDoS Attacks
Desktop virtualization provider Citrix has announced that there is a security issue affecting the company’s NetScaler application delivery controller (ADC). According to the advisory, attackers are abusing the device to carry out distributed denial of service (DDoS) attacks against several targets.
The statement by the company revealed that an attacker may overwhelm the Citrix ADC network, which can lead to outbound bandwidth exhaustion.
Connections with limited bandwidth, however, appear to be hit harder by the attack, the company added.
ADCs are designed to improve the availability, security, and performance of applications delivered over the web to end users.
Citrix said it is monitoring the situation and investigating the impact on Citrix ADC. The firm also added that the attack does not affect all connections, as it is only limited to a small fraction of its clients and users around the world.
The company discovered the incident on December 19, when it observed multiple amplified DDoS attacks on UDP/443 against Citrix Gateway devices.
Although details about the hackers are not yet known, the targets of the attacks include online gaming services such as Xbox and Steam, according to a source close to the incident.
Hackers are overwhelming the DTLS network
Marco Hofmann, a German IT systems administrator, first observed the attack last week and traced the incidents to the DTLS interface on Citrix ADC devices.
DTLS is built on the Transport Layer Security (TLS) protocol, which provides secure communication that prevents message forgery, tampering, and eavesdropping.
Because DTLS runs over the connectionless UDP protocol, threat actors can easily spoof the datagrams they send by inserting a random source IP address.
When the attacker floods the Citrix ADC with DTLS packets whose source IP address has been forged to the victim’s IP address, the ADC’s replies are sent to the victim, which can oversaturate its bandwidth and create a DDoS situation.
But Citrix said it’s presently working on the issue to remove any vulnerability to the attack. The company said a patch is expected in January next year.
Cisco issued an advisory to help users find out whether an attacker is targeting their Citrix ADC equipment. According to the software giant, users should watch the outbound traffic volume of the server for any unusual spikes or anomalies.
Customers who have already been affected by the attack are advised to disable DTLS by running the command “set VPN vserver <vpn_vserver_name> -dtls OFF” on the Citrix ADC until a permanent fix is released by the company.
DTLS is the UDP-based, less reliable counterpart of the TLS protocol; TLS over the connection-oriented TCP protocol is more difficult to compromise or abuse.
Like other UDP-based protocols, DTLS is not immune to abuse: its source address can be spoofed, and it is used as a DDoS amplification vector.
This means threat actors can send large numbers of tiny DTLS packets to a DTLS-based device, which returns its larger responses to the spoofed IP address of the victim. The protocol’s amplification factor determines how much larger the response is than the request. In previous DTLS-based DDoS attacks, the amplification factor was generally about 5 times the size of the sent packet.
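The two signals described above, an unusual spike in outbound volume on UDP/443 and replies that are several times larger than the requests that triggered them, can be checked from flow records at the network edge. The script below is an added example written for this article; it is not code from the article, from Citrix, or from the advisory. It assumes NetFlow/IPFIX-style records have already been parsed into Flow objects, and every address, byte count and threshold in it is constructed for illustration.

```python
"""Detect DTLS (UDP/443) amplification abuse of an ADC from flow records.

Added example, not code from the article or from Citrix. It assumes the
edge router exports NetFlow/IPFIX-style records that have been parsed into
Flow objects; every address, byte count and threshold below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

ADC_IP = "203.0.113.10"          # constructed: the ADC's public address
DTLS_PORT = 443                  # Citrix Gateway DTLS listens on UDP/443
BASELINE_OUT_BYTES = 300_000     # constructed: normal outbound UDP/443 bytes per window
SPIKE_FACTOR = 5                 # alert when outbound volume exceeds 5x baseline
MIN_AMP_RATIO = 3.0              # flag peers whose replies are >= 3x their requests


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str                   # "udp" or "tcp"
    nbytes: int
    npkts: int


# Constructed records for one 60-second window. The two 192.0.2.x peers are
# spoofed victims: tiny requests, large replies. 198.51.100.20 is a genuine
# DTLS client, and 198.51.100.30 is an ordinary TCP/443 session that must be
# ignored even though its byte ratio looks lopsided.
SAMPLE_FLOWS = [
    Flow("192.0.2.50", ADC_IP, 40000, 443, "udp", 200_000, 2000),
    Flow(ADC_IP, "192.0.2.50", 443, 40000, "udp", 1_000_000, 2000),
    Flow("192.0.2.51", ADC_IP, 40001, 443, "udp", 150_000, 1500),
    Flow(ADC_IP, "192.0.2.51", 443, 40001, "udp", 750_000, 1500),
    Flow("198.51.100.20", ADC_IP, 51000, 443, "udp", 3_000, 12),
    Flow(ADC_IP, "198.51.100.20", 443, 51000, "udp", 3_200, 10),
    Flow("198.51.100.30", ADC_IP, 52000, 443, "tcp", 50_000, 60),
    Flow(ADC_IP, "198.51.100.30", 443, 52000, "tcp", 400_000, 300),
]


def udp443_stats(flows, adc_ip=ADC_IP):
    """Aggregate bytes and packets per remote peer for UDP/443 traffic to and from the ADC."""
    stats = defaultdict(lambda: {"in_bytes": 0, "in_pkts": 0, "out_bytes": 0, "out_pkts": 0})
    for f in flows:
        if f.proto != "udp":
            continue                              # TLS over TCP is not the abused path
        if f.dst == adc_ip and f.dport == DTLS_PORT:
            s = stats[f.src]                      # request arriving at the ADC
            s["in_bytes"] += f.nbytes
            s["in_pkts"] += f.npkts
        elif f.src == adc_ip and f.sport == DTLS_PORT:
            s = stats[f.dst]                      # reply leaving the ADC
            s["out_bytes"] += f.nbytes
            s["out_pkts"] += f.npkts
    return dict(stats)


def amplification_ratio(s):
    """Reply bytes divided by request bytes; a peer that only receives counts as infinite."""
    return s["out_bytes"] / s["in_bytes"] if s["in_bytes"] else float("inf")


def amplified_peers(stats, min_ratio=MIN_AMP_RATIO):
    """Peers whose replies exceed their requests by min_ratio or more.

    In a reflection attack these addresses are the spoofed victims, not the
    attacker: they are where the amplified traffic is being delivered.
    """
    return sorted(
        (peer, amplification_ratio(s))
        for peer, s in stats.items()
        if amplification_ratio(s) >= min_ratio
    )


def outbound_spike(stats, baseline=BASELINE_OUT_BYTES, factor=SPIKE_FACTOR):
    """Total outbound UDP/443 bytes in the window and whether it breaches the spike threshold."""
    total = sum(s["out_bytes"] for s in stats.values())
    return total, total > baseline * factor


def analyze(flows):
    """Run the outbound-volume check the advisory suggests plus a per-peer amplification check."""
    stats = udp443_stats(flows)
    total_out, spike = outbound_spike(stats)
    return {
        "total_out_bytes": total_out,
        "spike": spike,
        "likely_victims": amplified_peers(stats),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    print(f"outbound UDP/443 bytes this window: {result['total_out_bytes']}")
    print(f"spike above {SPIKE_FACTOR}x baseline: {result['spike']}")
    for peer, ratio in result["likely_victims"]:
        print(f"  amplified replies to {peer}: {ratio:.1f}x")
```

On the constructed window the script reports an outbound spike and flags both 192.0.2.x addresses with a 5.0x reply-to-request ratio, matching the amplification factor the article cites, while the genuine client and the TCP session are left alone. The flagged addresses are the parties being flooded, so the operational response is to rate-limit or stop DTLS replies towards them (or disable DTLS as advised) rather than to treat them as the source of the attack.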
ADC attack is very critical for administrators
The DDoS attack is considered very critical for IT administrators when it comes to uptime and overall cost rather than their devices’ security.
When attackers abuse the Citrix ADC device, they can exhaust its upstream bandwidth, which incurs extra costs and blocks legitimate traffic through the ADC.
After several reports emerged from security researchers about the issue, Citrix confirmed the report with a promise to issue a patch as soon as possible.
Citrix ADC has also advised users who are affected by the DDoS incident to quickly disable DTLS to prevent further harm to their systems. However, the company has warned that such action may result in a fallback, a short freeze, or limited performance degradation.
These are minor issues compared to the risk of exposing their systems to attackers, Citrix reiterated, adding that a fix in January will correct everything.
But Citrix has advised that the safest thing to do is to disable UDP completely until the January fix.