Citrix reported Thursday a DDoS attack was hitting its Citrix Application Delivery Controllers (ADCs), the networking products that let security and network teams manage the delivery speed and quality of applications to end users.
According to the Citrix threat advisory, the attacker or bots can overwhelm the Citrix ADC Datagram Transport Layer Security (DTLS) network throughput, potentially leading to outbound bandwidth exhaustion. Citrix said organizations with limited bandwidth appear to have a more difficult time with this attack.
As of early this morning, Citrix said the attack has been limited to a small number of customers around the world. The vendor also added that there are no known Citrix vulnerabilities associated with this event. Citrix said if the Citrix security response team discovers that a product becomes vulnerable to DDoS attacks because of a defect in Citrix software, information about the affected products will be published as a security bulletin.
Citrix recommends that security teams stay cognizant of attack indicators and monitor their systems. To determine if an ADC gets targeted by this attack, Citrix said security teams should monitor the outbound traffic volume for any significant anomaly or spikes.
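Citrix's guidance above to watch outbound traffic volume for anomalies or spikes, as an added example that is not Citrix's own code: a small Python detector over constructed NetFlow-style records that totals UDP/443 (DTLS) bytes per minute and flags minutes whose outbound volume jumps well above the recent baseline while the out/in byte ratio is lopsided. The flow format, field names and thresholds are assumptions.

```python
"""Flag outbound DTLS (UDP/443) bandwidth spikes from flow records.
Added example, not Citrix code. The CSV layout (minute bucket, protocol,
local port, direction, bytes), field names and thresholds are assumptions."""
from collections import defaultdict
import csv
import io
import statistics

# Constructed sample: eight minute buckets; outbound UDP/443 volume jumps at
# minute 6 while inbound stays small. TCP/443 rows are not DTLS and are ignored.
_rows = ["minute,proto,local_port,direction,bytes"]
for _m in range(8):
    _out = 210_000 if _m < 6 else 3_000_000
    _rows += [f"{_m},UDP,443,in,48000", f"{_m},UDP,443,out,{_out}",
              f"{_m},TCP,443,out,900000"]
SAMPLE_FLOWS = "\n".join(_rows) + "\n"

def dtls_bytes_per_minute(flow_csv):
    """Return {minute: (bytes_in, bytes_out)} for UDP/443 flows only."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] != "UDP" or int(row["local_port"]) != 443:
            continue
        idx = 1 if row["direction"] == "out" else 0
        totals[int(row["minute"])][idx] += int(row["bytes"])
    return {m: tuple(v) for m, v in sorted(totals.items())}

def find_spikes(per_minute, baseline_minutes=4, factor=5.0, min_ratio=10.0):
    """Flag minutes whose outbound DTLS bytes exceed `factor` times the median
    of the preceding `baseline_minutes` and whose out/in byte ratio exceeds
    `min_ratio` (little in, a lot out). Returns [(minute, bytes_out, ratio)]."""
    minutes = sorted(per_minute)
    alerts = []
    for i, m in enumerate(minutes):
        if i < baseline_minutes:
            continue  # not enough history to form a baseline yet
        window = [per_minute[x][1] for x in minutes[i - baseline_minutes:i]]
        baseline = statistics.median(window)
        bytes_in, bytes_out = per_minute[m]
        ratio = bytes_out / max(bytes_in, 1)
        if bytes_out > factor * baseline and ratio > min_ratio:
            alerts.append((m, bytes_out, round(ratio, 1)))
    return alerts

if __name__ == "__main__":
    for minute, out, ratio in find_spikes(dtls_bytes_per_minute(SAMPLE_FLOWS)):
        print(f"minute {minute}: {out} bytes out on UDP/443, out/in x{ratio}")
```

Feeding real flow exports from the ADC's upstream router into the same two functions gives a first-pass alert on the outbound bandwidth exhaustion the advisory describes; the thresholds need tuning against each environment's normal DTLS load.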
To remedy the situation, Citrix customers impacted by this attack can disable DTLS temporarily to stop an attack and eliminate the susceptibility to the attack. Disabling the DTLS protocol may lead to limited performance degradation to applications using DTLS in a customer’s environment. The extent of degradation depends on multiple variables. If the company’s environment does not use DTLS, disabling the protocol temporarily will have no performance impact.
John Hammond, senior security researcher at Huntress, said the recent threat advisory from Citrix for the DDoS attack impacting Citrix ADCs leaves security pros in a bind. Citrix said they will have an update to prevent this attack by January 12th, 2021, but Hammond pointed out this gives attackers a sizable window of opportunity.
“While a temporary hotfix to disable DTLS is available, it does create a momentary bump in traffic and may hinder performance,” Hammond said. “Network owners and security practitioners need to weigh the risk and make an appropriate decision in the context of their own environment. Unfortunately, this is another advisory in a long list of exposures where we try and play catch-up on software security. For security practitioners today, this boils down to the age-old, tried-and-tested basics: evaluate the risk, monitor the situation, stay vigilant and update when manufacturers release a patch.”
Jonathan Meyers, principal infrastructure engineer at Cybrary, added that initial reports show that if the customer had the ClientHelloVerify option turned on, it would have prevented this attack. However, Meyers said there are reports that a bug in some versions of the software – possibly a memory leak, as it takes a few hours to happen – has caused the server to crash when enabling this option.
“It’s important to note that this should have been on in the first place,” Meyers said. “At this point, it seems the only mitigation is to turn off DTLS and let it fall back to TLS (DTLS is essentially TLS over UDP). Additionally, don't forget the age-old technique of whitelisting IP addresses in your firewall or blacklisting large chunks of addresses, if your setup allows for it.”
According to BleepingComputer, reports of the attack started coming in on Dec. 21. Citrix customers reported an ongoing DDoS amplification attack over UDP/443 against Citrix (NetScaler) Gateway devices.