Firm Says Enhancement Will Block Attackers From Abusing DTLS

Citrix is urging customers to apply a newly released enhancement to its ADC and Gateway appliances that is designed to block attackers from abusing the Datagram Transport Layer Security, or DTLS, protocol to amplify distributed denial-of-service attacks.
In December, security researchers warned that attackers had started to abuse the protocol on Citrix appliances to amplify DDoS attacks (see: Citrix Warns Its ADC Products Are Being Used in DDoS Attacks).
When the amplified DDoS attacks were first disclosed, Citrix noted that they affected a "limited" number of customers. And while no vulnerability has been identified at this point, the company is still working on a permanent fix for its ADC and Gateway products that will not be available until later this month, according to a company alert.
The abuse of Citrix ADC and Gateway products to amplify DDoS attacks was first noticed in December by independent security researchers, among them Marco Hofmann, an IT administrator at the German software firm ANAXCO GmbH. He found the attack targeting UDP port 443, which Citrix products use for DTLS traffic.
Other security researchers noticed similar patterns starting around Dec. 21.
Enhancements
The security issue that the researchers found appears to affect the DTLS protocol used with these Citrix products. DTLS, a communication protocol based on Transport Layer Security, or TLS, is designed to let applications communicate without third parties eavesdropping on or tampering with those communications.
DTLS normally runs over the User Datagram Protocol, which is connectionless, so a threat actor can forge the source IP address of a datagram so that it carries a victim's address. The server's reply, which is far larger than the request that triggered it, is then sent to the victim rather than to the attacker, quickly overwhelming the victim's network with junk traffic and amplifying the DDoS attack, according to a warning previously issued by the Cybersecurity and Infrastructure Security Agency.
The Citrix enhancement adds a "HelloVerifyRequest" setting to each DTLS profile that should block attackers from abusing the protocol, according to the company alert. In DTLS, HelloVerifyRequest is the stateless cookie exchange in which the server answers an initial ClientHello with only a small message carrying a cookie, and sends its full handshake flight only once the client echoes that cookie back, proving it can receive traffic at the source address it claims.
Citrix customers that do not use DTLS are not at risk, so they do not need to enable the enhancement. Alternatively, customers can disable DTLS, which also stops the amplification attacks, according to the alert.
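To make the mechanism concrete, here is a toy Python model of the DTLS 1.2 cookie exchange that a HelloVerifyRequest setting turns on, and of its effect on the amplification factor. It is an added illustration, not code from Citrix or from the company alert: DTLS record framing is left out, the flight sizes are constants chosen for the example rather than measurements, and the cookie construction (an HMAC over the claimed source address and the ClientHello random) and the IP addresses are assumptions. The point it shows is that a spoofed ClientHello never earns the large ServerHello flight, because the cookie is delivered to the address the attacker forged rather than to the attacker.

```python
"""Toy model of the DTLS 1.2 cookie exchange (HelloVerifyRequest, RFC 6347
section 4.2.1) and why it removes the amplification.  This is an added
illustration, not Citrix code: DTLS record framing is omitted and flight
sizes are constants chosen for the example (assumptions, not measurements)."""
import hashlib
import hmac
import os

# Byte sizes used for the amplification arithmetic (assumed, not measured).
CLIENT_HELLO_LEN = 100     # one spoofed ClientHello datagram from the attacker
SERVER_FLIGHT_LEN = 3600   # ServerHello + Certificate + ServerKeyExchange + ServerHelloDone
HELLO_VERIFY_LEN = 60      # HelloVerifyRequest carrying a 32-byte cookie


class ToyDtlsServer:
    """Accepts ClientHello datagrams and decides how much to send back."""

    def __init__(self, hello_verify_request: bool):
        self.hello_verify_request = hello_verify_request
        # Server-side secret for stateless cookies; rotated in real deployments.
        self._secret = os.urandom(32)

    def _cookie(self, src_ip: str, src_port: int, client_random: bytes) -> bytes:
        # The cookie binds the claimed source address to this ClientHello, so
        # the server keeps no per-client state until the address is verified.
        msg = f"{src_ip}:{src_port}".encode() + client_random
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def handle_client_hello(self, src_ip, src_port, client_random, cookie=b""):
        """Return (message_name, bytes_sent_to_src, cookie_in_reply)."""
        if self.hello_verify_request:
            expected = self._cookie(src_ip, src_port, client_random)
            if not cookie or not hmac.compare_digest(cookie, expected):
                # Missing or wrong cookie: reply only with a small HelloVerifyRequest.
                return ("HelloVerifyRequest", HELLO_VERIFY_LEN, expected)
        # Address verified (or verification disabled): send the full flight.
        return ("ServerHello flight", SERVER_FLIGHT_LEN, None)


def amplification_factor(server: ToyDtlsServer, victim_ip="203.0.113.9", n=1000) -> float:
    """Bytes the server sends to the spoofed victim per byte the attacker sends.

    The attacker never receives the server's replies (they go to victim_ip),
    so it can never present a valid cookie and always sends cookie-less hellos.
    """
    bytes_to_victim = 0
    for _ in range(n):
        _, sent, _ = server.handle_client_hello(victim_ip, 443, os.urandom(32))
        bytes_to_victim += sent
    return round(bytes_to_victim / (n * CLIENT_HELLO_LEN), 2)


def legitimate_handshake(server: ToyDtlsServer, client_ip="198.51.100.7") -> str:
    """A real client at its true address completes the exchange in two round trips."""
    client_random = os.urandom(32)
    name, _, cookie = server.handle_client_hello(client_ip, 50000, client_random)
    if name == "HelloVerifyRequest":
        # The client really receives the cookie, so it can echo it back.  The
        # retransmitted ClientHello must reuse the same random for the cookie to match.
        name, _, _ = server.handle_client_hello(client_ip, 50000, client_random, cookie)
    return name


if __name__ == "__main__":
    print("amplification without HelloVerifyRequest:", amplification_factor(ToyDtlsServer(False)))
    print("amplification with HelloVerifyRequest:   ", amplification_factor(ToyDtlsServer(True)))
    print("legitimate client gets:", legitimate_handshake(ToyDtlsServer(True)))
```

With the assumed sizes, a server that answers every ClientHello with its full flight returns 36 bytes to the victim for every byte the attacker sends, while a server that insists on the cookie exchange returns 0.6 bytes, which is no longer an amplifier. The cost to a legitimate client is one extra round trip at handshake time.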
The enhancement is now available for these Citrix products:
- Citrix ADC and Citrix Gateway 13.0-71.44 and later releases;
- NetScaler ADC and NetScaler Gateway 12.1-60.19 and later releases;
- NetScaler ADC and NetScaler Gateway 11.1-65.16 and later releases.
Citrix recommends that customers who believe they have been affected by these amplified DDoS attacks check their appliances for unusual traffic patterns.
"To determine if a Citrix ADC or Citrix Gateway is being targeted by this attack, monitor the outbound traffic volume for any significant anomaly or spikes," Citrix says.
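As an added example (not a Citrix tool, and not from the alert), the following Python carries out the check Citrix describes over constructed NetFlow-style records for an appliance's UDP/443 listener: it baselines the appliance's outbound volume per minute, flags minutes that spike well above that baseline, and then ranks the peers seen in those minutes by out/in byte ratio. Because the appliance's replies go to the forged source address, the peer with the extreme ratio is the reflection victim, not the attacker. The record layout, thresholds and IP addresses are assumptions chosen for the example.

```python
"""Spike and amplification-ratio detection over constructed per-minute flow
records for an appliance's UDP/443 (DTLS) listener.  Added example, not a
Citrix tool; the record layout is an assumption modelled on NetFlow-style
summaries: (minute, direction, peer_ip, bytes) with 'out' = appliance -> peer."""
from collections import defaultdict
from statistics import median


def build_sample_records():
    """Constructed data: ten quiet minutes, then two minutes of reflection."""
    recs = []
    for minute in range(12):
        for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
            recs.append((minute, "in", ip, 5_000))    # normal client traffic
            recs.append((minute, "out", ip, 6_000))
    # Attack window: 500 spoofed 100-byte ClientHellos per minute carry the
    # victim's address as source, and each draws a ~3,600-byte flight back to it.
    victim = "203.0.113.9"
    for minute in (10, 11):
        recs.append((minute, "in", victim, 500 * 100))
        recs.append((minute, "out", victim, 500 * 3_600))
    return recs


def outbound_per_minute(records):
    """Total bytes the appliance sent out, keyed by minute."""
    series = defaultdict(int)
    for minute, direction, _, nbytes in records:
        if direction == "out":
            series[minute] += nbytes
    return dict(series)


def spike_minutes(series, baseline_minutes=10, factor=5.0):
    """Minutes whose outbound volume exceeds factor x the median of the baseline."""
    baseline = [series[m] for m in sorted(series) if m < baseline_minutes]
    threshold = factor * median(baseline)
    return sorted(m for m, v in series.items() if v > threshold)


def suspect_peers(records, minutes, min_ratio=10.0):
    """Peers that received far more from the appliance than they sent during
    the flagged minutes.  The 'in' bytes attributed to a reflection victim are
    really the attacker's spoofed requests, so the out/in ratio identifies the
    victim (the address the appliance is flooding), not the attacker."""
    sent_in, sent_out = defaultdict(int), defaultdict(int)
    for minute, direction, ip, nbytes in records:
        if minute in minutes:
            (sent_out if direction == "out" else sent_in)[ip] += nbytes
    suspects = []
    for ip in sent_out:
        ratio = sent_out[ip] / max(sent_in[ip], 1)
        if ratio >= min_ratio:
            suspects.append((ip, round(ratio, 1)))
    return sorted(suspects, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    recs = build_sample_records()
    flagged = spike_minutes(outbound_per_minute(recs))
    print("spike minutes:", flagged)
    print("likely reflection victims:", suspect_peers(recs, flagged))
```

On the constructed data, minutes 10 and 11 exceed five times the baseline median and the victim address shows a 36:1 out/in ratio, while ordinary clients sit near 1:1. In production the baseline should come from a longer window and be computed per listener, since a legitimate burst of new DTLS sessions also skews toward outbound bytes during the handshake.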
DDoS Amplification
Government agencies and security researchers have warned over the last six months that DDoS attacks are becoming more powerful as a result of amplification techniques.
In July, the FBI warned that it had seen a steady increase in the number of DDoS attacks affecting U.S. organizations (see: FBI Alert Warns of Increase in Disruptive DDoS Attacks).
The FBI warned that threat actors were attempting to abuse built-in network protocols, which are designed to reduce overhead and operational costs, to conduct larger and more damaging DDoS attacks. This approach amplifies an attack without requiring as many resources from the attacker, yet produces a far more disruptive threat.
CISA also issued a warning about DDoS attacks in September in response to an August incident in which the New Zealand Stock Exchange was disrupted by a DDoS attack that halted trading for several days (see: CISA Warns of Increased DDoS Attacks).