Threat Watch

Citrix ADC Servers Targeted in DDoS Attacks

Citrix released a report on December 23rd that details Distributed Denial of Service (DDoS) attacks against Citrix Application Delivery Controller (ADC) servers, which were reported by several companies and described by Bleeping Computer. According to the advisory, all ADC servers that have the “Enlightened Data Transport” (EDT) UDP protocol enabled are susceptible to the attack, which overwhelms the network throughput of the server’s Datagram Transport Layer Security (DTLS) service over UDP port 443. At present, Citrix does not believe that there is any security flaw that would allow unauthorized users to take control of the ADC servers; rather, aspects of the DTLS implementation allow for an amplification of network traffic, in which the attacker only has to send a small number of bytes over the network to cause the server to send a much larger reply. Citrix is working on an update to ADC servers that will remove the susceptibility to this type of attack.


Although the current attacks are only targeting a few Citrix customers, it is likely that attackers will easily expand targeting to more ADC servers until the update has been made available by Citrix and applied by ADC server administrators. In the meantime, the effects of this attack can be mitigated by disabling DTLS using the command line interface to issue the command: “set vpn vserver -dtls OFF”.
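Administrators who want to check whether an ADC is already being used this way can look for the byte asymmetry described above in their flow data. The following is an added example, not code from Citrix or the advisory; the CSV flow format, the thresholds, and the addresses (documentation ranges, with 192.0.2.10 standing in for the ADC) are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic), one per line:
# src_ip,src_port,dst_ip,dst_port,proto,bytes. 192.0.2.10 plays the ADC.
SAMPLE_FLOWS = """\
198.51.100.7,40112,192.0.2.10,443,udp,120
192.0.2.10,443,198.51.100.7,40112,udp,4300
203.0.113.5,51000,192.0.2.10,443,udp,9000
192.0.2.10,443,203.0.113.5,51000,udp,11000
198.51.100.7,40113,192.0.2.10,443,udp,80
192.0.2.10,443,198.51.100.7,40113,udp,2900
203.0.113.9,33000,192.0.2.10,443,tcp,500
192.0.2.10,443,203.0.113.9,33000,tcp,90000
"""

def dtls_amplification_suspects(flow_csv, adc_ip, min_ratio=10.0, min_out_bytes=1000):
    """Return {peer_ip: (bytes_in, bytes_out, ratio)} for UDP/443 peers whose
    replies from the ADC dwarf what they sent (thresholds are assumed values)."""
    bytes_in = defaultdict(int)    # peer -> bytes sent to the ADC on UDP/443
    bytes_out = defaultdict(int)   # peer -> bytes the ADC sent back from UDP/443
    for line in flow_csv.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6 or not fields[5].isdigit():
            continue  # skip malformed or header rows
        src, sport, dst, dport, proto, size = fields
        if proto.lower() != "udp":
            continue  # the DTLS service in question runs over UDP only
        if dst == adc_ip and dport == "443":
            bytes_in[src] += int(size)
        elif src == adc_ip and sport == "443":
            bytes_out[dst] += int(size)
    suspects = {}
    for peer, out in bytes_out.items():
        # A reply with no recorded request still counts; avoid divide-by-zero.
        ratio = out / max(bytes_in[peer], 1)
        if out >= min_out_bytes and ratio >= min_ratio:
            suspects[peer] = (bytes_in[peer], out, round(ratio, 1))
    return suspects

if __name__ == "__main__":
    hits = dtls_amplification_suspects(SAMPLE_FLOWS, "192.0.2.10")
    for peer, (b_in, b_out, ratio) in hits.items():
        print(f"{peer}: in={b_in}B out={b_out}B ratio={ratio}x")
```

Because amplification traffic relies on spoofed source addresses, a flagged peer is usually the party receiving the flood rather than the sender, so treat hits as evidence that the DTLS service is being abused.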

Bleeping Computer article: