Threat actors have found a way to bounce and amplify junk traffic off Citrix ADC network appliances in order to launch DDoS attacks.
Sources told ZDNet earlier today that, although details about the attackers are still unknown, the victims of these Citrix-based DDoS attacks have mainly been online gaming services such as Steam and Xbox.
The first of these attacks was detected last week and documented by Marco Hofmann, a German IT systems administrator.
Hofmann traced the issue to the DTLS interface on Citrix ADC devices.
DTLS (Datagram Transport Layer Security) is a variant of the TLS protocol implemented over the connectionless UDP transport rather than the more reliable TCP.
Because UDP has no handshake before data is exchanged, the source address of a UDP packet is trivial to forge, so any UDP service that replies with more bytes than it receives can be turned into a DDoS amplification vector. DTLS is no exception when a server answers every ClientHello without first verifying the sender.
In practice, an attacker sends small DTLS packets (ClientHello messages) to a DTLS-capable device with the source address forged to that of the DDoS victim, and the device answers the victim with much larger packets.
The ratio between the size of the reply and the size of the original packet is the amplification factor of a given protocol. In past DTLS-based DDoS attacks the amplification factor has usually been around 4 or 5, that is, the reflected traffic is four or five times the size of what the attacker sent.
On Monday, however, Hofmann reported that the DTLS implementation on Citrix ADC devices appeared to yield an amplification factor of roughly 35, which makes it one of the most potent DDoS amplification vectors known.
Citrix confirms the problem
Earlier today, after receiving several reports, Citrix confirmed the issue and promised to release a fix after the winter break, in mid-January 2021.
The company said it has seen this DDoS attack vector being abused against "a few customers around the world."
For IT administrators, the issue is a concern less because of the security of their equipment than because of cost and uptime.
As attackers abuse a Citrix ADC appliance, they can exhaust its upstream bandwidth, which drives up bandwidth costs and prevents the ADC from serving legitimate traffic.
Until Citrix ships an official fix, two temporary mitigations are available.
The first is to disable the DTLS interface on the Citrix ADC if it is not in use.
If DTLS is required, the recommendation is to force the appliance to verify incoming DTLS connections before responding in full. DTLS defines a HelloVerifyRequest cookie exchange (RFC 6347, section 4.2.1) for exactly this purpose: the server answers an unverified ClientHello with a small stateless cookie bound to the claimed source address, and only sends its large ServerHello and Certificate flight once the client echoes that cookie back. A spoofed ClientHello therefore earns a reply no larger than itself, because the cookie goes to the victim, not the attacker. Enabling this check adds a round trip to every handshake and may reduce the device's performance.
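The following is an added example, not code from the original article or from Citrix, that models the two behaviours described above: a DTLS 1.2 server that answers every ClientHello with its full ServerHello and Certificate flight (the amplifying case), and the same server with the HelloVerifyRequest cookie exchange enforced. The record and handshake framing follows the DTLS 1.2 wire layout, but the server itself is a toy, and the certificate bytes, addresses and cipher suite values are constructed sample data.

```python
"""Added model of the start of a DTLS 1.2 handshake (RFC 6347) showing why a
server that answers every ClientHello becomes a UDP amplifier, and how the
HelloVerifyRequest cookie exchange stops it. The record/handshake framing is the
real DTLS 1.2 layout; the certificate, addresses and cipher suites are
constructed sample values, not Citrix's code or data."""
import hashlib
import hmac
import os
import struct

DTLS12 = b"\xfe\xfd"                                   # DTLS 1.2 on the wire
HANDSHAKE = 22                                         # record content type
CLIENT_HELLO, SERVER_HELLO, HELLO_VERIFY_REQUEST, CERTIFICATE = 1, 2, 3, 11
SAMPLE_CERT = b"\x30\x82" + bytes(1500)               # constructed ~1.5 KB cert stand-in
VICTIM = ("198.51.100.10", 40000)                      # spoofed source (documentation range)
CLIENT = ("192.0.2.25", 50000)                         # honest client (documentation range)


def record(msg_type, body, msg_seq=0, rec_seq=0):
    """Wrap a handshake body in the 12-byte handshake and 13-byte record headers."""
    hs = (struct.pack("!B", msg_type) + len(body).to_bytes(3, "big")
          + struct.pack("!H", msg_seq) + (0).to_bytes(3, "big")      # fragment_offset
          + len(body).to_bytes(3, "big") + body)                      # fragment_length
    return (struct.pack("!B", HANDSHAKE) + DTLS12 + struct.pack("!H", 0)   # epoch 0
            + rec_seq.to_bytes(6, "big") + struct.pack("!H", len(hs)) + hs)


def client_hello(cookie=b"", client_random=None):
    """Flight 1: a ClientHello, optionally carrying the server's cookie."""
    client_random = client_random or os.urandom(32)
    suites = b"\xc0\x2f\xc0\x30"                        # two ECDHE suites, sample values
    body = (DTLS12 + client_random + b"\x00"            # empty session_id
            + bytes([len(cookie)]) + cookie
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")   # null compression
    return record(CLIENT_HELLO, body)


def parse_client_hello(datagram):
    """Return (client_random, cookie) from a ClientHello datagram."""
    if datagram[0] != HANDSHAKE or datagram[1:3] != DTLS12 or datagram[13] != CLIENT_HELLO:
        raise ValueError("not a DTLS 1.2 ClientHello")
    body = datagram[25:]                                 # 13 record + 12 handshake header bytes
    client_random = body[2:34]
    pos = 35 + body[34]                                  # skip session_id to cookie_length
    return client_random, body[pos + 1:pos + 1 + body[pos]]


class DtlsServer:
    """Toy server. verify_clients=False answers any ClientHello with the full
    ServerHello + Certificate flight (the amplifying behaviour); True first demands
    a cookie bound to the claimed source address."""

    def __init__(self, verify_clients):
        self.verify_clients = verify_clients
        self.secret = os.urandom(32)                     # a real server rotates this

    def _cookie(self, addr, client_random):
        # RFC 6347 4.2.1: Cookie = HMAC(Secret, Client-IP, Client-Parameters)
        keyed = addr[0].encode() + struct.pack("!H", addr[1]) + client_random
        return hmac.new(self.secret, keyed, hashlib.sha256).digest()[:20]

    def handle(self, datagram, src_addr):
        """Return the bytes the server sends back to src_addr for one datagram."""
        client_random, cookie = parse_client_hello(datagram)
        expected = self._cookie(src_addr, client_random)
        if self.verify_clients and not hmac.compare_digest(cookie, expected):
            # Reply is about the size of the request, so nothing is amplified.
            return record(HELLO_VERIFY_REQUEST, DTLS12 + bytes([len(expected)]) + expected)
        server_hello = DTLS12 + os.urandom(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
        chain = len(SAMPLE_CERT).to_bytes(3, "big") + SAMPLE_CERT
        cert_body = len(chain).to_bytes(3, "big") + chain
        return (record(SERVER_HELLO, server_hello)
                + record(CERTIFICATE, cert_body, msg_seq=1, rec_seq=1))


def spoofed_amplification(verify_clients):
    """Attacker sends one ClientHello with VICTIM as source; return reflected/sent bytes."""
    server = DtlsServer(verify_clients)
    probe = client_hello()                               # attacker never sees the cookie
    return len(server.handle(probe, VICTIM)) / len(probe)


def legitimate_handshake(verify_clients):
    """Honest client: retries with the cookie it was given; True once it gets ServerHello."""
    server = DtlsServer(verify_clients)
    client_random = os.urandom(32)
    reply = server.handle(client_hello(b"", client_random), CLIENT)
    if reply[13] == HELLO_VERIFY_REQUEST:
        cookie = reply[28:28 + reply[27]]                # 13 + 12 + 2-byte version = offset 27
        reply = server.handle(client_hello(cookie, client_random), CLIENT)
    return reply[13] == SERVER_HELLO


if __name__ == "__main__":
    print(f"amplification without cookie check: {spoofed_amplification(False):.1f}x")
    print(f"amplification with cookie check:    {spoofed_amplification(True):.1f}x")
    print("legitimate client still connects:", legitimate_handshake(True))
```

With the constructed 1.5 KB certificate, one 69-byte spoofed ClientHello draws a reply of about 1.6 KB from the unverified server (an amplification factor above 20), whereas the verifying server replies with a 48-byte HelloVerifyRequest, a ratio below 1. The honest client pays one extra round trip and still completes, which is the performance trade-off noted above. The model stops after the Certificate message; a real flight also carries ServerKeyExchange and ServerHelloDone, so real factors are somewhat higher.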