Citrix has issued an urgent warning to its customers regarding a security issue affecting its NetScaler application delivery controller (ADC) devices. The vulnerability is being exploited by malicious actors to orchestrate amplified distributed denial-of-service (DDoS) attacks against various targets across the globe.
The company stated that attackers, potentially including botnets, can overwhelm the Citrix ADC's Datagram Transport Layer Security (DTLS) network throughput, thereby exhausting outbound bandwidth. This problem is notably pronounced in environments with limited bandwidth, where it can disrupt normal operations.
NetScaler ADCs are specialized networking devices designed to enhance the performance, security, and availability of web-delivered applications. They play a pivotal role in optimizing user interactions with digital services.
Citrix is actively monitoring the situation and assessing its impact, noting that the attacks appear limited to a relatively small number of customers worldwide. Reports indicate that the DDoS amplification attacks targeting UDP/443 on Citrix (NetScaler) Gateway devices began surfacing around December 19, as highlighted by an IT administrator from German software firm ANAXCO GmbH, Marco Hofmann.
DTLS is the datagram counterpart of the Transport Layer Security (TLS) protocol, aimed at providing secure communications while mitigating the risks of eavesdropping, tampering, and data forgery. However, because DTLS runs over the connectionless User Datagram Protocol (UDP), it is susceptible to IP source-address spoofing, where malicious actors replace the source IP address of their packets with that of a target.
When the Citrix ADC is inundated with a large volume of forged DTLS packets whose source address has been set to a target's IP address, the ADC's responses are reflected to that target, and the resulting traffic saturates bandwidth, effectively producing a DDoS condition. Citrix is currently enhancing the DTLS framework to address this issue, with a patch anticipated to be released by January 12, 2021.
For organizations concerned they may be impacted by this attack, Citrix recommends monitoring outbound traffic for any unusual spikes. Until a permanent solution is implemented by Citrix, affected customers can mitigate risk by disabling DTLS, using the command “set vpn vserver
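One way to turn the recommended outbound-traffic check into something measurable, as an added example that is not part of the original article or of any Citrix tooling: aggregate flow records per peer for UDP/443 and flag peers that receive far more DTLS bytes from the ADC than they send to it. The flow tuple layout, the ADC address and the sample records below are all constructed assumptions, not a real NetFlow/IPFIX schema.

```python
"""Flag possible DTLS (UDP/443) amplification victims from flow records.

Constructed flow records stand in for NetFlow/IPFIX export from the
perimeter; the field layout is an assumption, not a real exporter schema.
"""
from collections import defaultdict

ADC_IP = "192.0.2.10"  # constructed address of the NetScaler ADC

# Constructed sample: (src, dst, proto, sport, dport, bytes)
FLOWS = [
    ("198.51.100.10", ADC_IP, "udp", 50000, 443, 1200),  # genuine client
    (ADC_IP, "198.51.100.10", "udp", 443, 50000, 1500),
    ("203.0.113.5", ADC_IP, "udp", 40000, 443, 60),      # spoofed ClientHello
    (ADC_IP, "203.0.113.5", "udp", 443, 40000, 1400),    # reply hits the victim
    ("203.0.113.5", ADC_IP, "udp", 40001, 443, 60),
    (ADC_IP, "203.0.113.5", "udp", 443, 40001, 1400),
    ("203.0.113.5", ADC_IP, "udp", 40002, 443, 60),
    (ADC_IP, "203.0.113.5", "udp", 443, 40002, 1400),
    (ADC_IP, "198.51.100.77", "tcp", 443, 5555, 9000),   # TCP/443: not DTLS
]


def dtls_bytes_by_peer(flows, adc_ip=ADC_IP, port=443):
    """Return {peer: (bytes_in_to_adc, bytes_out_from_adc)} for UDP on `port`."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, proto, sport, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dst == adc_ip and dport == port:
            totals[src][0] += nbytes
        elif src == adc_ip and sport == port:
            totals[dst][1] += nbytes
    return {peer: tuple(v) for peer, v in totals.items()}


def suspected_victims(flows, ratio=5.0, min_out=2000, adc_ip=ADC_IP):
    """Peers that receive far more DTLS bytes than they send.

    A high out/in ratio toward one peer is the signature of reflected traffic:
    the forged "client" address is really the victim. Peers with zero inbound
    bytes (pure reflection) get an infinite ratio and are always flagged.
    """
    hits = []
    for peer, (b_in, b_out) in dtls_bytes_by_peer(flows, adc_ip).items():
        if b_out < min_out:  # ignore low-volume peers to cut noise
            continue
        amp = b_out / b_in if b_in else float("inf")
        if amp >= ratio:
            hits.append((peer, round(amp, 1)))
    return sorted(hits)


if __name__ == "__main__":
    for peer, amp in suspected_victims(FLOWS):
        print(f"{peer}: {amp}x outbound DTLS bytes vs inbound")
```

The thresholds are starting points; tune `ratio` and `min_out` against a baseline of normal DTLS traffic before alerting on them.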