Attackers have been targeting Citrix ADC and Gateway appliances in recent weeks to use them as part of DDoS attacks. The attacks don’t take advantage of any flaws in the appliances, but instead use them as amplification points.
The DDoS attacks first surfaced toward the end of December when some customers noticed a large volume of UDP traffic targeting port 443 on the appliances. The attacks specifically target appliances with the Datagram TLS (DTLS) protocol enabled.
“Citrix is aware of a DDoS attack pattern impacting Citrix ADC and Citrix Gateway. As part of this attack, an attacker or bots can overwhelm the Citrix ADC DTLS network throughput, potentially leading to outbound bandwidth exhaustion. The effect of this attack appears to be more prominent on connections with limited bandwidth,” the Citrix advisory says.
“The scope of attack is limited to a small number of customers around the world, and further, there are no known Citrix vulnerabilities associated with this event.”
DTLS is a transport-layer protocol designed to provide security for datagram applications. The attacks referenced in the Citrix advisory are affecting the Application Delivery Controller (ADC), Citrix Gateway, and NetScaler ADC and Gateway appliances.
Citrix has released some guidance for enterprises with those products deployed, encouraging customers to disable DTLS if it’s not needed. The company also released some software enhancements for the affected appliances.
“Citrix has added a feature enhancement for DTLS which, when enabled, addresses the susceptibility to this attack pattern. Customers who do not use DTLS do not need to upgrade to the enhancement build. Instead, customers are recommended to disable DTLS,” the advisory says.
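The traffic pattern described above (UDP on port 443 with far more bytes leaving the appliance than arriving) can be looked for in flow records. The following is an added example, not code from Citrix or the original article; the CSV layout, field names, thresholds and sample records are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (not real traffic). Assumed columns;
# direction is relative to the appliance: "in" = toward it, "out" = from it.
SAMPLE_FLOWS = """ts,peer_ip,proto,appliance_port,direction,bytes
1,198.51.100.7,udp,443,in,220
1,198.51.100.7,udp,443,out,7900
2,198.51.100.7,udp,443,in,230
2,198.51.100.7,udp,443,out,8100
1,203.0.113.20,udp,443,in,5200
1,203.0.113.20,udp,443,out,6100
1,192.0.2.9,tcp,443,in,900
1,192.0.2.9,tcp,443,out,40000
"""

def find_dtls_reflection(flow_csv, min_ratio=10.0, min_out_bytes=5000):
    """Return {peer_ip: (bytes_in, bytes_out, ratio)} for peers whose UDP/443
    exchange with the appliance is heavily skewed toward outbound bytes.
    Both thresholds are illustrative assumptions, not vendor guidance."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # Only DTLS-candidate traffic: UDP on the appliance's port 443.
        if row["proto"].lower() != "udp" or row["appliance_port"] != "443":
            continue
        if row["direction"] not in ("in", "out"):
            continue
        totals[row["peer_ip"]][row["direction"]] += int(row["bytes"])

    flagged = {}
    for peer, t in totals.items():
        if t["out"] < min_out_bytes:
            continue  # too little outbound volume to affect the uplink
        # Outbound with no recorded inbound is treated as infinitely skewed.
        ratio = t["out"] / t["in"] if t["in"] else float("inf")
        if ratio >= min_ratio:
            flagged[peer] = (t["in"], t["out"], round(ratio, 1))
    return flagged

if __name__ == "__main__":
    for peer, (b_in, b_out, ratio) in find_dtls_reflection(SAMPLE_FLOWS).items():
        print(f"{peer}: in={b_in}B out={b_out}B ratio={ratio}x")
```

In an amplification attack the source address is typically spoofed, so a flagged peer is more likely the party receiving the unwanted traffic than the sender of the requests.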