DDoS attacks hit Citrix Application Delivery Controllers, hindering customer performance

Exterior of the Citrix Techniques headquarters in Santa Clara, California. (Citrix Programs Inc./CC BY 3.)

Citrix claimed Thursday a DDoS attack that was hitting its Citrix Software Supply Controllers (ADCs), the networking products and solutions that let security and network teams handle the shipping and delivery speed and excellent of apps to end end users.

In accordance to the Citrix danger advisory, the attacker or bots can overwhelm the Citrix ADC Datagram Transport Layer Security (DTLS) network throughput, perhaps major to outbound bandwidth exhaustion. Citrix stated businesses with limited bandwidth show up to have a more complicated time with this attack.

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

As of early this morning, Citrix reported the attack has been constrained to a modest selection of customers around the globe. The seller also included that there are no known Citrix vulnerabilities affiliated with this celebration. Citrix explained if the Citrix security response workforce discovers that a products results in being susceptible to DDoS attacks since of a defect in Citrix software, information about the influenced products will be printed as a security bulletin. 

Citrix endorses that security groups keep cognizant of attack indicators and keep track of their devices. To establish if an ADC gets qualified by this attack, Citrix said security teams need to check the outbound visitors volume for any considerable anomaly or spikes. 

To remedy the situation, Citrix customers impacted by this attack can disable DTLS temporarily to prevent an attack and eliminate the susceptibility to the attack. Disabling the DTLS protocol may perhaps lead to constrained efficiency degradation to applications utilizing DTLS in a customer’s atmosphere. The extent of degradation is dependent on multiple variables. If the company’s atmosphere does not use DTLS, disabling the protocol temporarily will have no general performance effect. 

John Hammond, senior security researcher at Huntress, mentioned the the latest risk advisory from Citrix for the DDoS attack impacting Citrix ADCs leaves security professionals in a bind. Citrix said they will have an update to reduce this attack by January 12th, 2021, but Hammond pointed out this offers attackers a sizable window of option.

“While a non permanent hotfix to disable DTLS is readily available, it does make a momentary bump in site visitors and may well hinder performance,” Hammond reported. “Network house owners and security practitioners need to weigh the risk and make an appropriate selection in the context of their individual ecosystem. Regretably, this is another advisory in a extensive record of exposures the place we check out and engage in capture-up on program security. For security practitioners now, this boils down to the age-previous, experimented with-and-examined basics: assess the risk, keep an eye on the situation, stay vigilant and update when companies launch a patch.”

Jonathan Meyers, principal infrastructure engineer at Cybrary, included that original experiences demonstrate that if the purchaser had the ClientHelloVerify option turned on, it would have prevented this attack. On the other hand, Meyers reported there are reports that a bug in some variations of the software – achievable memory leak as it requires a couple hrs to come about – has caused the server to crash when enabling this alternative.

“It’s essential to notice that this really should have been on in the very first place,” Meyers mentioned. “At this place, it appears to be the only mitigation is to flip off DTLS and allow it tumble back again to TLS (DTLS is basically TLS more than UDP). Also, really do not overlook the age-outdated procedure of whitelisting IP addresses in your firewall or blacklisting large chunks of addresses, if your setup will allow for it.”

According to BleepingComputer, studies of the attack started out coming in on Dec. 21. Citrix buyers described an ongoing DDOS amplify attack around UDP/443 towards Citrix (NetScaler) Gateway products.