Citrix Adds NetScaler ADC Setting To Block Recent DDoS Attacks

Citrix has released a feature enhancement designed to block attackers from using the Datagram Transport Layer Security (DTLS) feature of Citrix ADC and Gateway devices as an amplification vector in DDoS attacks.

DTLS is a UDP-based version of the Transport Layer Security (TLS) protocol utilized to secure and to prevent eavesdropping and tampering in delay-sensitive apps and services.

According to reports that have surfaced starting with December 21st, 2020, a DDOS attack used DTLS to amplify traffic from susceptible Citrix ADC devices dozens of times.

“As part of this attack, an attacker or bots can overwhelm the Citrix ADC DTLS network throughput, potentially leading to outbound bandwidth exhaustion,” the company said in an advisory published on December 24th.

“The effect of this attack appears to be more prominent on connections with limited bandwidth.”

Fix now available

Citrix has now released a feature enhancement to remove the amplification vector on NetScaler ADC devices with Enlightened Data Transport UDP Protocol (EDT) enabled.

The company’s newly released DTLS feature enhancement adds a “HelloVerifyRequest” setting that will address the susceptibility to this attack vector and will block attempts made by attackers to abuse them in future DDoS attacks.

Also Read: Data Centre Regulations Singapore: Does It Help To Progress?

The new builds with DTLS enhancement are available on the Citrix downloads page for the following ADC and Gateway versions:

• Citrix ADC and Citrix Gateway 13.0-71.44 and later releases
• NetScaler ADC and NetScaler Gateway 12.1-60.19 and later releases
• NetScaler ADC and NetScaler Gateway 11.1-65.16 and later releases

Citrix advises customers who use DTLS to upgrade their software and enable the “HelloVerifyRequest” setting in each DTLS profile using these instructions:

• List all DTLS profiles by running the command: show dtlsProfile
• For each DTLS profile, enable the “HelloVerifyRequest” setting by running the command: set dtlsProfile -HelloVerifyRequest ENABLED
• Save the updated configuration by running the command: savec
• To verify “Hello Verify Request” is enabled, run the command: show dtlsProfile 

If DTLS was disabled based on a previous version of this advisory, re-enable the DTLS profile by running following command: set vpn vserver -dtls ON.

Temporary mitigation

Impacted customers who cannot immediately install these new builds can also temporarily remove the amplification vector by temporarily disabling DTLS.

To disable DTLS on affected Citrix devices you will have to issue the following command: set vpn vserver -dtls OFF.

“Disabling the DTLS protocol may lead to limited performance degradation to real time applications using DTLS in your environment,” Citrix said.

“The extent of degradation depends on multiple variables. If your environment does not use DTLS, disabling the protocol temporarily will have no performance impact.”

Also Read: What Is A Governance Framework? The Importance And How It Works

While the scope of these DDoS attacks is limited to only a small number of Citrix customers, the company recommends admins to monitor their systems and always keep their appliances up to date.