Threat Advisory - DTLS Amplification Distributed Denial of Service Attack on Citrix ADC and Citrix Gateway

2020-12-23T23:57:48
ID CTX289674
Type citrix
Reporter Citrix
Modified 2021-01-11T11:24:19

Description

<section class="article-content" data-swapid="ArticleContent"> <div class="content-block" data-swapid="ContentBlock"><h2><span><b>Threat Information </b></span></h2> <p>Citrix is aware of a DDoS attack pattern impacting Citrix ADC and Citrix Gateway. As part of this attack, an attacker or bots can overwhelm the Citrix ADC DTLS network throughput, potentially leading to outbound bandwidth exhaustion. The effect of this attack appears to be more prominent on connections with limited bandwidth.</p> <p>There are no known Citrix vulnerabilities associated with this event.</p> <p>Citrix recommends administrators be cognizant of attack indicators, monitor their systems and keep their appliances up to date.<br/> </p> <h2><span><b>Attack Indicators </b></span></h2> <p>To determine if a Citrix ADC or Citrix Gateway is being targeted by this attack, monitor the outbound traffic volume for any significant anomaly or spikes.<br/> </p> <h2><span><b>Enhancements </b></span></h2> <p>Citrix has added a feature enhancement for DTLS which, when enabled, addresses the susceptibility to this attack pattern. The enhancement builds are available on the <a href="https://www.citrix.com/downloads/">Citrix downloads</a> page for the following versions: </p> <ul> <li>Citrix ADC and Citrix Gateway 13.0-71.44 and later releases</li> <li>NetScaler ADC and NetScaler Gateway 12.1-60.19 and later releases</li> <li>Citrix ADC 12.1-FIPS 12.1-55.210 and later releases</li> <li>NetScaler ADC and NetScaler Gateway 11.1-65.16 and later releases</li> </ul> <p><br/>Customers who do not use DTLS do not need to upgrade to the enhancement build. Instead, customers are recommended to disable DTLS by using the following ADC CLI command:</p> <pre> set vpn vserver <vpn_vserver_name> -dtls OFF</pre> <p><br/>Customers using DTLS are recommended to upgrade to the enhancement build and enable “HelloVerifyRequest” in each DTLS profile by using the following ADC CLI instructions: </p> <ul> <li>List all DTLS profiles by running the command:</li> </ul> <pre> show dtlsProfile </pre> <p><img alt="Inserting image..." src="https://support.citrix.com/files/public/support/article/CTX289674/images/0EM4z000002N5UQ.png"/> </p> <ul> <li> <p>For each DTLS profile, enable the “HelloVerifyRequest” setting by running the command: </p> </li> </ul> <pre> set dtlsProfile <dtls_Profile_Name> -HelloVerifyRequest ENABLED </pre> <p><img src="https://support.citrix.com/files/public/support/article/CTX289674/images/0EM4z000002N5UR.png"/> </p> <ul> <li>Save the updated configuration by running the command:</li> </ul> <pre> savec </pre> <p><img src="https://support.citrix.com/files/public/support/article/CTX289674/images/0EM4z000002N5US.png"/> </p> <ul> <li>To verify “Hello Verify Request” is enabled, run the command:</li> </ul> <pre> show dtlsProfile </pre> <p><img src="https://support.citrix.com/files/public/support/article/CTX289674/images/0EM4z000002N5UT.png"/> </p> <ul> <li> <p>If DTLS was disabled based on a previous version of this advisory, re-enable the DTLS profile by running the following command: </p> </li> </ul> <pre> set vpn vserver <vpn_vserver_name> -dtls ON </pre> <p> </p> <h2><span><b>Obtaining Support on This Issue </b></span></h2> <p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <a href="http://www.citrix.com/site/ss/supportContacts.asp">http://www.citrix.com/site/ss/supportContacts.asp</a>. <a href="https://www.citrix.com/about/trust-center/vulnerability-process.html"> </a><br/> </p> <h2><span><b>Disclaimer </b></span></h2> <p>This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time. <br/> </p> <h2><span><b>Changelog</b></span></h2> <table> <tbody> <tr> <td colspan="1" rowspan="1">Date</td> <td colspan="1" rowspan="1">Change</td> </tr> <tr> <td colspan="1" rowspan="1">2020-12-23</td> <td colspan="1" rowspan="1">Initial Publication</td> </tr> <tr> <td colspan="1" rowspan="1">2021-01-04</td> <td colspan="1" rowspan="1">Enhancements Released</td> </tr> <tr> <td colspan="1" rowspan="1">2021-01-11</td> <td colspan="1" rowspan="1">Enhancements Released in 12.1-FIPS</td> </tr> </tbody> </table></div> </section>