Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Network Networking Security IT

Citrix Devices Are Being Abused as DDoS Attack Vectors (zdnet.com) 17

Threat actors have discovered a way to bounce and amplify junk web traffic against Citrix ADC networking equipment to launch DDoS attacks. From a report: While details about the attackers are still unknown, victims of these Citrix-based DDoS attacks have mostly included online gaming services, such as Steam and Xbox, sources have told ZDNet earlier today. The first of these attacks have been detected last week and documented by German IT systems administrator Marco Hofmann. Hofmann tracked the issue to the DTLS interface on Citrix ADC devices. DTLS, or Datagram Transport Layer Security, is a more version of the TLS protocol implemented on the stream-friendly UDP transfer protocol, rather than the more reliable TCP. Just like all UDP-based protocols, DTLS is spoofable and can be used as a DDoS amplification vector.
This discussion has been archived. No new comments can be posted.

Citrix Devices Are Being Abused as DDoS Attack Vectors

Comments Filter:
  • Guess 2021 is going to be a bad year for our digital lives.

  • by Anonymous Coward on Friday December 25, 2020 @02:33PM (#60865572)

    Even though it's UDP, the client should *always* have to send more data to begin with to the server which *always* should return smaller replies during session setup.

    This should include padding with nulls '0's or whatever floats your boat and the server should check that the client has sent an 'abundant' amount of data for it to send it's smaller reply.

    Once authenticated and whatever then you can go back to business as usual with 'ratelimiting'.

    That should sort out amplification attacks easily enough.

    • Even though it's UDP, the client should *always* have to send more data to begin with to the server which *always* should return smaller replies during session setup.

      DTLS provides a similar mechanism during session setup that TCP offers to prevent one-sided spoofing. You don't even have to be careful about how you design your protocol.

      You just have to have the minimum competence necessary to use a feature already provided to you by your TLS stack.

  • DTLS is a more version of the TLS protocol

    Maybe it's because english is not my primary language, or maybe it's the coffee that hasn't kicked in yet, but "a more version" sounds like nonsense.

  • by WaffleMonster ( 969671 ) on Friday December 25, 2020 @11:34PM (#60866324)

    It's brain-damaged implementations that fail to use DTLS's stateless cookie feature designed specifically to prevent these types of problems from occurring in the first place.

    Then we have commentary from people who should know better:

    "If the DTLS interface is needed, forcing the device to authenticate incoming DTLS connections is recommended, although it may degrade the device's performance as a result.

      If you are making use of Citrix ADC and have enabled DTLS/EDT (UDP via port 443) you might need to run this command: "set ssl dtlsProfile nsdtls_default_profile -helloVerifyRequest ENABLED". This will prevent you from future UDP amplification attacks"

    This is essentially the exact same thing as deploying a system with TCP SYN cookies disabled and justifying such rank insanity by proclaiming it degrades the device's performance.

    "Actually the vast majority of deploys will become unstable with that. To be safe until January, better block UDP. "

    Good grief.

Solutions are obvious if one only has the optical power to observe them over the horizon. -- K.A. Arsdall

Working...