Worldwide UDP:443 (EDT) DDOS on Citrix (NetScaler) Gateway

Brief information and a question to Citrix NetScaler administrators: are you noticing increased UDP:443 (EDT) traffic to your Citrix NetScaler Gateway? There is currently information that a massive DDoS campaign against Citrix NetScaler gateways has been running since December 19, 2020.



German blog reader Timo B. just contacted me via email and pointed out the post Potentially ongoing worldwide UDP:443 (EDT) DDOS amplify attack against Citrix (NetScaler) Gateway (thanks for that). The operator of that blog documented a potential worldwide DDoS amplification attack against the Citrix Gateway UDP:443 DTLS/EDT service, ongoing since December 19, 2020, 7pm CET.

[Figure: Zabbix Citrix Gateway throughput monitoring graph (traffic to the Citrix Gateway; source: meinekleinefarm.net)]

The website operator writes that during the night from Saturday (12/19/2020) to Sunday (12/20/20), Zabbix monitoring sent out a message because several Citrix Gateway VPX (50) appliances had reached their license limit. When the operators investigated the whole thing, they quickly found out that there were 0 ICA sessions on most of the appliances. So there was no explanation for the traffic.

From that point, the operators took their Citrix Gateway VPX systems offline and started a more detailed investigation, because there was a suspicion that the VPX systems could be infected with malware or be part of a botnet. Malware on the internal network, a DDoS attack, or brute-force attacks on the VPX gateways were also not ruled out.

After some testing, the administrators were fairly certain that a DDoS attack against their VPX gateways was coming from IP address 92.118.16.122. Therefore, a test appliance was brought back online, but the potential source IPs of the DDoS attackers were blocked at the corporate firewall. Immediately, bandwidth consumption on the Citrix VPX gateway dropped to zero.



However, blocking the source IPs did not help for long, as the attackers switched to other IPs. To fend off the DDoS attack it was necessary to block UDP:443 to the customer's gateway VIP completely at the corporate firewall. It is now clear that others are affected as well, as documented in the post. The following tweet also reports this.
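The key detection signal in the incident above is a gateway VIP that receives large amounts of UDP/443 (DTLS/EDT) traffic while serving no ICA sessions, and the key mitigation lesson is that per-source blocking is defeated by rotating source addresses, so the alert should be raised per VIP rather than per source. The following script is an added example and is not code from this post or from meinekleinefarm.net; it assumes a simple space-separated flow-record format (timestamp, source IP and port, destination IP and port, protocol, bytes), a per-VIP ICA session count such as Zabbix would report, and a byte threshold chosen for the constructed sample data. All addresses in the sample are RFC 5737 documentation ranges, not the IPs from the post.

```python
"""Flag Citrix Gateway VIPs receiving UDP/443 (DTLS/EDT) traffic while serving no ICA sessions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


# Constructed sample flow records (hypothetical export format, RFC 5737 addresses).
# VIP 203.0.113.10 receives only UDP/443 from a few high-port sources;
# VIP 203.0.113.20 receives mostly TCP/443 from ordinary client sessions.
SAMPLE_FLOWS = """\
2020-12-19T19:00:01 198.51.100.7 53 203.0.113.10 443 udp 1400
2020-12-19T19:00:01 198.51.100.7 53 203.0.113.10 443 udp 1400
2020-12-19T19:00:02 198.51.100.9 123 203.0.113.10 443 udp 1400
2020-12-19T19:00:02 198.51.100.9 123 203.0.113.10 443 udp 1400
2020-12-19T19:00:03 198.51.100.9 123 203.0.113.10 443 udp 1400
2020-12-19T19:00:03 192.0.2.55 51234 203.0.113.20 443 tcp 900
2020-12-19T19:00:04 192.0.2.56 51235 203.0.113.20 443 udp 600
"""

# Constructed ICA session counts per gateway VIP, as a monitoring system would report them.
ICA_SESSIONS = {"203.0.113.10": 0, "203.0.113.20": 12}


def parse_flows(text):
    """Parse the constructed flow format into Flow records; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, sp, dst, dp, proto, nbytes = line.split()
        flows.append(Flow(ts, src, int(sp), dst, int(dp), proto.lower(), int(nbytes)))
    return flows


def udp443_bytes_per_vip(flows):
    """Aggregate inbound UDP/443 bytes per destination VIP (the per-VIP view survives source rotation)."""
    totals = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.dst_port == 443:
            totals[f.dst_ip] += f.nbytes
    return dict(totals)


def top_sources(flows, vip, n=3):
    """Top UDP/443 talkers for one VIP, for the incident report rather than for blocking decisions."""
    per_src = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.dst_port == 443 and f.dst_ip == vip:
            per_src[f.src_ip] += f.nbytes
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


def find_suspect_vips(flows, sessions, min_bytes=5000):
    """Return VIPs with at least min_bytes of UDP/443 traffic but zero ICA sessions.

    min_bytes is a threshold assumed for the sample data; in production it would be
    derived from the appliance's normal EDT baseline.
    """
    suspects = []
    for vip, total in udp443_bytes_per_vip(flows).items():
        if total >= min_bytes and sessions.get(vip, 0) == 0:
            suspects.append(
                {"vip": vip, "udp443_bytes": total, "top_sources": top_sources(flows, vip)}
            )
    return suspects


if __name__ == "__main__":
    for s in find_suspect_vips(parse_flows(SAMPLE_FLOWS), ICA_SESSIONS):
        print(f"VIP {s['vip']}: {s['udp443_bytes']} bytes UDP/443 with 0 ICA sessions; "
              f"top sources {s['top_sources']}")
```

Note that the alert condition is evaluated on the VIP total, not on any individual source: the post reports that source-IP blocks only bought a short respite before the attackers moved to other addresses, so a detector keyed on sources would go quiet while the VIP stayed saturated. The top-sources list is there for the incident record, and the mitigation that actually held was dropping UDP/443 to the VIP at the firewall.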

DDoS attacks on Citrix VPX gateways

For those affected by these attacks, the post linked above provides some additional information and suggestions for remediation. Thanks to blog reader Timo B. for pointing this out (the tweet above had passed me by). Perhaps it will help some of those affected.


