Warning: DDoS attacks on Citrix NetScaler (ADC)

[German]A brief information for Citrix NetScaler administrators. Now also CERT-Bund warns about worldwide UDP:443 (EDT) accesses to Citrix Netscaler gateways. Citrix has published a workaround.


I had already pointed out the problem in the blog post Worldwide UDP:443 (EDT) DDOS on Citrix (NetScaler) Gateway. Blog reader Timo B. had contacted me by mail and pointed out the post Potentially ongoing worldwide UDP:443 (EDT) DDOS amplify attack against Citrix (NetScaler. The operator of the above website has been observing a worldwide DDOS attack against Citrix Gateway UDP:443 DTLS EDT services since December 19, 2020 7pm CET.

CERT-Bund Warnung: DDoS-Angriffe auf Citrix NetScaler

Citrix has published a security advisory Threat Advisory – DTLS Amplification Distributed Denial of Service Attack on Citrix ADC as of December 24, 2020. It states that Citrix is aware of a DDoS attack pattern on Citrix ADC. As part of this attack, an attacker or bots can overload the Citrix ADC's DTLS network throughput, which can lead to outbound bandwidth exhaustion. The effect of this attack appears to be more pronounced on connections with limited bandwidth.

Small number of customers affected

Citrix is monitoring these events and continues to investigate the impact they have on Citrix ADC. At this time, the scope of the attack is limited to a small number of customers around the world, and beyond that, there are no known Citrix vulnerabilities associated with this event. If the Citrix Security Response Team determines that a product is vulnerable to DDoS attacks due to a flaw in Citrix software, the vendor plans to release information about affected products as a security bulletin.

Citrix currently recommends administrators look for attack indicators and monitor their systems. To determine if an ADC is affected by the attack, monitor the volume of outbound traffic for significant anomalies or spikes.


Temporarily mitigate attack possibility

Customers affected by this attack can temporarily disable DTLS to stop an attack and remove vulnerability to the attack. This is accomplished by entering the following CLI command on the Citrix ADC: 

set vpn vserver <vpn_vserver_name> -dtls OFF

The disabling of the DTLS protocol can cause limited performance degradation for real-time applications that use DTLS in your environment. The extent of the degradation depends on several variables. If DTLS is not used in your environment, temporarily disabling the protocol does not affect performance. Details can be found in this Citrix document.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *