===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2021.0018.3
   DTLS Amplification Distributed Denial of Service Attack on Citrix ADC
                              12 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix ADC
                   Citrix Gateway
Publisher:         Citrix
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Unknown/Unspecified
Resolution:        Mitigation

Original Bulletin:
   https://support.citrix.com/article/CTX289674

Revision History:  January 12 2021: Enhancements Released in 12.1-FIPS
                   January  5 2021: Enhancements Released
                   January  4 2021: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Threat Advisory - DTLS Amplification Distributed Denial of Service Attack on
Citrix ADC and Citrix Gateway

Reference: CTX289674
Category : Medium
Created  : 23 December 2020
Modified : 11 January 2021

Applicable Products

  o Citrix ADC
  o Citrix Gateway

Threat Information

Citrix is aware of a DDoS attack pattern impacting Citrix ADC and Citrix Gateway. As part of this attack, an attacker or bots can overwhelm the Citrix ADC DTLS network throughput, potentially leading to outbound bandwidth exhaustion. The effect of this attack appears to be more prominent on connections with limited bandwidth.

There are no known Citrix vulnerabilities associated with this event. Citrix recommends administrators be cognizant of attack indicators, monitor their systems and keep their appliances up to date.

Attack Indicators

To determine if a Citrix ADC or Citrix Gateway is being targeted by this attack, monitor the outbound traffic volume for any significant anomaly or spikes.

Enhancements

Citrix has added a feature enhancement for DTLS which, when enabled, addresses the susceptibility to this attack pattern.
The enhancement builds are available on the Citrix downloads page for the following versions:

  o Citrix ADC and Citrix Gateway 13.0-71.44 and later releases
  o NetScaler ADC and NetScaler Gateway 12.1-60.19 and later releases
  o Citrix ADC 12.1-FIPS 12.1-55.210 and later releases
  o NetScaler ADC and NetScaler Gateway 11.1-65.16 and later releases

Customers who do not use DTLS do not need to upgrade to the enhancement build. Instead, customers are recommended to disable DTLS by using the following ADC CLI command:

    set vpn vserver <vpn_vserver_name> -dtls OFF

Customers using DTLS are recommended to upgrade to the enhancement build and enable "HelloVerifyRequest" in each DTLS profile by using the following ADC CLI instructions:

  o List all DTLS profiles by running the command:

        show dtlsProfile

  o For each DTLS profile, enable the "HelloVerifyRequest" setting by running the command:

        set dtlsProfile <dtls_Profile_Name> -HelloVerifyRequest ENABLED

  o Save the updated configuration by running the command:

        savec

  o To verify "Hello Verify Request" is enabled, run the command:

        show dtlsProfile

  o If DTLS was disabled based on a previous version of this advisory, re-enable the DTLS profile by running the following command:

        set vpn vserver <vpn_vserver_name> -dtls ON

Changelog

Date        Change
2020-12-23  Initial Publication
2021-01-04  Enhancements Released
2021-01-11  Enhancements Released in 12.1-FIPS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.
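Why the "HelloVerifyRequest" setting in the advisory above limits outbound volume, shown as an added example (not part of the Citrix advisory and not Citrix code): a simplified model of the stateless cookie exchange defined for DTLS in RFC 6347. The class and function names and the 3000-byte size of the full server flight are assumptions made for illustration; the addresses are documentation ranges.

```python
import hashlib
import hmac
import os

# DTLS record header (13) + handshake header (12) + version (2) + cookie length (1)
HVR_HEADER_BYTES = 28
# Constructed size of ServerHello + Certificate + ...; real size depends on the cert chain
FULL_FLIGHT_BYTES = 3000


class DtlsResponder:
    """Toy model of a DTLS server's reply to a ClientHello (hypothetical, not Citrix code)."""

    def __init__(self, hello_verify: bool):
        self.hello_verify = hello_verify
        self.secret = os.urandom(32)  # server-side secret, never sent on the wire

    def _cookie(self, src_ip: str, src_port: int, client_random: bytes) -> bytes:
        # Stateless cookie bound to the claimed source address and client parameters
        msg = f"{src_ip}|{src_port}|".encode() + client_random
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def on_client_hello(self, src_ip, src_port, client_random, cookie=b""):
        """Return (reply_kind, reply_bytes, cookie_to_echo) for one ClientHello."""
        if not self.hello_verify:
            return "full_flight", FULL_FLIGHT_BYTES, b""
        expected = self._cookie(src_ip, src_port, client_random)
        if cookie and hmac.compare_digest(cookie, expected):
            return "full_flight", FULL_FLIGHT_BYTES, b""
        # No valid cookie yet: answer with a short HelloVerifyRequest only
        return "hello_verify_request", HVR_HEADER_BYTES + len(expected), expected


def bytes_sent_to_claimed_source(server, src_ip, src_port, echoes_cookie):
    """Total bytes the server sends toward src_ip for one handshake attempt."""
    rnd = os.urandom(32)
    kind, sent, cookie = server.on_client_hello(src_ip, src_port, rnd)
    if kind == "hello_verify_request" and echoes_cookie:
        # Only a host that actually receives traffic at src_ip can echo the cookie
        _, more, _ = server.on_client_hello(src_ip, src_port, rnd, cookie)
        sent += more
    return sent
```

With the check enabled, a source address that never echoes the cookie receives only the 60-byte HelloVerifyRequest, while a genuine client pays one extra round trip before the full flight is sent.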
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.