             AUSCERT External Security Bulletin Redistribution

   DTLS Amplification Distributed Denial of Service Attack on Citrix ADC
                              12 January 2021


        AusCERT Security Bulletin Summary

Product:           Citrix ADC
                   Citrix Gateway
Publisher:         Citrix
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Unknown/Unspecified
Resolution:        Mitigation

Original Bulletin: 

Revision History:  January 12 2021: Enhancements Released in 12.1-FIPS
                   January  5 2021: Enhancements Released
                   January  4 2021: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Threat Advisory - DTLS Amplification Distributed Denial of Service Attack on Citrix ADC and Citrix Gateway

Reference: CTX289674
Category : Medium
Created  : 23 December 2020
Modified : 11 January 2021

Applicable Products

  o Citrix ADC
  o Citrix Gateway

Threat Information

Citrix is aware of a DDoS attack pattern impacting Citrix ADC and Citrix
Gateway. As part of this attack, an attacker or bots can overwhelm the Citrix
ADC DTLS network throughput, potentially leading to outbound bandwidth
exhaustion. The effect of this attack appears to be more prominent on
connections with limited bandwidth.

There are no known Citrix vulnerabilities associated with this event.

Citrix recommends administrators be cognizant of attack indicators, monitor
their systems and keep their appliances up to date.

Attack Indicators

To determine if a Citrix ADC or Citrix Gateway is being targeted by this
attack, monitor the outbound traffic volume for any significant anomaly or


Citrix has added a feature enhancement for DTLS which, when enabled, addresses
the susceptibility to this attack pattern. The enhancement builds are available
on the Citrix downloads page for the following versions:

  o Citrix ADC and Citrix Gateway 13.0-71.44 and later releases
  o NetScaler ADC and NetScaler Gateway 12.1-60.19 and later releases
  o Citrix ADC 12.1-FIPS 12.1-55.210 and later releases
  o NetScaler ADC and NetScaler Gateway 11.1-65.16 and later releases

Customers who do not use DTLS do not need to upgrade to the enhancement build.
Instead, customers are recommended to disable DTLS by using the following ADC
CLI command:

set vpn vserver <vpn_vserver_name> -dtls OFF

Customers using DTLS are recommended to upgrade to the enhancement build and
enable "HelloVerifyRequest" in each DTLS profile by using the following ADC CLI

  o List all DTLS profiles by running the command:

show dtlsProfile

  o For each DTLS profile, enable the "HelloVerifyRequest" setting by running
    the command:

set dtlsProfile <dtls_Profile_Name> -HelloVerifyRequest ENABLED


  o Save the updated configuration by running the command:



  o To verify "Hello Verify Request" is enabled, run the command:

show dtlsProfile


  o If DTLS was disabled based on a previous version of this advisory,
    re-enable the DTLS profile by running the following command:

set vpn vserver <vpn_vserver_name> -dtls ON
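
Why the "HelloVerifyRequest" setting removes the amplification, shown as an added example that is not Citrix or AusCERT code: a model of the stateless cookie exchange defined in RFC 6347 section 4.2.1. The datagram sizes, addresses, and all function and variable names are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sizes for illustration; real values depend on the certificate chain.
HELLO_VERIFY_SIZE = 60      # assumed size of a HelloVerifyRequest datagram
SERVER_FLIGHT_SIZE = 3000   # assumed size of ServerHello + Certificate flight

SECRET = os.urandom(32)     # server-side cookie secret (hypothetical name)


def make_cookie(ip: str, port: int, client_random: bytes) -> bytes:
    """RFC 6347 section 4.2.1: cookie = HMAC(secret, client address, client params)."""
    msg = f"{ip}:{port}".encode() + client_random
    return hmac.new(SECRET, msg, hashlib.sha256).digest()


def handle_client_hello(ip, port, client_random, cookie=b"", verify=True):
    """Return (reply_type, bytes_sent_to_source, cookie_in_reply) for one ClientHello."""
    if not verify:
        # Setting disabled: the full flight goes to the claimed source address.
        return "ServerHello", SERVER_FLIGHT_SIZE, b""
    expected = make_cookie(ip, port, client_random)
    if cookie and hmac.compare_digest(cookie, expected):
        return "ServerHello", SERVER_FLIGHT_SIZE, b""
    # No valid cookie yet: send a small reply and keep no per-client state.
    return "HelloVerifyRequest", HELLO_VERIFY_SIZE, expected


def bytes_to_unverified_source(verify: bool) -> int:
    """Bytes emitted toward an address that never echoes a cookie."""
    return handle_client_hello("203.0.113.10", 40000, os.urandom(32), verify=verify)[1]


def legit_handshake() -> list:
    """A genuine client receives the cookie at its real address and echoes it."""
    ip, port, rnd = "198.51.100.7", 51000, os.urandom(32)
    first, _, cookie = handle_client_hello(ip, port, rnd)
    second, _, _ = handle_client_hello(ip, port, rnd, cookie=cookie)
    return [first, second]


def replayed_from_other_address() -> str:
    """A cookie issued to one address is rejected when presented from another."""
    rnd = os.urandom(32)
    _, _, cookie = handle_client_hello("198.51.100.7", 51000, rnd)
    return handle_client_hello("203.0.113.10", 51000, rnd, cookie=cookie)[0]


if __name__ == "__main__":
    print(bytes_to_unverified_source(False), bytes_to_unverified_source(True))
    print(legit_handshake(), replayed_from_other_address())
```

With verification on, the large certificate flight is sent only to a source that has proven it can receive at its claimed address, so a one-off request no longer draws a reply many times its own size.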


Date       Change
2020-12-23 Initial Publication
2021-01-04 Enhancements Released
2021-01-11 Enhancements Released in 12.1-FIPS

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.