UDP:443 (EDT) DDOS amplify attack against Citrix (NetScaler) Gateway


Alfredo Vazquez


Hi,

I am seeing a lot of DDoS attacks against our VPX. We need to use DTLS in our environment. Do you know if there is currently any fix to stop this attack other than blocking DTLS on the VPX or the firewall?

https://www.meinekleinefarm.net/potentially-ongoing-worldwide-udp443-edt-ddos-amplify-attack-against-citrix-netscaler-gateway/

Please advise.


First of all: I have still not seen this DDoS attack on my system, so I have no experience with it.


I think rate-limiting could help, but I'm not sure! The limit selector would be Top_CLIENTS (CLIENT.IP.SRC), and the limit identifier would be:


add ns limitSelector Top_CLIENTS CLIENT.IP.SRC
add ns limitIdentifier limit_IP -threshold 5 -timeSlice 300000 -selectorName Top_CLIENTS

add responder policy res_pol_DDOS "SYS.CHECK_LIMIT(\"limit_IP\")" DROP -logAction log_limit


This would allow 3 DTLS connections in 5 minutes.


ATTENTION: I haven't tried this. Probably this will mess up all DTLS connections, as it would count every UDP packet as a separate connection. I currently can't test, so you would need to give it a try.


Greetings from sunny (however, chilly) Austria


Johannes Norz

CTA, CCE-N, CCI

https://blog.norz.at

https://wonderkitchen.tech
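The rate-limiting idea above, modelled in Python so the caveat in the post can be checked offline. This is an added example, not code from the thread or from Citrix: it assumes the limit identifier behaves as a fixed window (at most `threshold` hits per client IP within each `timeSlice` of 300000 ms) and it counts whatever records it is fed, since whether the appliance counts DTLS packets or sessions is exactly the open question. The sample traffic (one legitimate client, one flooding source) is constructed.

```python
"""Fixed-window model of a per-client-IP limit identifier.

Added example, not NetScaler code. It mimics the semantics suggested by
`-threshold 5 -timeSlice 300000 -selectorName Top_CLIENTS` under the
assumption that the limiter is a fixed window keyed on CLIENT.IP.SRC.
"""
from collections import defaultdict


class LimitIdentifier:
    """Allow at most `threshold` hits per key within each `time_slice_ms` window."""

    def __init__(self, threshold, time_slice_ms):
        self.threshold = threshold
        self.time_slice_ms = time_slice_ms
        self._windows = {}  # key -> (window_start_ms, hit_count)

    def check(self, key, now_ms):
        """Return True if this hit is within the limit, False if it should be dropped."""
        start, count = self._windows.get(key, (now_ms, 0))
        if now_ms - start >= self.time_slice_ms:
            start, count = now_ms, 0  # window expired: start a fresh one
        count += 1
        self._windows[key] = (start, count)
        return count <= self.threshold


def apply_policy(packets, threshold=5, time_slice_ms=300_000):
    """Run the limiter over (timestamp_ms, src_ip) records.

    Each record is treated as one hit, i.e. the pessimistic case where every
    UDP datagram counts as a connection. Returns per-IP allowed/dropped counts.
    """
    limiter = LimitIdentifier(threshold, time_slice_ms)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, src in packets:
        verdict = "allowed" if limiter.check(src, ts) else "dropped"
        stats[src][verdict] += 1
    return dict(stats)


# Constructed sample traffic within one minute:
#  - a legitimate DTLS client exchanging 20 datagrams (one every 3 s)
#  - a flooding source sending 1000 datagrams (one every 60 ms)
LEGIT = [(i * 3000, "203.0.113.10") for i in range(20)]
FLOOD = [(i * 60, "198.51.100.77") for i in range(1000)]
SAMPLE = sorted(LEGIT + FLOOD)

if __name__ == "__main__":
    for ip, counts in apply_policy(SAMPLE).items():
        print(ip, counts)
```

Run as-is, the flooding source is cut off after 5 datagrams, but so is the legitimate client: with per-datagram counting, 15 of its 20 packets are dropped inside the 5-minute window, which is the side effect the post warns about. Raising the threshold or keying on something coarser than individual datagrams is what would have to change before a rule like this is safe for real DTLS users.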


  • 2 weeks later...

I just today updated my testing environment Netscaler to the latest version 13 build (13.0-71.44), enabled the "HelloVerifyRequest" setting on the only DTLS policy on the Netscaler (the default policy) as per the instructions in CTX289674, re-enabled DTLS on the vserver, and finished up by re-enabling a rule on my firewall to allow UDP 443 through. Almost immediately I saw a spike in traffic as I saw hits from foreign IP addresses again. So, unless another reboot of the Netscaler is required to make the new setting effective, it did not appear to work for me.
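For readers wondering what the HelloVerifyRequest setting is supposed to change, here is a Python model of the DTLS cookie exchange (RFC 6347, section 4.2.1). It is an added example, not code from the thread or from Citrix ADC, and all message sizes are constructed round numbers: a server that answers a cookie-less ClientHello with a small, stateless HelloVerifyRequest sends back fewer bytes than it received, so it cannot be used to amplify traffic toward a spoofed source, and a spoofed source never learns the cookie it would need to trigger the large ServerHello/Certificate flight. The model does nothing about the bytes arriving at the appliance, which is the distinction drawn later in the thread.

```python
"""Model of the DTLS HelloVerifyRequest cookie exchange (RFC 6347 sec. 4.2.1).

Added example, not Citrix ADC code. Sizes are constructed and only need to be
plausible relative to each other.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed on-the-wire sizes in bytes (13-byte DTLS record header included).
CLIENT_HELLO_LEN = 120          # minimal ClientHello with a few cipher suites
HELLO_VERIFY_REQUEST_LEN = 60   # record hdr + handshake hdr + version + 32-byte cookie
SERVER_FLIGHT_LEN = 3500        # ServerHello + Certificate chain + ServerKeyExchange + Done

SERVER_SECRET = os.urandom(32)  # a real server rotates this periodically


@dataclass
class ClientHello:
    src_ip: str            # source address as seen by the server (may be spoofed)
    client_random: bytes
    cookie: bytes = b""

    def wire_len(self):
        return CLIENT_HELLO_LEN + len(self.cookie)


def make_cookie(src_ip, client_random):
    """Stateless cookie: HMAC over the claimed source and the ClientHello parameters."""
    return hmac.new(SERVER_SECRET, src_ip.encode() + client_random, hashlib.sha256).digest()


def server_handle(hello, hello_verify_request=True):
    """Return (message sent toward hello.src_ip, its length in bytes)."""
    if not hello_verify_request:
        # Weak setting: commit to a full handshake flight for any ClientHello.
        return ("ServerHello+Certificate", SERVER_FLIGHT_LEN)
    if not hello.cookie:
        # Hardened: answer statelessly with a small HelloVerifyRequest carrying the cookie.
        return ("HelloVerifyRequest", HELLO_VERIFY_REQUEST_LEN)
    expected = make_cookie(hello.src_ip, hello.client_random)
    if not hmac.compare_digest(hello.cookie, expected):
        return ("drop", 0)  # cookie not issued for this source/random: silently discard
    return ("ServerHello+Certificate", SERVER_FLIGHT_LEN)


def amplification_factor(hello, hello_verify_request=True):
    """Bytes the server sends toward hello.src_ip per byte it received."""
    _, sent = server_handle(hello, hello_verify_request)
    return sent / hello.wire_len()


def legitimate_handshake(src_ip):
    """A genuine client receives the HelloVerifyRequest and retries with the cookie."""
    rnd = os.urandom(32)
    first, _ = server_handle(ClientHello(src_ip, rnd))
    cookie = make_cookie(src_ip, rnd)  # what the client reads out of the HelloVerifyRequest
    second, _ = server_handle(ClientHello(src_ip, rnd, cookie))
    return first, second


def spoofed_attempt(victim_ip):
    """A sender spoofing victim_ip never sees the HelloVerifyRequest, so it cannot present the cookie."""
    rnd = os.urandom(32)
    factor = amplification_factor(ClientHello(victim_ip, rnd))
    forged, _ = server_handle(ClientHello(victim_ip, rnd, os.urandom(32)))
    return factor, forged


if __name__ == "__main__":
    probe = ClientHello("203.0.113.5", os.urandom(32))
    print("amplification without HelloVerifyRequest:", amplification_factor(probe, False))
    print("amplification with HelloVerifyRequest:   ", amplification_factor(probe))
    print("legitimate client:", legitimate_handshake("203.0.113.5"))
    print("spoofed source:   ", spoofed_attempt("203.0.113.5"))
```

With the weak setting the server returns roughly 29 bytes per byte received; with the cookie exchange it returns 0.5. What the model makes explicit is that the setting only changes what the appliance sends back and how much state it commits: the inbound flood on UDP 443 still has to be absorbed by the link and the appliance, so a login page can still be unreachable even when the amplification itself is gone.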


10 hours ago, Lindsay Paoli said:

I just today updated my testing environment Netscaler to the latest version 13 build (13.0-71.44), enabled the "HelloVerifyRequest" setting on the only DTLS policy on the Netscaler (the default policy) as per the instructions in CTX289674, re-enabled DTLS on the vserver, and finished up by re-enabling a rule on my firewall to allow UDP 443 through. Almost immediately I saw a spike in traffic as I saw hits from foreign IP addresses again. So, unless another reboot of the Netscaler is required to make the new setting effective, it did not appear to work for me.

 

Hm. Well. How could a policy on Citrix ADC keep traffic from flowing in? Isn't the traffic coming from somewhere else? How could Citrix have any influence on something going on somewhere else?

The only thing Citrix can do is mitigate the effect this traffic has on Citrix ADC. So the question is not whether traffic spikes up as soon as an attacker finds UDP port 443 open, but whether Citrix ADC reacts in a proper manner.

 

Just my 2 cents on this

 

Johannes


7 hours ago, Johannes Norz said:

 

Hm. Well. How could a policy on Citrix ADC keep traffic from flowing in? Isn't the traffic coming from somewhere else? How could Citrix have any influence on something going on somewhere else?

The only thing Citrix can do is mitigate the effect this traffic has on Citrix ADC. So the question is not whether traffic spikes up as soon as an attacker finds UDP port 443 open, but whether Citrix ADC reacts in a proper manner.

 

Just my 2 cents on this

 

Johannes

 

Correct. Clearly, after opening UDP 443 on the firewall again and allowing it to flow to the vserver in our DMZ, the vserver on the Citrix ADC was still not handling the excessive traffic properly, despite the new firmware version and enabling HelloVerifyRequest on the DTLS policy as directed in the support article. The net result was that the login page was immediately down from external locations due to the flood of incoming data. As soon as I cut off UDP 443 on the firewall a second time, the login page came right back up.
