DTLS Servers Actively Abused by DDoS booters to Amplify DDoS Attacks
DDoS-for-hire services now actively exploit misconfigured or out-of-date DTLS servers.
In December 2020, Citrix issued an emergency advisory warning its customers of a security issue affecting its NetScaler ADC (Application Delivery Controller) devices, which attackers were abusing to launch amplified DDoS (Distributed Denial-of-Service) attacks against several targets.
The victims of these Citrix-based DDoS attacks have mostly included online gaming services, such as Steam and Xbox. You can read more about it here.
It seems a worldwide UDP:443 (EDT) DDOS attack against #NetScaler #gateway is active since last night. I found these source IP addresses of the attackers in my nstraces:
— Daniel Weppeler (@_DanielWep) December 21, 2020
Datagram Transport Layer Security (DTLS) is a UDP-based version of the Transport Layer Security (TLS) protocol. It provides security for datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery.
What is a Distributed Denial of Service Attack (DDoS)?
According to our glossary, a Distributed Denial of Service Attack (DDoS) is a type of online attack used to prevent normal users from accessing an online location. In this case, a cybercriminal prevents legitimate users from accessing a website by targeting its network resources and flooding it with a huge number of requests.
DDoS-for-hire platforms, also known as stressers or booters, offer malicious actors the ability to anonymously attack any Internet-connected target. These services now also use DTLS as an amplification vector, which puts it in the hands of less sophisticated attackers.
Threat actors, pranksters, or hacktivists without the time or skills to build their own DDoS infrastructure frequently use booter services, renting them to cause various levels of disruption or to launch DDoS attacks that commonly bring down the targeted servers.
“As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, D/TLS reflection/amplification has been weaponized and added to the arsenals of so-called ‘booter/stresser’ DDoS-for-hire services, placing it within the reach of the general attacker population”
DDoS attacks using DTLS can reach an amplification factor of 35 according to German DDoS protection vendor Link11, or an amplification ratio of 37.34:1 according to DDoS mitigation firm Netscout.
In January, Citrix released a feature enhancement to remove the amplification vector on NetScaler ADC devices with the Enlightened Data Transport UDP Protocol (EDT) enabled.
This DTLS enhancement adds a “HelloVerifyRequest” setting that addresses the susceptibility to this attack vector and blocks attempts by attackers to abuse these devices in future DDoS attacks.
“More than 4,200 DTLS servers are still reachable over the Internet and ripe for abuse in reflection/amplification DDoS attacks”, Netscout stated two months later.
Netscout has observed single-vector DTLS amplification DDoS attacks up to roughly 44.6 Gbps and multi-vector attacks of up to ~206.9 Gbps.
To reduce these attacks, admins can either disable unnecessary DTLS services on Internet-exposed servers or patch and configure them to use the HelloVerifyRequest anti-spoofing mechanism, which removes the DTLS amplification vector.
You can also learn what actions you need to take while you’re experiencing a DDoS Attack and how to detect one here.