Do you remember December 2019? Or even early January 2020? That CVE-2019-19781 vulnerability, later known as “Shitrix”? Pretty sure you do. Well, since Dec 19th we have been seeing massive DTLS DDoS attacks against Citrix ADC / Gateway vServers exposed to the Internet. Read on and learn what you should do NOW.
Some Citrix / network admins reported licence overcommitment on their ADC instances; others saw (and still see) massive numbers of half-open 443/udp sessions on their firewalls. We have no information about a specific CVE or similar yet, but for the moment, please DROP all 443/udp traffic hitting the external ADC / Gateway vServer IP addresses if you use 443/udp (EDT over DTLS) access to your Citrix / RDS environment. To be clear: environments where EDT / DTLS is not used, and internal ADC load balancers, are not affected by the attacks.
When it comes to ADC configuration, you can configure DDoS protection in the DTLS default profile. With HelloVerifyRequest enabled, the ADC answers an initial ClientHello with a small stateless cookie challenge instead of its full ServerHello flight, so a datagram with a spoofed source address gets only a few bytes back and no session state is allocated until the cookie is echoed. Use the following command here (for details see the Citrix Developer Docs):
set ssl dtlsProfile nsdtls_default_profile -helloVerifyRequest ENABLED
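To see why that one setting matters, here is an added simulation of the DTLS cookie exchange from RFC 6347 section 4.2.1. It is example code written for this post, not Citrix ADC code and not the post author's; the packet sizes (a ~120-byte ClientHello, a ~2800-byte server first flight, a 60-byte HelloVerifyRequest) and the IP addresses are constructed assumptions, and the cookie construction is the RFC's suggested HMAC, not necessarily what the ADC uses. It compares what a spoofed source receives per byte the attacker sends with helloVerifyRequest DISABLED versus ENABLED, and checks that a genuine client still completes the exchange (with one extra round trip).

```python
import hashlib
import hmac
import os

# Constructed packet sizes for the simulation (assumptions, not measured values).
# A real server first flight (ServerHello + Certificate chain + ServerKeyExchange
# + ServerHelloDone) varies with the certificate chain.
CLIENT_HELLO_LEN = 120
SERVER_FLIGHT_LEN = 2800
COOKIE_LEN = 32
# DTLS record header (13) + handshake header (12) + server_version (2)
# + cookie_length (1) + cookie: the size of a HelloVerifyRequest.
HELLO_VERIFY_LEN = 13 + 12 + 2 + 1 + COOKIE_LEN


def make_cookie(secret: bytes, client_addr: str, client_hello: bytes) -> bytes:
    """Stateless cookie as suggested in RFC 6347 4.2.1: an HMAC over the
    claimed client address and the ClientHello, so the server keeps no state."""
    mac = hmac.new(secret, client_addr.encode() + client_hello, hashlib.sha256)
    return mac.digest()[:COOKIE_LEN]


def handle_client_hello(secret, src_addr, client_hello, cookie, hello_verify_enabled):
    """Return (message_kind, bytes_sent_to_src_addr) for one ClientHello.

    With HelloVerifyRequest disabled the server answers every ClientHello with
    its full first flight, to whatever source address the datagram claims.
    With it enabled, a ClientHello without a valid cookie only gets a small
    HelloVerifyRequest back."""
    if hello_verify_enabled:
        expected = make_cookie(secret, src_addr, client_hello)
        # compare_digest returns False for a missing, short or forged cookie
        if not hmac.compare_digest(cookie, expected):
            return "HelloVerifyRequest", HELLO_VERIFY_LEN
    return "ServerHelloFlight", SERVER_FLIGHT_LEN


def spoofed_amplification(secret, hello_verify_enabled):
    """Attacker sends one ClientHello with the victim's address as source.
    Returns bytes the victim receives per byte the attacker sent."""
    victim = "203.0.113.9"  # constructed documentation address
    hello = os.urandom(CLIENT_HELLO_LEN)
    # The attacker never sees the reply, so it cannot present a valid cookie.
    _, reply_len = handle_client_hello(secret, victim, hello, b"", hello_verify_enabled)
    return reply_len / CLIENT_HELLO_LEN


def legitimate_handshake(secret, hello_verify_enabled):
    """A real client at its own address receives the HelloVerifyRequest,
    echoes the cookie and then gets the full server flight.
    Returns (final message kind, number of round trips)."""
    client = "198.51.100.7"  # constructed documentation address
    hello = os.urandom(CLIENT_HELLO_LEN)
    kind, _ = handle_client_hello(secret, client, hello, b"", hello_verify_enabled)
    round_trips = 1
    if kind == "HelloVerifyRequest":
        cookie = make_cookie(secret, client, hello)  # the client just echoes it
        kind, _ = handle_client_hello(secret, client, hello, cookie, hello_verify_enabled)
        round_trips += 1
    return kind, round_trips


if __name__ == "__main__":
    secret = os.urandom(32)
    for enabled in (False, True):
        state = "ENABLED" if enabled else "DISABLED"
        print(f"helloVerifyRequest {state}: "
              f"{spoofed_amplification(secret, enabled):.2f}x toward a spoofed source, "
              f"legitimate client -> {legitimate_handshake(secret, enabled)}")
```

With the setting disabled the spoofed victim receives roughly 23 bytes for every byte the attacker sends; with it enabled the reply is smaller than the request, and a real client pays one extra round trip. The cookie check also explains why dropping 443/udp at the firewall is the blunter but equally effective option: either way, the ADC never emits its large flight to an unverified address.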
Another way to mitigate the attacks is to disable DTLS in the Gateway vServer properties. On ADC 13.0 builds, disable the dedicated DTLS vServer entirely. In both cases the client falls back to HTTPS over TCP (443/tcp), so sessions keep working without EDT’s UDP transport, and you’re fine.
Update: on Dec 23, Citrix released CTX289674.