Cyber Incident Victim: Citrix Systems
Date: Dec 2020
Location: United States of America
Summary
Citrix confirmed a DDoS attack exploiting DTLS amplification against NetScaler ADCs with EDT enabled, causing potential bandwidth exhaustion particularly on limited-bandwidth connections. The company stated the incident affected a small number of customers and involved overwhelming ADC DTLS throughput without exploiting vulnerabilities. A feature enhancement to eliminate the susceptibility is under development, while temporary mitigation involves disabling DTLS, which may degrade performance for real-time applications relying on the protocol.
Description
On December 24, 2020, Citrix publicly confirmed an ongoing distributed denial-of-service (DDoS) attack pattern targeting its NetScaler Application Delivery Controller (ADC) appliances with Enlightened Data Transport (EDT) enabled. The attack used the Datagram Transport Layer Security (DTLS) protocol as an amplification vector, abusing the DTLS listener on UDP port 443 to overwhelm network throughput. Initial customer reports of anomalous traffic targeting Citrix Gateway devices began emerging on December 21, 2020, with affected parties observing sustained attack patterns designed to exhaust outbound bandwidth capacity. DTLS, adapted from TLS to secure delay-sensitive applications, became the primary attack mechanism because of its datagram-based design. Analysis indicated that the impact fell disproportionately on environments with constrained bandwidth connections, though Citrix characterized the incident's scope as limited to a small subset of customers. Security researchers and administrators publicly shared attacker IP addresses observed in network traces, including the ranges 45.200.42.0/24 and 220.167.109.0/24 and specific addresses such as 45.248.9.195 and 206.71.159.131. Citrix's threat advisory explicitly stated that no evidence indicated exploitation of software vulnerabilities in Citrix products, distinguishing the incident from vulnerability-based attacks.

Citrix immediately recommended a temporary mitigation: disabling DTLS functionality via the command-line interface ("set vpn vserver -dtls OFF"), while acknowledging potential performance degradation for real-time applications that depend on DTLS encryption. The company clarified that environments not using DTLS would experience no adverse effects from this mitigation. For organizations requiring continued DTLS operation, Citrix directed customers to contact technical support for assistance. Concurrently, Citrix engineers developed a permanent feature enhancement to eliminate the DTLS susceptibility, with plans to release updated firmware for all supported ADC versions by January 12, 2021. The security response team committed to publishing additional advisories if subsequent investigation revealed underlying product vulnerabilities contributing to DDoS susceptibility. Network telemetry from affected customers showed that the global attack pattern persisted for multiple days, though Citrix's containment guidance and planned engineering resolution aimed to neutralize the threat vector within three weeks of initial detection.
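As an added example (not code from Citrix or from this record), the following Python flags the traffic shape the description attributes to DTLS amplification: remote peers on UDP/443 that send the ADC very little and receive a great deal back, which is how the attack exhausts outbound bandwidth. The flow-record layout, sample addresses (RFC 5737 documentation ranges) and thresholds are constructed assumptions, not values from the advisory.

```python
"""Spot DTLS amplification in flow records: small inbound UDP/443 datagrams that
draw much larger outbound responses from the ADC (constructed data, added example)."""
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# One record per flow, as a flow collector in front of the ADC might export it:
# (remote_ip, local_port, protocol, bytes_in_from_remote, bytes_out_to_remote).
# Constructed sample data using RFC 5737 documentation addresses, not real indicators.
SAMPLE_FLOWS = [
    ("198.51.100.7", 443, "udp", 160, 4200),   # tiny request, large reply
    ("198.51.100.7", 443, "udp", 150, 4100),
    ("203.0.113.9",  443, "udp", 180, 4300),
    ("192.0.2.20",   443, "udp", 9000, 9500),  # established EDT session: balanced
    ("192.0.2.21",   443, "tcp", 500, 20000),  # HTTPS download, not DTLS
    ("192.0.2.22",   4172, "udp", 120, 3000),  # other UDP service, out of scope
]

Flow = Tuple[str, int, str, int, int]

def aggregate_dtls(flows: Iterable[Flow]) -> Dict[str, Tuple[int, int]]:
    """Sum inbound/outbound bytes per remote peer for UDP/443 (DTLS) only."""
    totals: Dict[str, list] = defaultdict(lambda: [0, 0])
    for remote_ip, local_port, proto, bytes_in, bytes_out in flows:
        if proto.lower() == "udp" and local_port == 443:
            totals[remote_ip][0] += bytes_in
            totals[remote_ip][1] += bytes_out
    return {ip: (i, o) for ip, (i, o) in totals.items()}

def find_amplification(flows, min_ratio=10.0, min_out_bytes=4096):
    """Return {remote_ip: (bytes_in, bytes_out, ratio)} for peers whose outbound
    bytes exceed inbound by min_ratio. A legitimate EDT session carries comparable
    volume in both directions; a peer being used as an amplification target does
    not. The outbound-byte floor keeps a single handshake retry from being flagged."""
    flagged = {}
    for ip, (bytes_in, bytes_out) in aggregate_dtls(flows).items():
        ratio = bytes_out / max(bytes_in, 1)
        if bytes_out >= min_out_bytes and ratio >= min_ratio:
            flagged[ip] = (bytes_in, bytes_out, round(ratio, 1))
    return flagged

def amplified_egress_bytes(flows) -> int:
    """Outbound bytes attributable to flagged peers: the bandwidth the attack consumes."""
    return sum(o for _, o, _ in find_amplification(flows).values())

if __name__ == "__main__":
    for ip, (i, o, r) in sorted(find_amplification(SAMPLE_FLOWS).items()):
        print(f"{ip:16} in={i:6d} out={o:6d} ratio={r}")
    print("amplified egress bytes:", amplified_egress_bytes(SAMPLE_FLOWS))
```

Feeding the same function a window of real flow exports gives a per-peer view of how much egress the DTLS listener is burning, which is the figure to compare against link capacity before deciding whether to apply the DTLS-off mitigation.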
