Citrix has release updated info regarding the DTLS amplification / DDoS issue. Specifically, they released updated Citrix ADC builds for versions 13.0, 12.1, and 11.1 as described here:
Threat Advisory – DTLS Amplification Distributed Denial of Service Attack on Citrix ADC and Citrix Gateway
We’re currently tracking a potentially ongoing worldwide Distributed Denial-of-Service (“DDoS”) attack on UDP port 443 against Citrix Gateway that started on or around December 19. Citrix Gateway utilizes UDP for Enlightened Data Transport (“EDT”) which can provide a better experience over low bandwidth / high latency connections than TCP. EDT is typically set to preferred by default, meaning that if UDP is supported end-to-end between Workspace App on the client side and a VDA on the corporate network then it will be used, else the connection will seamlessly use TCP instead. With that in mind, there are two suggested workarounds to address this issue while a permanent fix from Citrix is pending:
- Block UDP 443 at the firewall so that it does not get through to the Citrix Gateway vServer on a Citrix ADC.
- Disable DTLS on the Citrix Gateway vServer.
The result of both approaches is Citrix connections will use TCP exclusively, as UDP will fail at either the firewall or the Gateway. We’re aware of a third proposed solution involving the following command applied to the Citrix ADC:
set ssl dtlsProfile nsdtls_default_profile -helloVerifyRequest ENABLED
However, there reports of a memory leak affecting some Citrix ADC versions/builds after that command is applied, rendering them unresponsive. For that reason, we are not recommending that command unless advised to do so by Citrix technical support, until affected versions/builds are clarified.
Please contact our team if you would like assistance.