4,200 vulnerable D/TLS servers that can be abused to amplify DDoS attacks by 37 times spotted by researchers

Citrix has updated its Netscaler ADCs and advises customers to upgrade

Researchers at DDoS mitigation provider Netscout say they have identified 4,283 publicly reachable servers that can be abused by cyber criminals to launch D/TLS reflection/amplification DDoS attacks.

A DDoS (distributed denial of service) attack is a powerful weapon available to cyber actors. Attackers target online systems or websites (server/network) by overwhelming them with massive volumes of traffic, more than they can accommodate.

The main goal behind such attacks is to create problems for the business by making their website inoperable. The disruption also causes problems for individual users who are prevented from accessing the services they require. Attackers can also use them to cover other activities, such as stealing data.

In DDoS attacks, the huge volume of traffic usually comes in the form of fake packets, requests for connections, and incoming messages.

Over the years, DDoS attacks have evolved into more destructive forms - increasingly focused on monetisation.

Researchers at web security firm Cloudflare stated in November that the number of DDoS attacks in Q3 of 2020 increased four times compared to the pre-pandemic levels in the first quarter.

Researchers at Netscout said on Tuesday that they are now observing DDoS-for-hire services adopting the Datagram Transport Layer Security (D/TLS) as a new amplification vector for DDoS attacks.

The main function of D/TLS is to protect User Datagram Protocol (UDP) data packets from eavesdropping and forgery.

According to the researchers, D/TLS abuse can allow DDoS-for-hire services to amplify their DDoS attacks by a factor of 37. Other amplification vectors identified by security experts in the past include the memcached database caching system, use of which can amplify an attack by 51,000 times, the Network Time Protocol (NTP), which can amplify the attack 58-fold, and misconfigured DNS servers with an amplification factor of 50.

The researchers say they have identified nearly 4,300 publicly accessible D/TLS servers that are vulnerable to the abuse either because of misconfigurations or due to use of obsolete software.

"The default D/TLS configuration for some Citrix Netscaler Application Delivery Controllers (ADCs) running older software versions did not initially enable the organic D/TLS anti-spoofing mechanism by default, resulting in a population of Citrix Netscaler ADCs that could be abused as D/TLS reflector/amplifiers," the researchers said.

Citrix has now updated its Netscaler ADCs and is advising customers to upgrade to a software version in which the anti-spoofing mechanism is enabled by default.

The biggest single-vector D/TLS reflection/amplification DDoS attack observed by Netscout delivered around 44.6 Gbps of traffic, but attackers have also combined D/TLS with other reflection/amplification vectors in a single attack to reach a total volume of 206.9 Gbps.

The Netscout team says that only advanced attackers with access to dedicated DDoS attack infrastructure were seen to be abusing the D/TLS vector previously, but it now appears that the so-called 'booter and stresser' DDoS-for-hire services have also adopted the technique, putting it within the reach of the general attacker population.