https://community.checkpoint.com/t5/Firewall-and-Security-Management/DTLS-Amplification-DDoS-Attack-on-Citrix-ADC-and-Citrix-Gateway/m-p/107574#M56216 <P>Geo policy/blocking might also help depending on the specific origins of what you're seeing.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 12 Jan 2021 09:04:27 GMT Chris_Atkinson 2021-01-12T09:04:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DTLS-Amplification-DDoS-Attack-on-Citrix-ADC-and-Citrix-Gateway/m-p/107295#M56214 <P>Hi,</P> <P>I'm sure you're all aware of this attack by now, more details can be found on Citrix webpage: <A href="https://support.citrix.com/article/CTX289674" target="_blank">https://support.citrix.com/article/CTX289674</A></P> <P>&nbsp;</P> <P>We have upgraded our environments and enabled "Hello Verify Request", but even so, there amount of actors attempting to abuse this is filling our connection tables and causing issues for our legitime traffic.</P> <P>Disabling DTLS altogther seems like the best solution so far, as they give up faster, but we still see connection spikes from time to time and would like to know how we can handle it better.</P> <P>Are there any IPS signatures, or other ways to throttle the udp/443 traffic from the threat actors abusing this?</P> Fri, 08 Jan 2021 13:17:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DTLS-Amplification-DDoS-Attack-on-Citrix-ADC-and-Citrix-Gateway/m-p/107295#M56214 Sigbjorn 2021-01-08T13:17:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DTLS-Amplification-DDoS-Attack-on-Citrix-ADC-and-Citrix-Gateway/m-p/107556#M56215 <P>You can definitely rate limit these inbound connections using fw samp/sam erdos or similar.<BR />Other than that, I'm not aware of a specific action you can take here.</P> Tue, 12 Jan 2021 02:17:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DTLS-Amplification-DDoS-Attack-on-Citrix-ADC-and-Citrix-Gateway/m-p/107556#M56215 PhoneBoy 2021-01-12T02:17:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DTLS-Amplification-DDoS-Attack-on-Citrix-ADC-and-Citrix-Gateway/m-p/107574#M56216 <P>Geo policy/blocking might also help depending on the specific origins of what you're seeing.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 12 Jan 2021 09:04:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DTLS-Amplification-DDoS-Attack-on-Citrix-ADC-and-Citrix-Gateway/m-p/107574#M56216 Chris_Atkinson 2021-01-12T09:04:27Z