This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sigbjorn
Advisor
Advisor
‎2021-01-08 05:17 AM

DTLS Amplification DDoS Attack on Citrix ADC and Citrix Gateway

Hi,

I'm sure you're all aware of this attack by now, more details can be found on Citrix webpage: https://support.citrix.com/article/CTX289674

 

We have upgraded our environments and enabled "Hello Verify Request", but even so, there amount of actors attempting to abuse this is filling our connection tables and causing issues for our legitime traffic.

Disabling DTLS altogther seems like the best solution so far, as they give up faster, but we still see connection spikes from time to time and would like to know how we can handle it better.

Are there any IPS signatures, or other ways to throttle the udp/443 traffic from the threat actors abusing this?

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2021-01-11 06:17 PM

You can definitely rate limit these inbound connections using fw samp/sam erdos or similar.
Other than that, I'm not aware of a specific action you can take here.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2021-01-12 01:04 AM

Geo policy/blocking might also help depending on the specific origins of what you're seeing.

 

 

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events