DDoS amplify attack targets Citrix Application Delivery Controllers (ADC)

Pierluigi Paganini December 25, 2020

Citrix confirmed that a DDoS attack is targeting Citrix Application Delivery Controller (ADC) networking equipment.

The threat actors are using the Datagram Transport Layer Security (DTLS) protocol as an amplification vector in attacks against Citrix appliances with EDT enabled.

The DTLS protocol is a communications protocol for securing delay-sensitive apps and services that use datagram transport.

Datagram Transport Layer Security (DTLS) is a communications protocol that provides security for datagram-based applications by allowing them to communicate in a way that is designed[1][2] to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees.

Anyone seen UDP reflect DDoS attacks on #citrix #netscaler lately??
— Marius Sandbu (@msandbu) December 20, 2020

It seems a worldwide UDP:443 (EDT) DDOS attack against #NetScaler #gateway is active since last night. I found these source IP addresses of the attackers in my nstraces:
45.200.42.0/24
220.167.109.0/24
45.248.9.195
206.71.159.131
46.229.195.108
117.27.239.154
13.69.68.47
(1/3) pic.twitter.com/AuAg72BsEY
— Daniel Weppeler #AVDPunks (@_DanielWep) December 21, 2020

Most of the victims of these attacks are in the gaming industry.

The attacks began last week, the systems administrator Marco Hofmann first detailed them.

“Since 19 December 2020 7pm CET we see a possible worldwide DDOS amplify attack against Citrix Gateway UDP:443 DTLS EDT services.” wrote Hofmann.

Hofmann determined the involvement of the DTLS protocol, which is spoofable allowing the amplification of malicious traffic of DDoS attacks.

The amplification factor DTLS-based DDoS attacks was known to be 4 or 5 times the original packet, but Hofmann discovered that the DTLS implementation on Citrix ADC devices allows attackers to achieve a 36 amplification factor.

“Citrix is aware of a DDoS attack pattern impacting Citrix ADCs. As part of this attack, an attacker or bots can overwhelm the Citrix ADC DTLS network throughput, potentially leading to outbound bandwidth exhaustion. The effect of this attack appears to be more prominent on connections with limited bandwidth.” reads the advisory published by Citrix. “At this time, the scope of attack is limited to a small number of customers around the world, and further, there are no known Citrix vulnerabilities associated with this event.”

Citrix plans to address the issue with the release of a security update in January 2020.

To mitigate these attacks admins could disable the Citrix ADC DTLS interface if not needed. In case the DTLS interface could not be disabled it is possible to force the device to authenticate incoming DTLS connections. This latter case could have an impact on the performance of the devices.

To disable DTLS on a ADC equipment admins could issue the following command from the command line interface:

set vpn vserver -dtls OFF

“Disabling the DTLS protocol may lead to limited performance degradation to real time applications using DTLS in your environment,” the company added.

“The extent of degradation depends on multiple variables. If your environment does not use DTLS, disabling the protocol temporarily will have no performance impact.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, DDoS)

[adrotate banner=”5″]

[adrotate banner=”13″]

Citrix DDoS Gaming Hacking hacking news information security news IT Information Security malware Pierluigi Paganini Security Affairs Security News

Pierluigi Paganini December 05, 2025

BRICKSTORM backdoor exposed: CISA warns of advanced China-backed intrusions

Pierluigi Paganini December 04, 2025