Tag: DTLS

Citrix ADC, DTLS DDoS

Some customers currently experience high outgoing traffic from their Citrix ADC/NetScalers. Citrix has reported more about this in their article here:

Threat Advisory – DTLS Amplification Distributed Denial of Service Attack on Citrix ADC and Citrix Gateway

The fix is to upgrade to one of these versions:

  • Citrix ADC and Citrix Gateway 13.0-71.44 and later releases
  • NetScaler ADC and NetScaler Gateway 12.1-60.19 and later releases
  • Citrix ADC 12.1-FIPS 12.1-55.210 and later releases
  • NetScaler ADC and NetScaler Gateway 11.1-65.16 and later releases

Or you can disable DTLS.

Their article describes how to disable DTLS on the Citrix Access Gateway configuration, but if you have a Content Switch in front, this will not be enough, as the client session is terminated on the Content Switch vServer.

A quick test to show that:

My Content Switch vServer configuration:

My Access Gateway vServer configuration:

When I make a Citrix Session, I get this:

As you can see this Citrix Session is using DTLS.

If you have a Content Switch in front of your Access Gateway function, you need to disable DTLS on the Content Switch configuration as well, or else you are still vulnerable to the DDoS attack. This is missing from the Citrix article.

Citrix HDX Adaptive Transport, Datagram Transport Layer Security (DTLS)

With the new release of Citrix XenDesktop/XenApp 7.16, HDX Adaptive Transport is now turned on by default.

With that turned on, clients connecting through NetScaler Gateway will try to connect using UDP 443. If the Firewall and NetScaler Gateway are not configured to communicate on UDP 443, the client will fall back to TCP 443.

I have noticed that it takes a short time (2-5 sec.) before the client does the fallback. This gives a longer logon time when users connect through NetScaler Gateway. With the right configuration, you can eliminate that extra wait time for the users.

First, enable DTLS (Datagram Transport Layer Security) on the NetScaler Gateway configuration:

After enabling DTLS, you need to rebind the Server Certificate. Do an unbind and a bind, then it will work.

Next, enable UDP 443 in the Firewall access and NAT rules. As there are many different Firewalls, I cannot tell you how to do it on your Firewall.

I found that you can use Nmap/Zenmap to test your Firewall and NetScaler Gateway configuration.

Use the following command to do the test:

nmap -sT -sU -p 443 -Pn <FQDN>

The test has to be run from an external computer, as we are testing the Firewall and NetScaler Gateway configuration.

This will test TCP 443 and UDP 443, and give this result if your Firewall and NetScaler Gateway are configured to accept TCP 443 and UDP 443:
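As an added example (not from the original post), the script below wraps the nmap command above for one or more gateway FQDNs and translates the UDP 443 state nmap reports into what the connecting client will experience. It assumes nmap is on PATH and that it is run from an external host, as the post requires; UDP scans (-sU) need root privileges.

```shell
#!/bin/sh
# Added example, not code from the original post: run the post's nmap test
# for each gateway FQDN given on the command line and interpret the result.
# Assumes nmap is installed and the script runs from outside the firewall.

# udp443_verdict: reads nmap normal output on stdin, prints one token.
udp443_verdict() {
    state=$(awk '$1 == "443/udp" { print $2 }')
    case "$state" in
        open)
            # nmap got a UDP reply: DTLS is reachable through the firewall,
            # so Adaptive Transport can connect without the fallback wait
            echo "direct" ;;
        closed)
            # ICMP port unreachable came back: UDP 443 reaches the gateway,
            # but nothing listens, so DTLS is likely not enabled on the vServer
            # (or the certificate was not rebound after enabling it)
            echo "no-dtls-listener" ;;
        *)
            # open|filtered (or no 443/udp line at all): probes are silently
            # dropped, typically by the firewall, and clients see the slow
            # fallback to TCP 443 described in the post
            echo "dropped" ;;
    esac
}

# tcp443_ok: prints yes if 443/tcp is open in the nmap output on stdin.
tcp443_ok() {
    awk '$1 == "443/tcp" && $2 == "open" { found = 1 }
         END { print (found ? "yes" : "no") }'
}

# check_gateway FQDN: run the scan once, report both ports on one line.
check_gateway() {
    fqdn=$1
    scan=$(nmap -sT -sU -p 443 -Pn "$fqdn")
    tcp=$(printf '%s\n' "$scan" | tcp443_ok)
    udp=$(printf '%s\n' "$scan" | udp443_verdict)
    printf '%s\ttcp443=%s\tudp443=%s\n' "$fqdn" "$tcp" "$udp"
}

# Usage: sudo sh check_gateway.sh gateway.example.com [more FQDNs...]
for host in "$@"; do
    check_gateway "$host"
done
```

Run it again after every firewall or vServer change; only a "direct" verdict means the UDP path is actually usable end to end.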

There are different ways to see if a user is connected using UDP 443.

NetScaler Gateway GUI:

NetScaler Gateway CLI:

XenDesktop/XenApp Director:

Server/VDI VDA:

Citrix HDX Adaptive Transport, Datagram Transport Layer Security is supported with Citrix Receiver 4.7 or newer.
