ASERT Threat Summary

Date/Time:  16Mar2021 2200UTC
Severity:  Warning
Distribution:  TLP: WHITE 
Categories:  Availability
Contributors: Michele DiDedda, Jon Belanger, Chris Conrad.

Overview

Datagram Transport Layer Security (D/TLS) is a variant of the TLS encryption protocol implemented atop User Datagram Protocol (UDP), it is utilized to secure datagram-based applications to prevent eavesdropping, tampering, or message forgery. While an anti-spoofing mechanism was designed into D/TLS from the outset, it was described in the relevant IETF RFCs as ‘may’, rather than ‘must’ in terms of implementation requirements.  As a result, some D/TLS implementations do not leverage this anti-spoofing mechanism by default and can thereby be abused to launch D/TLS reflection/amplification DDoS attacks.

The default D/TLS configuration for some Citrix Netscaler Application Delivery Controllers (ADCs) running older software versions did not initially enable the organic D/TLS anti-spoofing mechanism by default, resulting in a population of Citrix Netscaler ADCs that could abused as D/TLS reflector/amplifiers.  It also led to the initial mischaracterization of this DDoS vector by some as Citrix-specific, while in practice there are other D/TLS implementations that, if misconfigured, could also be abused to launch D/TLS reflection/amplification attacks.  Citrix has issued patched software and publicly encouraged its customers to upgrade their Netscaler ADCs to non-abusable software versions.

Misconfigured D/TLS servers that do not implement the HelloClientVerify anti-spoofing mechanism can be abused to launch UDP reflection/amplification attacks with an amplification ratio of 37.34:1. The amplified attack traffic consists of both initial UDP fragmented packets sourced from UDP/443 and non-initial fragmented UDP packets, directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice.

The maximum observed single-vector D/TLS reflection/amplification DDoS attack size to date is ~44.6 Gbps.  It has been utilized in multivector reflection/amplification DDoS attacks of up to ~206.9 Gbps in size. As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, D/TLS reflection/amplification has been weaponized and added to the arsenals of so-called ‘booter/stresser’ DDoS-for-hire services, placing it within the reach of the general attacker population.

Approximately 4,283 abusable D/TLS servers have been identified to date.

Collateral Impact  

The collateral impact of D/TLS reflection/amplification attacks is potentially quite high for organizations with D/TLS servers and/or load-balancers that are as reflectors/amplifiers. This may include partial or full interruption of mission-critical remote-access services, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of stateful firewalls, load-balancers, etc.

Failure to upgrade or safely reconfigure abusable D/TLS servers so that they can no longer be leveraged by attackers may result in blockage of legitimate production services running on abusable D/TLS servers by network operators utilizing layer-3 or -4 mitigation techniques to defend themselves and/or their customers from D/TLS reflection/amplification DDoS attacks.

Wholesale filtering of UDP/443-sourced traffic by network operators may potentially overblock legitimate internet traffic, including legitimate D/TLS and QUIC, which also makes use of UDP/443 server responses.   

Mitigating Factors

Collateral impact to abusable D/TLS servers and/or load balancers can alert systems administrators to either disable unnecessary D/TLS services or to patch or configure them to make use of the HelloVerifyRequest anti-spoofing mechanism, thereby preventing them from being utilized in D/TLS reflection/amplification attacks.

Recommended Actions

Network operators should perform reconnaissance to identify and remediate abusable D/TLS servers on their networks and/or the networks of their downstream customers.

Network operators should implement all relevant network infrastructure, architectural, and operational Best Current Practices (BCPs).

Organizations with business-critical public-facing internet properties should implement all relevant network infrastructure, architectural, and operational BCPs, including situationally specific network access policies that only permit internet traffic via required IP protocols and ports. Internet access network traffic from internal organizational personnel should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links. 

DDoS defenses for all public-facing internet properties and supporting infrastructure should be implemented in a situationally appropriate manner, including periodic testing to ensure that any changes to organization’s servers/services/applications are incorporated into its DDoS defense plan.  On-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services in order to ensure maximal responsiveness and flexibility during an attack.

It is imperative that organizations operating mission-critical public-facing internet properties and/or infrastructure ensure that all servers/services/application/datastores/infrastructure elements are protected against DDoS attacks and are included in periodic, realistic tests of the organization’s DDoS mitigation plan.  In many instances, we have encountered situations in which obvious elements such as public-facing Web servers were adequately protected, but authoritative DNS servers, application servers, and other critical service-delivery elements were neglected, thus leaving them vulnerable to attack.

Specifics of countermeasure selection, tuning, and deployment will vary based upon the particulars of individual networks/resources.

Applicable NETSCOUT Arbor Solutions:  Arbor Sightline, Arbor TMS, Arbor AED, Arbor Cloud

References

https://tools.ietf.org/html/rfc6347 
https://support.citrix.com/article/CTX289674 

ASERT Threat Summary: Datagram Transport Layer Security (D/TLS) Reflection/Amplification DDoS Attack Mitigation Recommendations - March 2021 - v1.0.