Operators of DDoS-for-hire services are now taking advantage of misconfigured or outdated Datagram Transport Layer Security (D/TLS) servers to amplify Distributed Denial of Service (DDoS) attacks.
DTLS is a protocol used to secure datagram-based communications. It's based on the stream-focused Transport Layer Security (TLS), providing a similar level of security. DTLS was developed to allow the transmission of encrypted data not only via secured, connection-oriented transport protocols such as TCP, but also via the connectionless UDP.
“It turns out to be a disadvantage that DTLS, like all UDP-based protocols, can be spoofed and that the reply packages can be significantly larger than the requests,” security researchers from German DDoS protection vendor Link11 explained.
According to Link11, DDoS attacks using DTLS can reach an amplification factor of 35; DDoS mitigation company Netscout puts the amplification ratio at 37.34:1.
“In comparison, the amplification factor for DNS amplification is between 28 and 54, and for amplification vector WS Discovery between 10 and 500,” Link11 said.
Reports of DDoS attacks using DTLS to amplify traffic from vulnerable Citrix Application Delivery Controller (ADC) systems with Enlightened Data Transport (EDT) enabled have been surfacing since December 2020.
In January 2021, the vendor released a fix that adds a 'HelloVerifyRequest' setting to remove the attack vector. Even two months later, however, nearly 4,283 D/TLS servers can still be abused for such DDoS attacks.
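Why a HelloVerifyRequest setting removes the amplification: in DTLS (RFC 6347) the server can answer an uncookied ClientHello with a small, stateless HelloVerifyRequest instead of its full ServerHello/Certificate flight, and a spoofed source never sees that reply, so it can never return the cookie. The following toy model is added here for illustration and is not code from the article or from Citrix; the byte sizes are constructed (chosen so the unprotected case yields roughly the 37:1 ratio quoted above), not measured values.

```python
import hmac
import hashlib
import os

# Constructed message sizes in bytes, not measurements of any real deployment.
CLIENT_HELLO_LEN = 200          # initial ClientHello without a cookie
HELLO_VERIFY_LEN = 60           # HelloVerifyRequest: tiny and stateless
SERVER_FLIGHT_LEN = 200 * 37    # ServerHello..ServerHelloDone incl. certificate chain


class DtlsServer:
    """Models a DTLS server's reply to a ClientHello.

    With require_cookie=True the server behaves as RFC 6347 describes: a ClientHello
    that carries no valid cookie is answered only with a HelloVerifyRequest. The cookie
    is an HMAC over the claimed client address, so the server keeps no per-client state.
    (A real implementation also binds the cookie to ClientHello fields and rotates the key.)
    """

    def __init__(self, require_cookie):
        self.require_cookie = require_cookie
        self.secret = os.urandom(32)        # server-local cookie key

    def make_cookie(self, addr):
        return hmac.new(self.secret, addr.encode(), hashlib.sha256).digest()[:16]

    def handle_client_hello(self, src_addr, cookie=b""):
        """Return (reply_name, reply_len) for a ClientHello claiming source src_addr."""
        if self.require_cookie and not hmac.compare_digest(cookie, self.make_cookie(src_addr)):
            return "HelloVerifyRequest", HELLO_VERIFY_LEN
        return "ServerHello+Certificate+...", SERVER_FLIGHT_LEN


def spoofed_hello_amplification(server, victim_addr="198.51.100.7"):
    """Bytes delivered to the spoofed (victim) address per byte of ClientHello.

    The sender of a spoofed ClientHello never receives the HelloVerifyRequest, so it
    can only ever replay cookie-less hellos. victim_addr is a constructed example.
    """
    _, reply_len = server.handle_client_hello(victim_addr)
    return reply_len / CLIENT_HELLO_LEN


def legitimate_handshake_reply(server, addr="192.0.2.10"):
    """A real client does get the HelloVerifyRequest, echoes the cookie, and receives
    the full server flight on its second ClientHello (addr is a constructed example)."""
    _, first_len = server.handle_client_hello(addr)
    name, second_len = server.handle_client_hello(addr, server.make_cookie(addr))
    return name, first_len, second_len
```

Run with `require_cookie=False` the model reflects the whole server flight to the spoofed address; with `require_cookie=True` the reply is smaller than the request, so the reflector stops being useful for amplification while legitimate clients still complete the handshake on their second ClientHello.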
“The maximum observed single-vector D/TLS reflection/amplification DDoS attack size to date is ~44.6 Gbps. It has been utilized in multivector reflection/amplification DDoS attacks of up to ~206.9 Gbps in size,” Netscout said.
“The collateral impact of D/TLS reflection/amplification attacks is potentially quite high for organizations with D/TLS servers and/or load-balancers that are used as reflectors/amplifiers. This may include partial or full interruption of mission-critical remote-access services, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of stateful firewalls, load-balancers, etc. … Wholesale filtering of UDP/443-sourced traffic by network operators may potentially overblock legitimate internet traffic, including legitimate D/TLS and QUIC, which also makes use of UDP/443 server responses.”