top of page

Citrix devices are being abused as DDoS attack vectors

Updated: Mar 11

Citrix devices are being exploited as potent vectors for launching Distributed Denial of Service (DDoS) attacks, raising concerns among IT security professionals and administrators. The vulnerability lies in the Datagram Transport Layer Security (DTLS) interface present in Citrix Application Delivery Controller (ADC) devices, which attackers have leveraged to amplify junk web traffic and orchestrate large-scale DDoS attacks.

Citrix has acknowledged a critical vulnerability in its ADC networking equipment that threat actors have exploited to launch Distributed Denial of Service (DDoS) attacks. The flaw revolves around the Datagram Transport Layer Security (DTLS) interface present in Citrix ADC devices. Unlike the Transmission Control Protocol (TCP), DTLS operates on the User Datagram Protocol (UDP), making it susceptible to spoofing and exploitation.

What sets this particular vulnerability apart is its unprecedented amplification factor. While typical DTLS-based DDoS attacks exhibit amplification factors of around 4 or 5, Hofmann's findings revealed a staggering factor of 35 on Citrix ADC devices. This makes them one of the most potent DDoS amplification vectors known to date.

Citrix has confirmed the issue and pledged to address it with a fix expected after the winter holidays, around mid-January 2020. The company emphasized that the DDoS attacks leveraging this vulnerability have affected only a small number of customers globally. However, the impact extends beyond security concerns, posing risks to IT administrators in terms of costs and uptime.

As a temporary mitigation measure, Citrix recommends disabling the DTLS interface on ADC devices if not in use. Alternatively, for organizations requiring DTLS functionality, enforcing authentication for incoming DTLS connections is advised, albeit at the potential expense of device performance. Until the permanent fix is released, these temporary measures can help mitigate the risk posed by the vulnerability in Citrix ADC devices.

Recent Posts

See All


bottom of page