DDoS booters now abuse DTLS servers to amplify attacks

DDoS booters now abuse DTLS servers to amplify attacks

DDoS-for-hire services are now actively abusing misconfigured or out-of-date Datagram Transport Layer Security (D/TLS) servers to amplify Distributed Denial of Service (DDoS) attacks.

DTLS is a UDP-based version of the Transport Layer Security (TLS) protocol that prevents eavesdropping and tampering in delay-sensitive apps and services.

Already abused in single and multi-vector DDoS attacks

According to reports that surfaced in December, a DDOS attack used DTLS to amplify traffic from vulnerable Citrix ADC devices that used DTLS configurations without a ‘HelloClientVerify’ anti-spoofing mechanism designed to block such abuse.

DDoS attacks using DTLS can reach an amplification factor of 35 according to German DDoS protection vendor Link11 or an amplification ratio of 37.34:1 based on info from DDoS mitigation firm Netscout.

Citrix released a fix to remove the amplification vector on affected NetScaler ADC devices in January, adding a ‘HelloVerifyRequest’ setting to remove the attack vector.

However, two months later, Netscout said that more than 4,200 DTLS servers are still reachable over the Internet and ripe for abuse in reflection/amplification DDoS attacks.

Netscout has observed single-vector DTLS amplification DDoS attacks up to roughly 44.6 Gbps and multi-vector attacks of up to ~206.9 Gbps.

Adopted by DDoS booter services

DDoS-for-hire platforms, also known as stressers or booters, are now also using DTLS as an amplification vector which puts it in the hands of less sophisticated attackers.

Booter services are used by threat actors, pranksters, or hacktivists without the time to invest or skills to build their own DDoS infrastructure.

They rent stresser services to launch DDoS attacks triggering a denial of service that commonly brings down targeted servers or sites or causes various levels of disruption.

“As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, D/TLS reflection/amplification has been weaponized and added to the arsenals of so-called ‘booter/stresser’ DDoS-for-hire services, placing it within the reach of the general attacker population,” Netscout added.

To mitigate such attacks, admins can either disable unnecessary DTLS services on Internet-exposed servers or to patch/configure them to use the HelloVerifyRequest anti-spoofing mechanism to remove the DTLS amplification vector.

DHS-CISA also provides guidance on how to detect DDoS attacks and the measures you need to take while being DDoSed.