Security News > 2021 > March > DDoS booters now abuse DTLS servers to amplify attacks

DDoS-for-hire services are now actively abusing misconfigured or out-of-date Datagram Transport Layer Security servers to amplify Distributed Denial of Service attacks.

According to reports that surfaced in December, a DDOS attack used DTLS to amplify traffic from vulnerable Citrix ADC devices that used DTLS configurations without a 'HelloClientVerify' anti-spoofing mechanism designed to block such abuse.

DDoS attacks using DTLS can reach an amplification factor of 35 according to German DDoS protection vendor Link11 or an amplification ratio of 37.34:1 based on info from DDoS mitigation firm Netscout.

Two months later, Netscout said that more than 4,200 DTLS servers are still reachable over the Internet and ripe for abuse in reflection/amplification DDoS attacks.

Netscout has observed single-vector DTLS amplification DDoS attacks up to roughly 44.6 Gbps and multi-vector attacks of up to ~206.9 Gbps. Adopted by DDoS booter services.

To mitigate such attacks, admins can either disable unnecessary DTLS services on Internet-exposed servers or to patch/configure them to use the HelloVerifyRequest anti-spoofing mechanism to remove the DTLS amplification vector.

News URL

https://www.bleepingcomputer.com/news/security/ddos-booters-now-abuse-dtls-servers-to-amplify-attacks/