DTLS, like other UDP-based protocols, is susceptible to source-address spoofing, which means it can be used as a DDoS amplification vector. That is, an attacker can send small DTLS packets with a forged source address to a DTLS-enabled device, and the device returns a much larger response to the victim's address.
According to experts, this amplification vector was previously used only by advanced attackers, but abuse of DTLS has since become more accessible, and a variety of DDoS-for-hire services now offer it.
Experts estimate that DTLS can amplify an attack 37 times. The largest such attacks observed by Netscout reached approximately 45 Gbps; where attackers combined DTLS with other amplification vectors, attacks reached approximately 207 Gbps.
“Attacks consist of two or more separate vectors, organized in such a way as to hit the target with all of these vectors at the same time. Such multi-vector attacks are the online equivalent of a combined-arms attack, and their main idea is to crush the defenders, both in terms of attack power and making it as difficult as possible to mitigate it,” the experts say.
Netscout reports that over 4,300 servers on the Internet are currently vulnerable to this problem. Most often the cause is misconfiguration or outdated software in which the anti-spoofing mechanism is disabled. In particular, it was previously noted that Citrix NetScaler Application Delivery Controller devices are often vulnerable, although Citrix has already urged customers to upgrade to a newer software version in which anti-spoofing is enabled by default.
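The anti-spoofing mechanism referred to here is the DTLS cookie exchange: a server that answers an unverified ClientHello with a short HelloVerifyRequest returns roughly as many bytes as it received, while a server with that check disabled returns its full first flight to whatever address the packet claimed to come from. The Python model below is an added illustration, not code from the article or from Netscout; the message sizes, addresses and the HMAC cookie construction are constructed assumptions, with sizes chosen so the unprotected ratio matches the 37x figure above.

```python
"""Model of the DTLS HelloVerifyRequest cookie exchange (RFC 6347, section 4.2.1)
and of why disabling it turns a DTLS server into an amplifier.
All sizes and addresses below are constructed for illustration, not captured traffic."""
import hashlib
import hmac
import secrets

COOKIE_KEY = secrets.token_bytes(32)  # server-side secret; rotated periodically in practice

# Constructed ClientHello body: 200 bytes, the size of the request the server receives.
CLIENT_HELLO_BODY = b"\x00" * 200
# Constructed first server flight (ServerHello + Certificate + ServerKeyExchange +
# ServerHelloDone): 7400 bytes, chosen to give the 37x ratio quoted in the article.
FULL_SERVER_FLIGHT = b"\x01" * 7400

def make_cookie(client_addr: str, hello_body: bytes) -> bytes:
    """Stateless cookie: HMAC over the claimed source address and the ClientHello,
    so the server stores nothing and a spoofed source never learns the cookie."""
    return hmac.new(COOKIE_KEY, client_addr.encode() + hello_body, hashlib.sha256).digest()

def hello_verify_request(cookie: bytes) -> bytes:
    """HelloVerifyRequest body: DTLS 1.2 version (0xfefd), cookie length, cookie."""
    return b"\xfe\xfd" + bytes([len(cookie)]) + cookie

def naive_server(client_addr: str, hello_body: bytes, cookie: bytes) -> bytes:
    """Cookie exchange disabled: every ClientHello is answered with the full flight."""
    return FULL_SERVER_FLIGHT

def cookie_server(client_addr: str, hello_body: bytes, cookie: bytes) -> bytes:
    """Cookie exchange enabled: without a valid cookie only a HelloVerifyRequest goes back."""
    expected = make_cookie(client_addr, hello_body)
    if not hmac.compare_digest(cookie, expected):
        return hello_verify_request(expected)
    return FULL_SERVER_FLIGHT

def amplification(request: bytes, response: bytes) -> float:
    """Bytes delivered to the claimed source address per byte the server received."""
    return len(response) / len(request)

def legitimate_handshake(server, client_addr: str = "203.0.113.7:5000") -> bytes:
    """A real client receives the HelloVerifyRequest and can echo the cookie back."""
    first = server(client_addr, CLIENT_HELLO_BODY, b"")
    if first == FULL_SERVER_FLIGHT:
        return first
    return server(client_addr, CLIENT_HELLO_BODY, first[3:])  # cookie follows the 3-byte header
```

With the cookie exchange on, a packet carrying a forged source produces a 35-byte reply at that address (ratio well below 1), and a cookie minted for one address is rejected when presented from another, while a genuine client still completes the handshake.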