ZoomEye report on HTTPS DTLS protocol that is used in ddos reflection amplification attack mapping

heige
2 min readFeb 10, 2021

--

Previously, ZoomEye released a survey report on the Plex UDP port used for reflection amplification DDos attacks (https://80vul.medium.com/zoomeye-report-nearly-40-000-plex-services-around-the-world-may-be-used-for-reflective-ddos-c1257dade7df ). Baidu Labs released a report (https://paper.seebug.org/1482/ ) on the use of https DTLS protocol for reflection amplification DDos attacks on February 5, 2021.

We noticed that as early as December 2020, we have seen some reports of reflection amplification attacks based on the HTTPS DTLS protocol,and These reports are attributed to the DTLS protocol service opened by Citrix (NetScaler) Gateway:

https://www.meinekleinefarm.net/potentially-ongoing-worldwide-udp443-edt-ddos-amplify-attack-against-citrix-netscaler-gateway/

https://msandbu.org/citrix-netscaler-ddos-and-deep-dive-dtls-protocol/

Subsequently, based on the report of Baidu Security Lab, this type of attack was also captured in January 2021. As a result, the ZoomEye team started the HTTPS DTLS protocol mapping work, and the data seen so far shows that more than 5000 HTTPS services have opened the DTLS protocol UDP port and from the distribution of ZoomEye data components (applications), Citrix NetScaler can be found the most. This is also in line with the above report.

It is currently the Chinese New Year holiday. I wish you all a happy Chinese New Year!

--

--

heige
heige

No responses yet