ZoomEye report on mapping the HTTPS DTLS protocol used in DDoS reflection amplification attacks

Previously, ZoomEye released a survey report on the Plex UDP port used for reflection amplification DDoS attacks (https://80vul.medium.com/zoomeye-report-nearly-40-000-plex-services-around-the-world-may-be-used-for-reflective-ddos-c1257dade7df). On February 5, 2021, Baidu Labs released a report (https://paper.seebug.org/1482/) on the use of the HTTPS DTLS protocol for reflection amplification DDoS attacks.

We noticed that as early as December 2020 there were already reports of reflection amplification attacks based on the HTTPS DTLS protocol, and these reports attributed the attacks to the DTLS service opened by Citrix (NetScaler) Gateway:

https://www.meinekleinefarm.net/potentially-ongoing-worldwide-udp443-edt-ddos-amplify-attack-against-citrix-netscaler-gateway/

https://msandbu.org/citrix-netscaler-ddos-and-deep-dive-dtls-protocol/

Subsequently, as described in the Baidu Security Lab report, this type of attack was also captured in January 2021. As a result, the ZoomEye team started mapping the HTTPS DTLS protocol. The data seen so far shows that more than 5000 HTTPS services have opened the DTLS protocol UDP port, and in the distribution of ZoomEye data components (applications), Citrix NetScaler is the most common. This is also in line with the reports above.
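The reason a DTLS endpoint on UDP/443 can act as a reflector is that a server which answers an unauthenticated ClientHello with a full ServerHello/Certificate flight returns far more bytes than it received, to whatever source address was spoofed. The mitigation in RFC 6347 (section 4.2.1) is the cookie exchange: the server first replies with a small HelloVerifyRequest, so the reply is smaller than the request and nothing is amplified. The following Python is an added example, not code from the ZoomEye report or from Citrix, that parses a server's first reply (using the DTLS record and handshake header layout from RFC 6347) and reports whether it is a cookie exchange or an amplifying flight, together with the byte ratio. Every datagram below is constructed inline; the probe size of 200 bytes for the ClientHello is an assumption for the ratio calculation.

```python
# Added example (not from the ZoomEye report): classify a DTLS server's first
# reply to a ClientHello as either a cookie exchange (HelloVerifyRequest,
# RFC 6347 section 4.2.1) or a full handshake flight that amplifies the
# request. All datagrams here are constructed samples, not captured traffic.
from typing import Dict, List, Optional

CT_HANDSHAKE = 22
HS_SERVER_HELLO = 2
HS_HELLO_VERIFY_REQUEST = 3
HS_CERTIFICATE = 11
RECORD_HEADER_LEN = 13     # type(1) version(2) epoch(2) seq(6) length(2)
HANDSHAKE_HEADER_LEN = 12  # msg_type(1) length(3) msg_seq(2) frag_off(3) frag_len(3)


def parse_records(datagram: bytes) -> List[Dict]:
    """Split one UDP datagram into DTLS records; stop at the first truncated one."""
    records = []
    pos = 0
    while pos + RECORD_HEADER_LEN <= len(datagram):
        content_type = datagram[pos]
        version = int.from_bytes(datagram[pos + 1:pos + 3], "big")
        length = int.from_bytes(datagram[pos + 11:pos + 13], "big")
        fragment = datagram[pos + RECORD_HEADER_LEN:pos + RECORD_HEADER_LEN + length]
        if len(fragment) < length:
            break  # truncated record: do not trust a partial fragment
        handshake_type: Optional[int] = None
        if content_type == CT_HANDSHAKE and len(fragment) >= HANDSHAKE_HEADER_LEN:
            handshake_type = fragment[0]
        records.append({
            "content_type": content_type,
            "version": version,
            "handshake_type": handshake_type,
            "record_len": RECORD_HEADER_LEN + length,
        })
        pos += RECORD_HEADER_LEN + length
    return records


def classify_first_flight(request_len: int, reply_datagrams: List[bytes]) -> Dict:
    """Judge the server's first flight: cookie exchange or amplifying handshake."""
    records = [r for d in reply_datagrams for r in parse_records(d)]
    reply_len = sum(len(d) for d in reply_datagrams)
    handshake_types = [r["handshake_type"] for r in records if r["handshake_type"] is not None]
    if not handshake_types:
        verdict = "no_dtls_handshake"
    elif handshake_types[0] == HS_HELLO_VERIFY_REQUEST:
        verdict = "cookie_exchange"      # reply is smaller than the probe: no amplification
    else:
        verdict = "amplifying_flight"    # ServerHello/Certificate sent to an unverified source
    return {
        "verdict": verdict,
        "handshake_types": handshake_types,
        "amplification": reply_len / request_len if request_len else 0.0,
    }


# Helpers to build the constructed samples (DTLS 1.2 version bytes 0xFEFD).
def _record(content_type: int, fragment: bytes, version: int = 0xFEFD) -> bytes:
    return (bytes([content_type]) + version.to_bytes(2, "big")
            + (0).to_bytes(2, "big") + (0).to_bytes(6, "big")
            + len(fragment).to_bytes(2, "big") + fragment)


def _handshake(msg_type: int, body: bytes) -> bytes:
    n = len(body).to_bytes(3, "big")
    return bytes([msg_type]) + n + (0).to_bytes(2, "big") + (0).to_bytes(3, "big") + n + body


CLIENT_HELLO_LEN = 200  # assumed size of the probe ClientHello datagram (constructed)
# Constructed reply 1: HelloVerifyRequest with a 16-byte cookie (44 bytes on the wire).
HVR_REPLY = [_record(CT_HANDSHAKE,
                     _handshake(HS_HELLO_VERIFY_REQUEST, b"\xfe\xfd\x10" + bytes(16)))]
# Constructed reply 2: ServerHello (38-byte body) plus a 1200-byte Certificate
# in one datagram (1288 bytes on the wire), i.e. no cookie exchange at all.
FULL_FLIGHT_REPLY = [
    _record(CT_HANDSHAKE, _handshake(HS_SERVER_HELLO,
                                     b"\xfe\xfd" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"))
    + _record(CT_HANDSHAKE, _handshake(HS_CERTIFICATE, bytes(1200))),
]

if __name__ == "__main__":
    for name, reply in (("HelloVerifyRequest", HVR_REPLY), ("full flight", FULL_FLIGHT_REPLY)):
        result = classify_first_flight(CLIENT_HELLO_LEN, reply)
        print(f"{name}: {result['verdict']} (x{result['amplification']:.2f})")
```

Run against real replies, the function only needs the raw datagram bytes the server sent back; a ratio above 1.0 combined with an `amplifying_flight` verdict is the condition a defender wants to eliminate, either by enabling the DTLS cookie exchange on the gateway or by closing UDP/443 where DTLS (EDT in the Citrix case) is not in use.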

It is currently the Chinese New Year holiday. I wish you all a happy Chinese New Year!

The Leader of the KnownSec 404 Team ( ZoomEye http://www.zoomeye.org SeeBug http://www.seebug.org KCon http://kcon.knownsec.com)
