This blog post was coauthored by Robert Reilly, Senior Technical Account Manager at Citrix.
The effect that hackers and malware are having on the economy has never been as significant as it is today. Recently, a Citrix admin leveraged a Citrix ADC feature to thwart a brute force attack that was costing his organization money and engineering resources.
Cyberthreats are wreaking havoc across the globe at the highest rate in history! Because of the global pandemic, much of the world now operates “remotely.” The rise of the remote workforce has expanded the attack surface for many organizations, and hackers are exploiting this. A Citrix administrator recently noticed that the Citrix ADCs that were front ending their customer-facing application was hit with a password-spraying attack, and it was quick thinking along with the IP Reputation (IPRep) functionality embedded in their Citrix ADC that got him out of this bind.
Password spraying is a type of brute force attack where a hacker leverages a botnet (a network of hijacked computers and devices that have been infected) to simultaneously “brute force” logins with a list of usernames and a few commonly used passwords. This can be particularly dangerous if a hacker can gain access to a system. Once in, they can expose vulnerabilities and can even access critical applications and sensitive data. This can be crippling for an organization, but fortunately there are ways to prevent password-spraying, DDoS, and brute force attacks by leveraging the IP Reputation functionality in Citrix ADC.
During a site upgrade, the customer identified an issue. Upgrades and migrations are generally when most organizations choose to take stock of issues, implement new optimizations, consolidate management, roll out new features, and streamline operations. During the upgrade of a customer service sales portal, they redirected the old application site URL to a new site URL. This is when they noticed that site availability became sporadic — it became unusable to users. This downtime started to cost the business, both in terms of revenue and the engineering cycles trying to correct the problem.
In testing, the random app outages stumped the engineers who were working on the upgrade, and they flipped the active site back to the old URL while troubleshooting. They could not figure out the cause of the outage or a solution.
Upon examination of the Citrix ADC that was front ending the application on the new public-facing site URL, it was noted that availability monitors on the ADC load balancer were going up, down, and up again. There was no redirect to the new site URL anymore, but the monitor still showed instability.
The Citrix engineer ran a Wireshark trace on the new application URL and observed that the site was taking millions of hits from random endpoints. Using this capture, he quickly determined that this attack was rapidly siphoning resources from the application and denying legitimate user traffic. HTTP requests were taking upwards of 500 seconds to resolve, which was unacceptable and directly impacted the ability of their customers to access customer portals and make purchases. Analysis of the traffic showed that the IP addresses hitting the URL were sourced from known malicious botnets. However, seeing the issue is of no use if you cannot defend against it.
The Citrix ADC not only provided insight into the app security but also enabled the admins to take immediate action to thwart the threat. Included in the Premium edition of Citrix ADC is an IP address reputation filter. It leverages the most up-to-date list of known malicious IPs from across the internet. It uses the Webroot Threat Intelligence Engine, which is dynamically updated every five minutes so customers always have the latest protection. Once these malicious requests are detected, they can be reset, dropped, or an IT admin can configure a responder policy to take a more specific action.
In this case, the Citrix admin quickly and easily configured the IPRep feature and leveraged it on the new app site to allow traffic to be sourced only from known geographic locations where their customer base existed. He watched as the number of hits dwindled from millions per day to a few thousand in just 24 hours.
The customer-facing application was seamlessly moved to the upgraded site and is efficiently serving customers today. The plan is to leverage the IPRep feature on all the customer’s public-facing assets by upgrading their Citrix ADC Standard licenses to Premium. It’s one of the easiest Citrix ADC features to configure, and it really gives you more bang for your buck.
Let’s look at just how easy it is to configure.
The IPRep feature is available for the Premium ADC licenses and standalone Citrix Web App Firewall licenses. It can be leveraged with either a Responder Policy or attached to a Web App Firewall profile to drop traffic from known malicious IP ranges and exploits.
Enabling the feature is as simple as entering ‘enable ns feature rep’ into the command-line of an ADC or navigating to System → Settings → Configure Advanced Features and marking the box next Reputation.
You can use the feature to block botnets, DDoS/DoS attacks, exploits, and spammers. Once enabled, the only pre-requisite is that the Citrix ADC has access to DNS and can reach https://apo.bcti.brightcloud.com via port 443 for reputation updates.
After you enable the feature, you can use an Advanced Syntax Policy with either the Responder or WAF features to block traffic based on category. Categories you can use include:
To block all malicious traffic at the ADC, you can use the following CLI command to implement and bind the firewall at the global level:
‘add appfw policy pol1 CLIENT.IP.SRC.IPREP_IS_MALICIOUS APPFW_BLOCK’ ‘bind appfw global pol1’
With these two commands, an admin can block any traffic originating from a known malicious source, as identified in the Webroot reputation database, and prevent unnecessary resource utilization on their Citrix ADC. (Please note, you might need to adjust this configuration based on your organization’s needs.)
Occasionally you may experience attacks from hosts not currently flagged as malicious. If that occurs or you receive reports from legitimate users having issues connecting, check their IP with the BrightCloud tool. There you will have the option to report an IP address that is not currently flagged for IP reputation but behaves maliciously. And if you have a repeat offender that is continuously attacking that IP reputation is not blocking, you can configure a Pattern Set to start creating a list of IPs for bad actors and stop them, as well.
Finally, what if your organization knows that all their legitimate traffic should come from North America? Refer to this Citrix support article to learn how to block all geographies outside North America.
IP Reputation is a feature that has proved to be an easy way for organizations to protect themselves against malicious attacks. It is easy to configure and can provide immediate protection and value to your organization today! Take a look at our IP Reputation product documentation to learn more!