Citrix NetScaler ADC and Gateway

Password Spraying – protect your Netscaler environments (13.0 and higher)

To understand why password spraying is a problem and how it can impact your NetScaler environment, we have to take one step back.

Password Spraying

First of all, we need to understand what it is. Password spraying is a type of attack that tries to get into many user accounts by using a small number of common or weak passwords. Unlike a traditional brute force attack, which hammers a single account with many passwords, password spraying tests the same password once across many accounts. This keeps every account below the failed-login threshold, so the attacker evades the lockout mechanism that would otherwise stop a brute force attack.

These attacks are particularly effective because many users have simple or commonly used passwords. A single attempt per account with a password like ‘123456’ or ‘password123’ is hardly noticeable and does not trigger any automatic blocking. In companies with many employees, there is an increased likelihood that at least one account is protected by a weak password, opening the floodgates to attackers.

To protect against password spraying attacks, it is important to implement additional security measures. Multi-factor authentication (MFA), for example, creates an additional hurdle because access is not possible with a password alone. Using strong, unique passwords also makes such attacks less successful. Monitoring tools can help detect suspicious login attempts, and regular software updates close known security gaps.

Understanding this type of attack and implementing proactive security strategies are critical to maintaining IT security and guarding against increasingly sophisticated threats.

How can you protect your systems?

To protect against password spraying attacks, Citrix recommends implementing the following measures:

  1. Multi-factor authentication (MFA): The introduction of MFA creates an additional layer of security that prevents unauthorised access even if passwords are compromised.
  2. Strong password policies: Encourage users to use complex and unique passwords to reduce the likelihood of common passwords being successfully used.
  3. Monitoring and alerting: Use monitoring tools to detect unusual login attempts and set up alerts to respond immediately to suspicious activity.
  4. Limit login attempts: Implement mechanisms that limit the number of failed login attempts and block suspicious IP addresses. (Read my blog post about this.)
  5. Regular software updates: Ensure that all systems and applications, including NetScaler appliances, are up to date to close known security vulnerabilities.

Characteristics of the attacks

During the analysis, it was found that the observed password spraying attacks mainly focus on user authentication at older, pre-nFactor endpoints. These endpoints are particularly vulnerable because they are often not protected by modern authentication mechanisms that could provide an additional layer of security.

During such attacks, certain entries are written to the ns.log files. If these messages appear in unusually high numbers, well above the usual daily volume on the NetScaler or NetScaler Gateway, an attack is most likely in progress. Continuous monitoring of these log files is therefore essential to detect suspicious activity early and take countermeasures in time.

This attack pattern shows how important it is to update outdated authentication endpoints and implement security mechanisms such as multi-factor authentication. By regularly checking the logs and taking prompt action in the event of abnormalities, companies can better protect their systems against such attacks.

Excerpt from ns.log during such an attack (message text truncated):

Dec 5 13:33:09 <local0.info> 10.110.13.215 12/05/2024:08:03:09 GMT n-test 0-PPE-0 : default SSLVPN Me
Dec 5 13:33:09 <local0.info> 10.110.13.215 12/05/2024:08:03:09 GMT n-test 0-PPE-0 : default AAA Messa
Dec 5 13:33:09 <local0.info> 10.110.13.215 12/05/2024:08:03:09 GMT n-test 0-PPE-0 : default SSLVPN Me
Dec 5 13:33:09 <local0.info> 10.110.13.215 12/05/2024:08:03:09 GMT n-test 0-PPE-0 : default AAA Messa
Dec 5 13:33:09 <local0.notice> 10.110.13.215 12/05/2024:08:03:09 GMT n-test 0-PPE-0 : default AAA Messag
Dec 5 13:33:09 <local0.info> 10.110.13.215 12/05/2024:08:03:09 GMT n-test 0-PPE-0 : default AAATM Mesas
Dec 5 13:33:09 <local0.info> 10.110.13.215 12/05/2024:08:03:09 GMT n-test 0-PPE-0 : default AAA Messa
Dec 5 13:33:09 <local0.info> 10.110.13.215 12/05/2024:08:03:09 GMT n-test 0-PPE-0 : default SSLVPN Me
Dec 5 13:33:09 <local0.warn> 10.110.13.215 12/05/2024:08:03:09 GMT n-test 0-PPE-0 : default AAA LOGIN_FA
Dec 5 13:33:09 <local0.info> 10.110.13.215 12/05/2024:08:03:09 GMT n-test 0-PPE-0 : default AAA Messa
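To make the log monitoring described above concrete, here is an added example of my own (not code from the original post, from Citrix, or from any NetScaler tool) that parses LOGIN_FAILED entries from ns.log and separates a spray (one source address, many different users, one or two tries each) from a classic brute force (one user, many tries). The sample lines are constructed, and the field layout after LOGIN_FAILED (`User <name> - Client_ip <ip> - Failure_reason ...`) is an assumption; adjust the regular expression to whatever your build actually writes.

```python
"""Flag password spraying in NetScaler ns.log LOGIN_FAILED entries.

Added illustration for this post, not code from Citrix or from the post's
author. The layout of the LOGIN_FAILED message (User <name> - Client_ip <ip>)
is an assumption; adjust LOGIN_FAILED_RE to what your build actually logs.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

EPOCH = datetime(1970, 1, 1)


def _entry(clock, ts, module, sid, user, ip):
    """Build one constructed LOGIN_FAILED line in the assumed ns.log layout."""
    return (f"Dec  5 {clock} <local0.warn> 10.110.13.215 {ts} GMT n-test 0-PPE-0 : "
            f"default {module} LOGIN_FAILED {sid} 0 :  User {user} - Client_ip {ip} - "
            f'Failure_reason "External authentication server denied access" - Browser Mozilla/5.0')


# Constructed sample log (not a real capture).
SAMPLE_LOG = [
    # 203.0.113.7 tries one password against six different users in under two minutes
    _entry("13:33:09", "12/05/2024:08:03:09", "AAA", 1001, "alice", "203.0.113.7"),
    _entry("13:33:10", "12/05/2024:08:03:10", "AAA", 1002, "bob", "203.0.113.7"),
    _entry("13:33:12", "12/05/2024:08:03:12", "AAATM", 1003, "carol", "203.0.113.7"),
    _entry("13:33:40", "12/05/2024:08:03:40", "AAA", 1004, "dave", "203.0.113.7"),
    _entry("13:34:05", "12/05/2024:08:04:05", "AAA", 1005, "erin", "203.0.113.7"),
    _entry("13:34:51", "12/05/2024:08:04:51", "AAA", 1006, "frank", "203.0.113.7"),
    # 198.51.100.9 hammers a single account: the pattern that per-user lockout catches
    _entry("13:35:01", "12/05/2024:08:05:01", "AAA", 1007, "grace", "198.51.100.9"),
    _entry("13:35:20", "12/05/2024:08:05:20", "AAA", 1008, "grace", "198.51.100.9"),
    _entry("13:35:41", "12/05/2024:08:05:41", "AAA", 1009, "grace", "198.51.100.9"),
    _entry("13:36:02", "12/05/2024:08:06:02", "AAA", 1010, "grace", "198.51.100.9"),
    # informational noise that the parser must skip
    "Dec  5 13:36:03 <local0.info> 10.110.13.215 12/05/2024:08:06:03 GMT n-test 0-PPE-0 : "
    "default SSLVPN Message 1011 0 :  Vserver Gateway_vServer - ...",
]

LOGIN_FAILED_RE = re.compile(
    r"\s(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT .*?"
    r"\b(?:AAA|AAATM) LOGIN_FAILED\b.*?"
    r"\bUser (?P<user>\S+) - Client_ip (?P<ip>[0-9A-Fa-f.:]+)"
)


def parse_failed_logins(lines):
    """Return (timestamp, user, client_ip) for each LOGIN_FAILED line, oldest first."""
    events = []
    for line in lines:
        m = LOGIN_FAILED_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%m/%d/%Y:%H:%M:%S")
            events.append((ts, m.group("user").lower(), m.group("ip")))
    events.sort()
    return events


def detect_spray(events, min_users=5, max_per_user=2, window_minutes=15):
    """Per source IP: many distinct users, few tries each, inside a short window.

    That is the inverse of brute force and is exactly what stays under a
    per-user lockout threshold, so counting failures per user never sees it.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, evs in by_ip.items():
        per_user = Counter(user for _, user in evs)
        span = (evs[-1][0] - evs[0][0]).total_seconds() / 60
        if (len(per_user) >= min_users
                and max(per_user.values()) <= max_per_user
                and span <= window_minutes):
            findings[ip] = {"users": len(per_user), "attempts": len(evs),
                            "max_per_user": max(per_user.values()),
                            "span_minutes": round(span, 1)}
    return findings


def detect_brute_force(events, threshold=3):
    """Users with at least `threshold` failures (what lockout already handles)."""
    per_user = Counter(user for _, user, _ in events)
    return {u: n for u, n in per_user.items() if n >= threshold}


def peak_rate(events, bucket_seconds=60):
    """Highest number of failures in any bucket, to compare with your daily baseline."""
    buckets = Counter(int((ts - EPOCH).total_seconds()) // bucket_seconds
                      for ts, _, _ in events)
    return max(buckets.values(), default=0)


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    print("spray candidates:", detect_spray(evs))
    print("brute-force candidates:", detect_brute_force(evs))
    print("peak failures per minute:", peak_rate(evs))
```

On a real appliance you would feed it `tail -f /var/log/ns.log` (or the rotated ns.log.*.gz files) and tune `min_users` and `peak_rate` against a few quiet days, since the post's point is that the signal is volume far above your normal daily activity, not any single failed login. Attackers rotating through many source addresses will not trip the per-IP check, so also watch the overall distinct-user count per window.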

Recommended mitigations

The following mitigations are recommended:

1. Enable MFA! There is no excuse today for exposing a system to the internet without MFA. Also enable the feature that locks out a user after a specific number of failed logins. Here you can find the article in my blog.


    2. Create a responder policy that allows requests only for the desired FQDN, because these attacks frequently target the IP address rather than the Gateway FQDN. The policy drops every request whose Host header does not match your gateway name. If your clients may send a port in the Host header, compare HTTP.REQ.HOSTNAME.SERVER instead of HTTP.REQ.HOSTNAME.

    add responder policy IP_Block "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"yourhostname.domain\").NOT" DROP
    bind vpn vserver Gateway_vServer -policy IP_Block -priority 100

    3. Create a responder policy to block the following end points if not utilizing historic pre-nFactor basic/classic authentication:

    • /cgi/login
    • /p/u/doAuthentication.do
    • /p/u/getAuthenticationRequirements.do

    This responder policy drops the authentication requests before they reach your AAA service. It only works on NetScaler version 13.0 or later. Before binding it with DROP, check ns.log for legitimate clients that still post to these paths and test the change with the Citrix Workspace app versions you have deployed.

    add policy patset patset_block_urls
    bind policy patset patset_block_urls "/cgi/login"
    bind policy patset patset_block_urls "/p/u/doAuthentication.do"
    bind policy patset patset_block_urls "/p/u/getAuthenticationRequirements.do"

    add responder policy policy_block_urls "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY(\"patset_block_urls\")" DROP

    bind vpn vserver Gateway_vServer_name -policy policy_block_urls -priority 100 -gotoPriorityExpression END -type AAA_REQUEST

    If you are using NetScaler WAF, you can also follow this article from Citrix.