'KeyTrap' DNS Bug Threatens Widespread Internet Outages


Thanks to a 24-year-old security vulnerability tracked as CVE-2023-50387, attackers could stall DNSSEC-validating DNS resolvers with a single malicious packet, effectively taking out wide swaths of the Internet.
February 20, 2024
Although it has been present since 2000, researchers only recently uncovered a fundamental design flaw in the Domain Name System Security Extensions (DNSSEC), which under certain circumstances could be exploited to take down wide expanses of the Internet.
DNS resolvers translate domain names into IP addresses and, mostly invisibly, sit in front of nearly every connection made on the Internet.
The team behind the discovery is from the ATHENE National Research Center for Applied Cybersecurity in Germany. They named the vulnerability "KeyTrap," tracked as CVE-2023-50387. According to their report on the KeyTrap DNS bug, a single DNS response served from an attacker-controlled zone can carry many DNSKEY records that share one key tag, together with many signatures. Because the DNSSEC specification requires a validator to try every matching key for every signature until one verifies, a DNSSEC-validating resolver that receives such a response performs a number of signature checks that grows with the product of the two counts, consuming all of its CPU and stalling. If multiple resolvers were exploited at the same time with KeyTrap, they could be downed simultaneously, resulting in widespread Internet outages, according to the team of academics.
In testing, how long the DNS servers remained stalled after an attack varied, but the report noted that BIND 9, the most widely deployed DNS implementation, could remain stalled for up to 16 hours.
According to the Internet Systems Consortium (ISC), the nonprofit that maintains BIND, 34% of DNS servers in North America perform DNSSEC validation and are therefore exposed until patched.
The good news is that there is no evidence of active exploitation so far, according to the report and ISC.
ATHENE describes KeyTrap as a new class of attack against DNSSEC, which the team calls an "algorithmic complexity attack": the attacker supplies input whose validation cost, rather than its size or volume, is what overwhelms the target. Algorithmic complexity attacks as a general category predate this work; what is new is turning the DNSSEC validation rules themselves into the amplifier.
The research team spent the past several months working with major DNS service providers, including Google and Cloudflare, to deploy patches before making their work public. The team noted that the patches are a stopgap and that it is working on revisions to the DNSSEC standards to address the design itself.
"The researchers worked with all relevant vendors and major public DNS providers over several months, resulting in a number of vendor-specific patches, the last ones published on Tuesday, Feb. 13," according to the report. "It is highly recommended for all providers of DNS services to apply these patches immediately to mitigate this critical vulnerability."
Fernando Montenegro, Omdia's senior principal analyst for cybersecurity, praises the researchers for disclosing the flaw in close coordination with the vendor ecosystem.
"Kudos to the researchers," Montenegro says. "This was disclosed in coordination with researchers, service providers, and those responsible for creating a patch."
From here, it's up to the service providers to find a path toward a permanent fix for affected DNS resolvers, he adds.
"Now the onus shifts to people running DNS servers to get the latest version and patch the vulnerability," Montenegro says.
ISC does not recommend that administrators disable DNSSEC validation on their resolvers, even though doing so would stop the attack, since it would also discard the protection DNSSEC provides against forged responses. For those running the open source DNS implementation BIND 9, ISC has released fixed versions.
ISC's advisory concludes: "We instead strongly advise installing one of the versions of BIND listed below, in which an exceptionally complex DNSSEC validation will no longer impede other server workload." (The version list appears in ISC's advisory and is not reproduced here.)
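To make concrete both the mechanism described earlier (many DNSKEYs sharing one key tag, many signatures, every combination tried) and why ISC advises patching rather than switching validation off, here is an added model in Python. It is not the researchers' code or any resolver's code. Signature verification is a SHA-256 stand-in so it runs offline; the key-tag checksum follows RFC 4034 Appendix B; the `Validator` class, its `max_failures` budget, the sample RRset and the seed strings are constructed for this illustration, and the budget is a simplified stand-in for the work limits vendors shipped, not any vendor's exact rule.

```python
"""Model of the KeyTrap (CVE-2023-50387) validation blow-up and a work-cap fix.

Added illustration for this article, not code from ATHENE or any resolver.
Faithful parts: the RFC 4034 Appendix B key tag, and the DNSSEC rule that a
validator tries every DNSKEY whose tag and algorithm match an RRSIG, for every
RRSIG, until one verifies. Stand-ins: SHA-256 instead of real signatures, and a
constructed `max_failures` budget in place of vendor-specific limits.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALG = 13  # algorithm number carried in DNSKEY/RRSIG; only a label in this model
RRSET = b"www.example. A 192.0.2.1"  # constructed RRset under validation


def _tag_accumulator(rdata: bytes) -> int:
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    return ac


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    ac = _tag_accumulator(rdata)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass
class DNSKEY:
    rdata: bytes  # flags | protocol | algorithm | public key

    @property
    def algorithm(self) -> int:
        return self.rdata[3]

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)


@dataclass
class RRSIG:
    key_tag: int
    algorithm: int
    signature: bytes


def make_dnskey(pubkey: bytes) -> DNSKEY:
    # flags=256 (zone-signing key), protocol=3, then the key bytes
    return DNSKEY(struct.pack("!HBB", 256, 3, ALG) + pubkey)


def toy_sign(key: DNSKEY, data: bytes) -> bytes:
    """Stand-in for a real signature: a hash binding key and data."""
    return hashlib.sha256(key.rdata + data).digest()


def forge_key_with_tag(rdata: bytes, target: int) -> DNSKEY:
    """Append two bytes to an even-length RDATA so its key tag equals target.
    The tag is only a checksum, so a collision costs at most 2^16 tries; that is
    what lets an attacker publish many DNSKEYs that all share one tag."""
    assert len(rdata) % 2 == 0
    while True:
        base = _tag_accumulator(rdata)
        for hi in range(256):
            for lo in range(256):
                ac = base + (hi << 8) + lo
                if ((ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF) == target:
                    return DNSKEY(rdata + bytes([hi, lo]))
        rdata += b"\x01\x00"  # rare: target unreachable from this base, shift it


@dataclass
class Validator:
    max_failures: Optional[int] = None  # None = unbounded, the pre-patch behaviour
    attempts: int = 0

    def validate(self, data: bytes, rrsigs: List[RRSIG], dnskeys: List[DNSKEY]) -> str:
        self.attempts = 0
        failures = 0
        for sig in rrsigs:
            for key in dnskeys:
                # Only keys whose tag and algorithm match the RRSIG are candidates.
                if key.tag != sig.key_tag or key.algorithm != sig.algorithm:
                    continue
                self.attempts += 1
                if toy_sign(key, data) == sig.signature:
                    return "secure"
                failures += 1
                if self.max_failures is not None and failures >= self.max_failures:
                    return "bogus"  # budget spent: give up instead of grinding on
        return "bogus"


def keytrap_response(n_keys: int, n_sigs: int, seed: bytes = b"keytrap-demo"):
    """Constructed attacker zone: n_keys DNSKEYs with one shared tag and n_sigs
    RRSIGs that all point at that tag but verify under none of the keys."""
    keys = [make_dnskey(hashlib.sha256(seed + b"k0").digest())]
    for i in range(1, n_keys):
        fresh = make_dnskey(hashlib.sha256(seed + b"k%d" % i).digest())
        keys.append(forge_key_with_tag(fresh.rdata, keys[0].tag))
    sigs = [RRSIG(keys[0].tag, ALG, hashlib.sha256(seed + b"s%d" % j).digest())
            for j in range(n_sigs)]
    return sigs, keys


def attack_cost(n_keys: int, n_sigs: int, max_failures: int = 16) -> Tuple[int, str, int, str]:
    """Signature checks done by an unbounded validator vs. one with a failure budget."""
    sigs, keys = keytrap_response(n_keys, n_sigs)
    naive, capped = Validator(), Validator(max_failures=max_failures)
    r_naive = naive.validate(RRSET, sigs, keys)
    r_capped = capped.validate(RRSET, sigs, keys)
    return naive.attempts, r_naive, capped.attempts, r_capped


def legit_cost(max_failures: int = 16) -> Tuple[int, str]:
    """An honest zone: one key, one valid signature, accepted on the first check."""
    key = make_dnskey(hashlib.sha256(b"legit-zone-key").digest())
    sig = RRSIG(key.tag, key.algorithm, toy_sign(key, RRSET))
    v = Validator(max_failures=max_failures)
    result = v.validate(RRSET, [sig], [key])
    return v.attempts, result


if __name__ == "__main__":
    print("attacker zone, 32 keys x 32 sigs (naive, capped):", attack_cost(32, 32))
    print("honest zone:", legit_cost())
```

Running it, the unbounded validator performs 32 × 32 = 1024 signature checks on the attacker's response and still ends at "bogus", while the budgeted validator stops after 16; the honest zone validates on its first check under either. That asymmetry is the point of the vendor fixes: bounding the work costs legitimate zones nothing, whereas disabling validation stops the attack only by throwing away the authentication DNSSEC exists to provide.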
Becky Bracken, Editor, Dark Reading
