Although it has been present since 2000, researchers only recently discovered a fundamental design flaw in a security extension to the Domain Name System (DNS) that, under certain circumstances, could be exploited to take down large swathes of the Internet.
DNS servers translate the domain names in website URLs into IP addresses and, mostly invisibly, underpin virtually all Internet traffic.
The team behind the discovery comes from the ATHENE National Research Center for Applied Cyber Security in Germany. They named the vulnerability “KeyTrap”; it is tracked as CVE-2023-50387. According to their new report on the KeyTrap bug, a single packet sent to a DNS server implementation that uses the DNSSEC extension to validate traffic could force the server into a resolution loop that consumes all of its computing power and crashes it. If multiple DNS servers were exploited with KeyTrap simultaneously, the academics say, they could all be taken down at once, resulting in widespread Internet outages.
In testing, the length of time DNS servers remained offline after an attack varied, but the report noted that BIND 9, the most widely used DNS implementation, could remain stalled for up to 16 hours.
According to the Internet Systems Consortium (ISC), which oversees DNS servers around the world, 34% of DNS servers in North America use DNSSEC for authentication and are therefore vulnerable to this flaw.
The good news is that so far there is no evidence of active exploits, according to the report and the ISC.
New class of DNS cyber attacks
ATHENE added that KeyTrap represents an entirely new class of cyber attacks, which the team called “Algorithmic Complexity Attacks.”
The research team has spent the last few months working with major DNS service providers, including Google and Cloudflare, to implement the necessary patches before making their work public. The team noted that the patches are only a temporary solution and that it is working to revise the DNSSEC standards to completely rethink their design.
“Researchers worked with all relevant vendors and major public DNS providers for several months, resulting in a series of vendor-specific patches, the latest released on Tuesday, February 13,” according to the report. “All DNS service providers are strongly advised to immediately apply these patches to mitigate this critical vulnerability.”
Fernando Montenegro, Omdia’s senior principal analyst for cybersecurity, praises the researchers for revealing the flaw in close coordination with the vendor ecosystem.
“Congratulations to the researchers,” says Montenegro. “This was made known in coordination with researchers, service providers and those responsible for creating a patch.”
From here, it’s up to service providers to find a path to a permanent solution for affected DNS resolvers, he adds.
“Now the burden shifts to people using DNS servers to get the latest version and fix the vulnerability,” Montenegro says.
The ISC does not recommend that administrators disable DNSSEC validation on DNS servers, even though doing so would solve the problem. For those using the BIND 9 open source DNS implementation, the ISC has an update.
The ISC concludes: “We instead strongly recommend installing one of the versions of BIND listed below, where exceptionally complex DNSSEC validation will no longer hinder the workload of other servers.”