Security researchers have discovered a critical flaw in the DNS system that could “completely disable” large parts of the world’s internet for an extended period of time.
Cybersecurity researchers from the ATHENE National Center for Applied Cybersecurity Research, Goethe University Frankfurt, Fraunhofer SIT, and Darmstadt University of Technology recently discovered a flaw in Domain Name System Security Extensions (DNSSEC), a security protocol that adds an additional layer of protection to the Domain Name System (DNS).
With DNSSEC, DNS records are digitally signed to ensure that they have not been altered or forged in transit.
Fixes available
The flaw, tracked as CVE-2023-50387, is named KeyTrap and, in short, allows attackers to launch long-lasting denial of service (DoS) attacks against various Internet applications and programs. “If exploited, this attack could severely impact any application that uses the Internet, including disabling technologies such as web browsing, email, and instant messaging,” ATHENE said in its advisory. “Using KeyTrap, an attacker could completely disable large portions of the world’s Internet,” the researchers warned.
A patch has already been developed and is being deployed as of this article.
Akamai statistics show that nearly one-third of all Internet users are susceptible to KeyTrap, BleepingComputer reports.
They further explained that this vulnerability has existed in DNSSEC for over 20 years, but was never discovered or exploited due to the complexity of DNSSEC validation requirements. This attack results in a denial of service lasting from 1 minute to 16 hours.
In early November 2023, researchers demonstrated their findings to Google and Cloudflare and have been working together on mitigations since then. Now, Akamai has already released mitigations for its DNSi recursive resolver, and both Google and Cloudflare have deployed patches as well.
While it’s good news that this issue has been fixed, researchers stress that the entire design philosophy of DNSSEC needs to be reevaluated to protect against similar threats in the future.