A serious vulnerability, dubbed KeyTrap, in the Domain Name System Security Extensions (DNSSEC) feature could be exploited to deny Internet access to applications for an extended period of time.
KeyTrap, tracked as CVE-2023-50387, is a DNSSEC design issue that affects all popular Domain Name System (DNS) implementations or services.
This allows a remote attacker to cause a prolonged denial of service (DoS) condition on a vulnerable resolver by sending a single DNS packet.
DNS allows humans to access online locations by entering the domain name instead of the IP address of the server that the computer needs to connect to.
DNSSEC is a feature of DNS that provides cryptographic signatures for DNS records and thereby authenticates responses. This validation ensures that the DNS data comes from its legitimate source, an authoritative name server, and has not been tampered with in transit to redirect users to a malicious location.
Massive damage from a single attack request
KeyTrap has been present in the DNSSEC standard for over 20 years and was discovered by researchers at the National Center for Applied Cybersecurity Research ATHENE and experts from Goethe University Frankfurt, Fraunhofer SIT, and Darmstadt University of Technology.
The researchers explained that the issue stems from DNSSEC’s requirement that a resolver consider all cryptographic keys and all corresponding signatures for the supported ciphers during validation.
The process is the same even if some DNSSEC keys are configured incorrectly or belong to unsupported ciphers.
Taking advantage of this vulnerability, researchers developed a new class of DNSSEC-based algorithmic complexity attacks. This attack can increase the number of CPU instructions for a DNS resolver by a factor of 2 million, slowing down its response.
The duration of this DoS condition varies depending on the resolver implementation, but researchers say that a response to a single attack request can persist from 56 seconds to up to 16 hours.
“If exploited, this attack could have a significant impact on applications that use the Internet, including disabling technologies such as web browsing, email, and instant messaging,” ATHENE’s disclosure statement said.
“KeyTrap allows attackers to completely disable large portions of the world’s Internet,” the researchers said.
Complete details about this vulnerability and how it manifests in modern DNS implementations can be found in a technical report published earlier this week.
Since early November 2023, the researchers have been demonstrating how KeyTrap attacks affect DNS service providers such as Google and Cloudflare and helping them develop mitigations.
According to ATHENE, KeyTrap has been in the widely used standard since 1999 and has been under the radar for nearly 25 years, primarily due to the complexity of DNSSEC validation requirements.
ATHENE says affected vendors have already made progress in remediating or mitigating KeyTrap risks, but addressing the issue at a fundamental level may require a re-evaluation of the DNSSEC design philosophy.
In response to the KeyTrap threat, Akamai developed and deployed mitigations for DNSi recursive resolvers such as CacheServe and AnswerX, as well as cloud and managed solutions, from December 2023 to February 2024.
“This security gap allows attackers to wreak havoc on the functioning of the Internet, exposing one-third of the world’s DNS servers to highly efficient denial-of-service (DoS) attacks and potentially affecting more than 1 billion users.” – Akamai
Akamai points out that, based on APNIC data, approximately 35% of US-based users and approximately 30% of Internet users worldwide rely on DNS resolvers that perform DNSSEC validation and are therefore exposed to KeyTrap.
Akamai did not share many details about the actual mitigations it implemented, but ATHENE’s paper states that Akamai’s solution limits cryptographic failures to a maximum of 32, which makes it virtually impossible to exhaust the resolver’s CPU resources and cause a stall.
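To make the validation behaviour described above concrete, the following constructed model (added here; not code from the researchers, Akamai, or any DNS implementation) contrasts a validator that tries every signature against every key with one that stops after the 32-failure cap attributed to Akamai. DNSKEY and RRSIG records are stood in for by HMAC-SHA256 keys and tags, and applying the cap per validated RRset is an assumption of the model.

```python
import hashlib
import hmac

# Constructed model of DNSSEC RRset validation, not a real DNS implementation:
# a key stands in for a DNSKEY record, a signature for an RRSIG record, and
# verification is modelled with HMAC-SHA256 so the example runs offline.
# The cap of 32 failures is the figure the article attributes to Akamai's fix;
# applying it per validated RRset is this model's assumption.
MAX_CRYPTO_FAILURES = 32

def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key: bytes, sig: bytes, data: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

def validate_naive(keys, sigs, data):
    """Pre-fix behaviour: try every signature against every key until one
    verifies, so work grows as len(keys) * len(sigs). Returns (valid, attempts)."""
    attempts = 0
    for sig in sigs:
        for key in keys:
            attempts += 1
            if verify(key, sig, data):
                return True, attempts
    return False, attempts

def validate_capped(keys, sigs, data, limit=MAX_CRYPTO_FAILURES):
    """Hardened variant: give up (the resolver would answer SERVFAIL) once
    `limit` verifications have failed, bounding attacker-induced work."""
    failures = 0
    for sig in sigs:
        for key in keys:
            if verify(key, sig, data):
                return True, failures + 1
            failures += 1
            if failures >= limit:
                return False, failures
    return False, failures

def demo(n_keys=100, n_sigs=100):
    """Constructed hostile RRset: many keys and signatures, none of which match."""
    data = b"example. IN A 192.0.2.1"  # constructed record data
    keys = [f"key-{i}".encode() for i in range(n_keys)]
    sigs = [hashlib.sha256(f"bogus-{j}".encode()).digest() for j in range(n_sigs)]
    return validate_naive(keys, sigs, data), validate_capped(keys, sigs, data)

if __name__ == "__main__":
    print(demo())  # ((False, 10000), (False, 32))
```

The naive validator performs 10,000 verifications on the constructed input while the capped one stops at 32; real resolvers run public-key signature checks, so the per-attempt cost is far higher than this HMAC stand-in.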
Fixes already exist for Google and Cloudflare’s DNS services.