
Darmstadt and Frankfurt, February 13, 2024
ATHENE, the National Center for Applied Cybersecurity Research, has discovered a critical flaw in the design of DNSSEC, the security extension to the Domain Name System (DNS). DNS is one of the fundamental building blocks of the Internet. The design flaw affects essentially all DNSSEC-validating DNS implementations and public DNS providers such as Google and Cloudflare. Professor Haya Schulmann of Goethe University Frankfurt and her ATHENE team have developed a new class of attack, dubbed KeyTrap: with a single DNS packet, an attacker can bring down all widely used DNS implementations and public DNS providers. Successful exploitation can have severe consequences for every application that relies on the Internet, disabling technologies such as web browsing, email, and instant messaging; KeyTrap allows attackers to take large portions of the Internet offline. The researchers worked with all relevant vendors and major public DNS providers for several months to develop vendor-specific patches. The last of these patches was published on Tuesday, February 13, 2024. All operators of DNSSEC-validating DNS resolvers are strongly advised to apply these patches and mitigate this critical vulnerability immediately.
Researchers at ATHENE, the National Center for Applied Cybersecurity Research in Darmstadt and Frankfurt, Germany, have discovered a critical flaw in the design of DNSSEC (DNS Security Extensions) that affects all DNSSEC-validating Domain Name System (DNS) implementations. The team, consisting of Professor Haya Schulmann and Niklas Vogel of Goethe University Frankfurt, Elias Heftrich of Fraunhofer SIT, and Professor Michael Waidner of Darmstadt University of Technology and Fraunhofer SIT, developed a new class of so-called algorithmic complexity attacks, which they dubbed KeyTrap. They demonstrated that a single DNS packet suffices to exhaust the CPU of all widely used DNS implementations and of public DNS providers such as Google Public DNS and Cloudflare: a standard BIND 9 resolver, for example, can be stalled for up to 16 hours. This devastating effect led major DNS vendors to call KeyTrap "the worst attack on DNS ever discovered." The impact of a KeyTrap attack is far-reaching: by exploiting it, an attacker can effectively disable Internet access for every system that relies on a DNSSEC-validating DNS resolver.
The attack vector exploited by the KeyTrap class of attacks has been registered in the Common Vulnerabilities and Exposures (CVE) database under the umbrella identifier CVE-2023-50387.
DNS has evolved into a fundamental system of the Internet, underlying a wide range of applications and enabling new technologies. According to recent measurements, as of December 2023, 31.47% of web clients worldwide were using DNSSEC-validating DNS resolvers. KeyTrap attacks therefore affect not only DNS itself but every application that depends on it. Unavailability of DNS not only prevents access to content; it also risks disabling security mechanisms that depend on DNS, such as anti-spam defenses, public key infrastructure (PKI), and even inter-domain routing security such as RPKI (Resource Public Key Infrastructure).
The flaw is not recent. The problematic requirement was already present in RFC 2535, the DNSSEC standard published in 1999, and in 2012 it was carried into RFC 6781 and RFC 6840, which specify the requirements for implementing DNSSEC validation. The vulnerability has been present in the BIND 9 resolver since at least August 2000 and was introduced into the Unbound resolver code in August 2007. It thus sat in the standard for nearly 25 years without being recognized by the community. This is not surprising: the flaw was hard to identify because of the complexity of the DNSSEC validation requirements, and exploiting it requires several of those requirements to come together, so even DNS experts did not spot it. The security community has had similar experiences with far simpler vulnerabilities such as Heartbleed and Log4j, which existed for years before anyone noticed and fixed them. Unlike those cases, however, the vulnerability identified by the ATHENE team is rooted in the design philosophy of DNSSEC rather than being a mere software implementation bug, so it is not easy to resolve. Since the vulnerability was first disclosed, the team has worked with all major vendors to mitigate the problem at the implementation level, but completely preventing the attack appears to require a fundamental rethinking of the underlying design philosophy of DNSSEC. The DNSSEC standard therefore needs to be revised.
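To make the algorithmic-complexity point above concrete, the following Python model, added here and not code from ATHENE, BIND 9, Unbound or the standards, follows the validation rule the article refers to (for each RRSIG, try every DNSKEY whose key tag and algorithm match until one verifies) and counts how many verification attempts a crafted response forces on the validator. Everything in it is constructed for illustration: the HMAC stand-in for DNSSEC signatures, the key tags, the sample RRset and the failure budget of 16 in the mitigated variant are assumptions, not values taken from any real resolver.

```python
"""Toy model of the DNSSEC validation loop behind KeyTrap.

Added illustration, not code from ATHENE, BIND 9 or Unbound. Signatures
are a stand-in (HMAC-SHA256 keyed with the DNSKEY material) so the script
runs offline; real DNSSEC uses RSA/ECDSA, where each failed verification
costs far more CPU, which is what turns the quadratic loop into a stall.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int      # 16-bit tag the validator uses to pick candidate keys
    algorithm: int    # DNSSEC algorithm number (assumed 13 in the samples)
    material: bytes   # stand-in for public key material


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    signature: bytes


class Counter:
    """Counts cryptographic verification attempts, the CPU-bound step."""
    def __init__(self):
        self.verifications = 0


def sign(key: DNSKEY, rrset_wire: bytes) -> RRSIG:
    """Stand-in signer; only the legitimate zone operator can do this."""
    mac = hmac.new(key.material, rrset_wire, hashlib.sha256).digest()
    return RRSIG(key.key_tag, key.algorithm, mac)


def verify(key: DNSKEY, sig: RRSIG, rrset_wire: bytes, ctr: Counter) -> bool:
    ctr.verifications += 1
    expected = hmac.new(key.material, rrset_wire, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.signature)


def validate_rfc_style(rrset_wire, rrsigs, dnskeys, ctr) -> bool:
    """Validation as the standards describe it: for every RRSIG, try every
    DNSKEY whose key tag and algorithm match; accept the RRset as soon as
    one (RRSIG, DNSKEY) pair verifies. There is no bound on the attempts."""
    for sig in rrsigs:
        for key in dnskeys:
            if (key.key_tag, key.algorithm) != (sig.key_tag, sig.algorithm):
                continue
            if verify(key, sig, rrset_wire, ctr):
                return True
    return False


def validate_with_budget(rrset_wire, rrsigs, dnskeys, ctr, max_failures=16) -> bool:
    """One mitigation pattern (budget value assumed): stop after a fixed
    number of failed verifications and treat the RRset as bogus."""
    failures = 0
    for sig in rrsigs:
        for key in dnskeys:
            if (key.key_tag, key.algorithm) != (sig.key_tag, sig.algorithm):
                continue
            if verify(key, sig, rrset_wire, ctr):
                return True
            failures += 1
            if failures >= max_failures:
                return False
    return False


RRSET = b"www.example. IN A 192.0.2.1"   # constructed sample RRset (wire form abstracted)


def hostile_response(n_keys: int, n_sigs: int, key_tag: int = 0x3039, algorithm: int = 13):
    """Constructed hostile response: every DNSKEY shares one key tag and
    algorithm, every RRSIG refers to that tag, and none of them verifies,
    so the validator must exhaust all n_keys * n_sigs combinations."""
    keys = [DNSKEY(key_tag, algorithm, f"bogus-key-{i}".encode()) for i in range(n_keys)]
    sigs = [RRSIG(key_tag, algorithm, hashlib.sha256(f"garbage-{j}".encode()).digest())
            for j in range(n_sigs)]
    return keys, sigs


def benign_response():
    """Constructed legitimate response: one key, one signature that verifies."""
    key = DNSKEY(0x1A2B, 13, b"real-zone-key")
    return [key], [sign(key, RRSET)]


def count_verifications(validator, keys, sigs):
    """Returns (validation_result, number_of_verification_attempts)."""
    ctr = Counter()
    ok = validator(RRSET, sigs, keys, ctr)
    return ok, ctr.verifications


if __name__ == "__main__":
    keys, sigs = benign_response()
    print("benign, RFC-style  :", count_verifications(validate_rfc_style, keys, sigs))
    keys, sigs = hostile_response(n_keys=20, n_sigs=20)
    print("hostile, RFC-style :", count_verifications(validate_rfc_style, keys, sigs))
    print("hostile, budgeted  :", count_verifications(validate_with_budget, keys, sigs))
```

With 20 keys and 20 signatures in one response, the unbounded loop performs 400 verifications before giving up, while the budgeted variant stops after 16; the legitimate response costs one verification in both. The multi-hour stall the article reports comes from the same combinatorics applied to real public-key verification and far larger record counts, which is why the fix vendors could ship at the implementation level is a cap on work per response rather than a change to what the standard asks validators to do.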
The National Center for Applied Cybersecurity Research ATHENE is a research center of the Fraunhofer-Gesellschaft that brings together the Fraunhofer Institutes for Secure Information Technology (SIT) and for Computer Graphics Research (IGD), Darmstadt University of Technology, Goethe University Frankfurt, and Darmstadt University of Applied Sciences. With more than 600 scientists, ATHENE is Europe's largest cybersecurity research center and Germany's leading scientific institution in the field.