By exploiting a more than 20-year-old design flaw in the DNSSEC specification, a single packet can exhaust the processing power of a vulnerable DNS server, effectively disabling the machine.
That makes it easy to take down a DNSSEC-validating DNS resolver that hasn’t yet been patched, disrupting every client that relies on that service and making websites and apps appear to be offline.
The academics who discovered the flaw are associated with the German National Center for Applied Cybersecurity Research (ATHENE) in Darmstadt, and they say that when DNS server software makers were briefed on the vulnerability, they described it as the worst DNS attack of all time.
It was identified by Elias Heftrig of Fraunhofer SIT, Professor Haya Schulman and Niklas Vogel of Goethe University Frankfurt, and Professor Michael Waidner of Darmstadt University of Technology and Fraunhofer SIT, together with colleagues. The security hole, named KeyTrap and designated CVE-2023-50387, has been assigned a CVSS severity rating of 7.5 out of 10.
As of December 2023, approximately 31% of web clients worldwide use DNSSEC-validating DNS resolvers and, like other applications that rely on these systems, can be susceptible to KeyTrap attacks. When these DNS servers are disabled by the flaw, the clients that rely on them can no longer resolve domain names and host names to IP addresses, and connectivity is lost.
The researchers found that a single DNS packet exploiting KeyTrap can bring down the DNSSEC-validating public DNS services provided by Google and Cloudflare by forcing the servers to perform calculations that overload their CPU cores.
Such DNS disruption can not only deny people access to content but also interfere with other systems such as spam protection, cryptographic protection (PKI), and inter-domain routing security (RPKI), the researchers claim.
“If exploited, this attack would severely impact any application that uses the Internet, including disabling technologies such as web browsing, email, and instant messaging,” they claimed. “KeyTrap allows attackers to completely disable large portions of the world’s Internet.”
A technical paper on the vulnerability that has not yet been made public, provided to The Register and entitled “KeyTrap Denial of Service Algorithm Complexity Attack on DNS,” describes how the attack is carried out. Basically, a vulnerable DNSSEC-validating DNS resolver is asked to look up an address, the resolver contacts a malicious name server, and that name server returns a response that consumes most or all of the resolver’s CPU resources.
KeyTrap could allow attackers to completely disable large parts of the world’s internet
“To launch the attack, the adversary forces the victim’s resolver to search for records in the malicious domain,” the paper, which will be published soon, states. “The attacker’s name server responds to its DNS queries with a malicious record set (RRset) according to the specific attack vector and zone configuration.”
The attack is possible because the DNSSEC specification follows Postel’s Law, the paper explains: “a name server should send all available cryptographic material, and a resolver should use any cryptographic material it receives until verification is successful.”
This availability requirement means that a DNSSEC-validating DNS resolver can be forced to do far more work when the records it must validate contain colliding key tags and colliding keys.
“Our complexity attack is triggered by feeding DNS resolvers with specially crafted DNSSEC records that are constructed in a way that exploits validation vulnerabilities in the cryptographic validation logic,” the paper explains.
“When DNS resolvers try to validate the DNSSEC records they receive from our name servers, they hang. Our attack is very stealthy: a single DNS response packet can keep a resolver busy for anywhere from 170 seconds to 16 hours, depending on the resolver software.”
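As an added illustration of the validation behaviour described above (example code written for this edit, not taken from the paper or from any resolver), the following Python models the key-tag-collision loop with a toy hash check in place of real public-key cryptography and contrasts it with a validator that gives up after a fixed number of failed checks. The failure cap of 16 is an illustrative assumption, not a description of any vendor's actual patch, and every key and signature is constructed.

```python
# Added example (not from the article, paper or any resolver). A hash comparison
# stands in for the RSA/ECDSA check to model the validation loop behind KeyTrap:
# every tag-matching key is tried against every RRSIG unless failures are capped.
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsKey:
    key_tag: int     # RFC 4034 key tag (16 bits); collisions are permitted
    material: bytes

@dataclass(frozen=True)
class RrSig:
    key_tag: int     # tag of the key this signature claims to come from
    digest: bytes    # toy signature: sha256(key.material + signed data)

def toy_sign(key, data):
    return RrSig(key.key_tag, hashlib.sha256(key.material + data).digest())

def toy_verify(key, sig, data):
    return toy_sign(key, data).digest == sig.digest  # stand-in for RSA/ECDSA

def validate_rfc_style(keys, sigs, data):
    """Postel-style validator: try until something verifies; returns (valid, calls)."""
    calls = 0
    for sig in sigs:
        for key in (k for k in keys if k.key_tag == sig.key_tag):
            calls += 1
            if toy_verify(key, sig, data):
                return True, calls
    return False, calls

def validate_capped(keys, sigs, data, max_failures=16):
    """Hardened validator: abandon the RRset after max_failures failed checks (illustrative limit)."""
    calls = failures = 0
    for sig in sigs:
        for key in (k for k in keys if k.key_tag == sig.key_tag):
            calls += 1
            if toy_verify(key, sig, data):
                return True, calls
            failures += 1
            if failures >= max_failures:
                return False, calls
    return False, calls

def colliding_zone(n_keys, n_sigs, tag=0x1234):
    """Constructed sample: n_keys keys sharing one tag, n_sigs bogus RRSIGs."""
    keys = [DnsKey(tag, b"key-%d" % i) for i in range(n_keys)]
    sigs = [RrSig(tag, b"bogus-%d" % j) for j in range(n_sigs)]
    return keys, sigs
```

With 50 colliding keys and 50 bogus signatures the RFC-style loop performs 2,500 verify calls before giving up, while the capped validator stops after 16; a genuine signature still validates in both.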
ATHENE officials said they worked with all relevant vendors and major public DNS providers to disclose the vulnerability privately and allow a coordinated patch release. The last of those patches was published today.
“We are aware of this vulnerability and have worked with the researchers who reported it to deploy a fix,” a Google spokesperson told The Register. “At this time, there is no evidence of exploitation and no action is required from users.”
Networking research institute NLnet Labs has released a patch for its Unbound DNS software that addresses two vulnerabilities, one of which is KeyTrap. The other fixed bug, CVE-2023-50868, known as the NSEC3 vulnerability, also allows denial of service through CPU exhaustion.
“The KeyTrap vulnerability works by using a combination of keys (even colliding keys), signatures, and RRSET numbers on the malicious zone,” NLnet Labs wrote. “Responses from that zone can force the DNSSEC validator to go through a very CPU-intensive and time-consuming validation path.”
Meanwhile, PowerDNS has released an update to stop KeyTrap exploits.
“An attacker could publish a zone that contains crafted DNSSEC-related records. When validating the results of queries to that zone using RFC-mandated algorithms, Recursor’s resource usage could become very high, impacting the processing of other queries and potentially causing a denial of service,” the team wrote. “Please note that resolvers that comply with the RFC may be affected; this is not an issue with this particular implementation.”
The CVE-2023-50387 fix is just one of six vulnerabilities addressed in the Internet Systems Consortium’s BIND 9 DNS software. Others include:
- CVE-2023-4408: Parsing large DNS messages can cause excessive CPU load.
- CVE-2023-5517: When ‘nxdomain-redirect’ is enabled, querying an RFC 1918 reverse zone can result in an assertion failure.
- CVE-2023-5679: Enabling both DNS64 and serve-stale can result in an assertion failure during recursive resolution.
- CVE-2023-6516: Certain recursive query patterns can lead to an out-of-memory condition.
- CVE-2023-50868: Preparing NSEC3 nearest neighbor proofs can exhaust CPU resources.
According to the research team that identified it, the requirements underlying the KeyTrap vulnerability date back to 1999 and the now-obsolete RFC 2535. By 2012, the same elements appeared in RFC 6781 and RFC 6840, the implementation requirements for DNSSEC validation.
One packet is enough. You don’t need to do anything more to disconnect the entire network
KeyTrap has been present in the BIND 9 DNS resolver since at least August 2000 (over 23 years ago) and appeared in the Unbound DNS resolver seven years later.
“We’re thrilled to be able to provide the most advanced technology in the world,” Dr. Haya Schulman, a professor of computer science and one of the academics behind the KeyTrap research, told The Register in a telephone interview. The attack is simple, she said, and can be carried out by encoding it into a zone file.
“This vulnerability is actually recommended by the DNSSEC standard,” Professor Schulman explained. “One packet is enough; you don’t need to do more to disconnect the entire network.”
Professor Schulman said the patches issued by various vendors break the standard. “The problem is that this attack is not easy to solve,” she said. “When I launch it against a patched resolver, the CPU usage is 100%, but it is still responsive.”
The ATHENE team observed that, although the flaw went undetected for decades, its obscurity is not surprising given how complex the DNSSEC validation requirements are. The same complexity applies to mitigating the vulnerability: eliminating it completely would require revisions to the DNSSEC standard. ®