Researchers from the National Research Center for Applied Cybersecurity ATHENE in Darmstadt and Frankfurt, Germany, have disclosed a vulnerability in the design of DNSSEC (DNS Security Extensions) that affects every DNSSEC-validating DNS (Domain Name System) resolver implementation. The discovery, a new class of algorithmic complexity attacks named "KeyTrap," poses a severe risk to the resolver infrastructure the Internet depends on.
KeyTrap was developed by a team comprising Prof. Dr. Haya Schulmann and Niklas Vogel from Goethe University Frankfurt, Elias Heftrig from Fraunhofer SIT, and Prof. Dr. Michael Waidner from Technical University of Darmstadt and Fraunhofer SIT. It exploits a fundamental design flaw in DNSSEC validation: with a single DNS packet, an attacker can exhaust the CPU of a validating resolver and stall all widely used DNS resolver implementations, including those behind major public DNS services such as Google Public DNS and Cloudflare. The widely deployed BIND 9 could be stalled for up to 16 hours, which led DNS vendors to call KeyTrap "the worst attack on DNS ever discovered."
Because a stalled resolver answers no queries at all, KeyTrap can effectively cut off Internet access for every client that depends on a DNSSEC-validating resolver. The attack vectors are tracked in the Common Vulnerabilities and Exposures (CVE) database under the umbrella identifier CVE-2023-50387.
What makes this vulnerability particularly alarming is how widespread it is and how long it has lurked in the Internet infrastructure. It stems from the obsoleted RFC 2535 (1999) and was carried into the implementation requirements for DNSSEC validation in RFC 6781 (2012) and RFC 6840 (2013): so that validation does not fail on legitimate zones, a resolver is required to try every DNSKEY whose key tag matches an RRSIG, and every RRSIG on a record set, until one validates. Since the key tag is only a 16-bit value, an attacker can publish many colliding keys and signatures and force the resolver into a large number of expensive, failing signature verifications. KeyTrap has therefore existed in the wild for nearly 24 years, largely unnoticed. The complexity of the DNSSEC validation requirements is what made the flaw hard to spot, much as with Heartbleed or Log4j.
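To make the algorithmic complexity concrete, here is an added example (written for this post, not code from the ATHENE researchers) that simulates the validation loop in Python. It computes RFC 4034 key tags, mints DNSKEY records that all share one tag, and counts how many verification attempts a validator following the RFC rule makes when every signature fails, with and without a per-query failure budget of the kind vendors added. Real RSA/ECDSA verification is replaced by a hash check, the record data and key material are constructed, and the budget value of 16 is an assumption, not a specific vendor's limit.

```python
"""Simulated DNSSEC validation loop showing the complexity blow-up behind KeyTrap.

Added example for this post, not code from the ATHENE researchers. It models the
rule from RFC 4035 section 5.3.1 and RFC 6840: for every RRSIG on a record set,
try every DNSKEY whose algorithm and 16-bit key tag match, and continue with the
next RRSIG until one validates. Real RSA/ECDSA verification is replaced by a
cheap hash check (assumption) so the script runs offline; the attempt counts,
not the cryptography, are the point.
"""
import hashlib
import random
import struct

ALG_RSASHA256 = 8  # DNSSEC algorithm number from the IANA registry

def _accumulate(rdata: bytes) -> int:
    """Unfolded 16-bit word sum from RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    return ac

def _fold(ac: int) -> int:
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag of a DNSKEY RDATA (algorithms other than 1)."""
    return _fold(_accumulate(rdata))

def dnskey_rdata(pubkey: bytes, flags: int = 256, alg: int = ALG_RSASHA256) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def colliding_keys(n: int, target: int, rng: random.Random) -> list:
    """Mint n distinct DNSKEY RDATAs whose key tags all equal `target`.

    The tag is a folded sum of 16-bit words, so after a random 64-byte body
    (constructed data, not real RSA material) a 2-byte trailer at an even offset
    adds exactly its value to the sum and is brute-forced to hit the target.
    """
    keys = []
    while len(keys) < n:
        prefix = dnskey_rdata(bytes(rng.randrange(256) for _ in range(64)))
        ac0 = _accumulate(prefix)  # len(prefix) == 68, so the trailer is word-aligned
        for w in range(0x10000):
            if _fold(ac0 + w) == target:
                keys.append(prefix + struct.pack("!H", w))
                break  # a prefix with no working trailer (rare) is simply retried
    return keys

def fake_sign(key: bytes, data: bytes) -> bytes:
    """Stand-in for a real signature: a hash binding key and data (assumption)."""
    return hashlib.sha256(key + data).digest()

def fake_verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hashlib.sha256(key + data).digest() == sig

def validate_rrset(rrsigs, dnskeys, data, budget=None):
    """Validate `data` against RRSIGs modelled as (key_tag, algorithm, signature).

    Returns (validated, verification_attempts). budget=None is the unmitigated RFC
    behaviour; a budget models the vendor fix of giving up (SERVFAIL) after a
    fixed number of failed verifications for one query (limit value assumed).
    """
    attempts = 0
    for tag, alg, sig in rrsigs:
        for key in dnskeys:
            if key[3] != alg or key_tag(key) != tag:  # RDATA byte 3 is the algorithm
                continue
            attempts += 1
            if fake_verify(key, data, sig):
                return True, attempts
            if budget is not None and attempts >= budget:
                return False, attempts
    return False, attempts

def keytrap_demo(n_keys: int = 20, n_sigs: int = 20, budget: int = 16, seed: int = 1) -> dict:
    """Benign zone vs. attacker zone, with and without a verification budget."""
    rng = random.Random(seed)
    data = b"www.example. 300 IN A 192.0.2.1"  # constructed record set
    target = 0x1234                              # key tag shared by every DNSKEY and RRSIG
    keys = colliding_keys(n_keys, target, rng)
    # Benign: one RRSIG made with a key that is in the RRset, placed last (worst case).
    benign = validate_rrset([(target, ALG_RSASHA256, fake_sign(keys[-1], data))], keys, data)
    # Attack: n_sigs RRSIGs carry the shared tag but match no key, so all
    # n_keys * n_sigs verifications fail before the resolver can give up.
    bogus = [(target, ALG_RSASHA256, bytes(rng.randrange(256) for _ in range(32)))
             for _ in range(n_sigs)]
    return {
        "distinct_keys": len(set(keys)),
        "distinct_tags": len({key_tag(k) for k in keys}),
        "benign": benign,
        "unmitigated": validate_rrset(bogus, keys, data),
        "budgeted": validate_rrset(bogus, keys, data, budget=budget),
    }
```

Calling `keytrap_demo()` shows the shape of the problem: a legitimate zone with 20 colliding keys still costs up to 20 verifications for one signature, while 20 bogus signatures against 20 colliding keys cost 400 failing verifications in the unmitigated validator and only 16 once a failure budget is enforced. Real attacks scale the key and signature counts much further, and each real verification is a full public-key operation rather than a hash, which is where the hours of CPU time come from.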
Regrettably, the identified vulnerabilities are not simple to resolve, because they are rooted in the design of DNSSEC rather than being mere implementation bugs. The ATHENE team has been working with major vendors on mitigations, but addressing the problem at its core may require a fundamental reconsideration of the design philosophy behind DNSSEC and a revision of the DNSSEC standards.
This revelation underscores the urgency for the cybersecurity community to address these critical vulnerabilities and reassess the foundational principles governing DNSSEC to ensure the continued security and resilience of the Internet infrastructure.
Stay informed, stay vigilant. The ATHENE team’s findings serve as a wake-up call to collectively fortify the backbone of the digital world against unforeseen threats.
The ATHENE press release is linked here.