KeyTrap attack: Internet access disrupted with one DNS packet
A serious vulnerability in the DNSSEC feature could be exploited to deny internet access to applications for an extended period.
KeyTrap vulnerability in DNSSEC
KeyTrap is a serious vulnerability in the design of the Domain Name System Security Extensions (DNSSEC). A single crafted DNS response can stall a DNSSEC-validating resolver, and every application that depends on that resolver loses name resolution, and with it effectively internet access, for as long as the stall lasts. It is tracked as CVE-2023-50387 and affected all widely used DNSSEC-validating resolver implementations and public DNS services.
DNSSEC extends the DNS with cryptographic signatures on DNS records so that a validating resolver can check that the data comes from the zone's legitimate operator and has not been tampered with in transit. KeyTrap is not an implementation bug but a consequence of the validation rules written into the standard, which have carried the flaw for over two decades.
Researchers from the National Research Center for Applied Cybersecurity ATHENE, alongside experts from Goethe University Frankfurt, Fraunhofer SIT, and the Technical University of Darmstadt, discovered the vulnerability.
Significant damage caused by a single attack request
The KeyTrap vulnerability arises from the standard's requirement that a validating resolver try every candidate key and signature before giving up: when an RRset carries several RRSIGs and the zone publishes several DNSKEYs that share a key tag and algorithm, the resolver must attempt each signature against each matching key before it may conclude that validation failed, even if the keys are misconfigured or the signatures are bogus. An attacker who controls a zone can therefore publish many colliding keys and many invalid signatures and force a quadratic amount of expensive signature-verification work for a single response. This design flaw opens up a new class of DNSSEC-based algorithmic complexity attacks.
By exploiting KeyTrap, an attacker can significantly delay a DNS resolver, increasing the CPU instructions spent on a single response by a factor of up to 2,000,000 compared with a benign response. How long the resolver stays busy depends on the implementation: a single attack request can stall a resolver for anywhere from 56 seconds to 16 hours, during which it serves no other queries.
The consequences are severe because almost everything above the DNS depends on name resolution. A stalled resolver takes web browsing, email, and instant messaging down with it for every client that uses it, so an attack against widely used resolvers can disable large parts of the internet.
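To make the cost structure concrete, here is an added Python model of the validation loop (example code, not from the ATHENE paper or from any resolver). It implements the RFC 4034 key tag computation, builds a set of distinct DNSKEY records that all share one key tag, and counts how many signature-verification attempts a standard-conforming validator spends on an RRset with many bogus RRSIGs. Real public-key verification is replaced by a stub that always fails, since only the number of attempts matters. The same block also shows the effect of the 32-failure cap described under "Mitigations" below; the key material, algorithm number 13 and the cap value are assumptions for the example.

```python
"""Cost model of the DNSSEC validation loop behind KeyTrap (CVE-2023-50387).

Added example, not code from the ATHENE paper or from any resolver. A validator
that follows RFC 4035 section 5.3.1 must try an RRSIG against every DNSKEY whose
key tag and algorithm match it, for every RRSIG over the RRset, before it may
give up. Real signature verification is replaced by a counting stub that always
fails (an attacker's signatures are bogus); the number of attempts is what the
attack inflates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA, the input to the key tag computation."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a folded 16-bit sum of the RDATA words."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def colliding_keys(n: int, algorithm: int = 13, key_len: int = 64) -> list:
    """Return n distinct DNSKEYs that all share one key tag.

    The tag is a sum of 16-bit words, so adding k to one word and subtracting k
    from another leaves it unchanged. The filler key material is constructed
    for the example and is not a usable public key.
    """
    if not 1 <= n <= 257:
        raise ValueError("this simple construction supports 1..257 keys")
    keys = []
    for k in range(n):
        pk = bytearray(b"\x01" * key_len)          # every 16-bit word is 0x0101
        w0 = int.from_bytes(pk[0:2], "big") + k
        w1 = int.from_bytes(pk[2:4], "big") - k
        pk[0:2] = w0.to_bytes(2, "big")
        pk[2:4] = w1.to_bytes(2, "big")
        keys.append(DNSKEY(flags=256, protocol=3, algorithm=algorithm,
                           public_key=bytes(pk)))
    return keys


def never_verifies(key: DNSKEY, sig: RRSIG) -> bool:
    """Stand-in for an expensive public-key operation that fails every time."""
    return False


def validate(keys, sigs, verify=never_verifies, max_failures=None):
    """Validate an RRset as the standard requires; returns (secure, attempts).

    With max_failures=None the loop is unbounded, which is the KeyTrap
    behaviour; with a cap the validator stops after that many failures and
    treats the RRset as bogus instead of trying further keys.
    """
    attempts = 0
    for sig in sigs:
        for key in keys:
            if key.algorithm != sig.algorithm or key_tag(key.rdata()) != sig.key_tag:
                continue                           # not a candidate, no crypto spent
            attempts += 1
            if verify(key, sig):
                return True, attempts
            if max_failures is not None and attempts >= max_failures:
                return False, attempts             # give up early: bogus
    return False, attempts


def keytrap_cost(n_keys: int, n_sigs: int, max_failures=None) -> int:
    """Verification attempts spent on an attacker zone publishing n_keys
    colliding DNSKEYs and n_sigs bogus RRSIGs over one RRset."""
    keys = colliding_keys(n_keys)
    tag = key_tag(keys[0].rdata())
    sigs = [RRSIG(algorithm=13, key_tag=tag, signature=bytes([i & 0xFF]))
            for i in range(n_sigs)]
    secure, attempts = validate(keys, sigs, max_failures=max_failures)
    assert not secure
    return attempts


if __name__ == "__main__":
    keys = colliding_keys(100)
    print("distinct key tags:", len({key_tag(k.rdata()) for k in keys}))
    print("unbounded validator:", keytrap_cost(100, 100))
    print("capped at 32 failures:", keytrap_cost(100, 100, max_failures=32))
```

With 100 colliding keys and 100 bogus signatures the unbounded validator performs 10,000 verification attempts for one response, and each attempt in a real resolver is a full public-key operation; the capped validator stops at 32. The cap does not remove the design issue, it only bounds the work an attacker can force per response.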
Mitigations and impact on DNS service providers
KeyTrap went unnoticed for nearly 25 years because of the complexity of the DNSSEC validation requirements. Before disclosure, the researchers worked with resolver vendors and DNS service providers, including Google and Cloudflare, to develop mitigations.
Akamai, a leading provider of content delivery network services, has developed and deployed mitigations for its DNS resolvers, including CacheServe and AnswerX. These mitigations cap the number of failed signature validations a resolver will attempt for a response at 32; once the cap is reached the resolver stops trying further keys, so an attacker can no longer drive the CPU cost up without bound and stall the resolver.
Approximately 35% of U.S.-based and 30% of global internet users rely on DNS resolvers that perform DNSSEC validation, and those users are exposed to KeyTrap until their resolver is fixed. Google and Cloudflare have already deployed fixes in their DNS services; operators running their own validating resolvers should apply the vendor updates released for CVE-2023-50387.