KeyTrap DNS Bug Threatens Widespread Internet Outages

Thanks to a 24-year-old security vulnerability tracked as CVE-2023-50387, attackers could stall DNS servers with just a single malicious packet, effectively taking out wide swaths of the Internet.


Design Flaw in DNS Security Extension Discovered

Researchers have recently discovered a design flaw in a Domain Name System (DNS) security extension that has been present since 2000. This flaw could be exploited under certain circumstances to cause widespread internet outages.

DNS servers translate domain names into IP addresses, a lookup on which essentially all internet traffic depends. The vulnerability, known as KeyTrap or CVE-2023-50387, allows a single packet sent to a DNS server that uses the DNSSEC extension to force the server into a resolution loop.

The server consumes all its computing power and stalls, potentially causing multiple DNS servers to crash at the same time and resulting in extensive internet outages.

Testing and Impact on DNS Servers

In testing, it was found that the duration of DNS server downtime varied. BIND 9, the most widely deployed DNS implementation, could remain stalled for up to 16 hours. This vulnerability affects 34% of DNS servers in North America that use DNSSEC for authentication.

So far, there is no evidence of active exploitation of this vulnerability. However, it is crucial for DNS service providers to apply the necessary patches immediately to mitigate the risk.

The researchers who discovered KeyTrap define it as a new class of cyberattack called 'Algorithmic Complexity Attacks'. They have been working with major DNS service providers to deploy patches, but emphasize that the patches are only a temporary fix. A revision of DNSSEC standards is needed to address the fundamental design flaw.
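To make the "algorithmic complexity" nature of the flaw concrete, here is an added Python simulation (not code from the article, the researchers, or any resolver) of the validation work a DNSSEC resolver performs: by RFC 4035 it must try every DNSKEY whose 16-bit key tag matches an RRSIG's tag before it can reject the signature, so a single response carrying many same-tag keys and signatures costs keys × signatures verifications, and the vendor patches bound that work. The budget of 16, the key tag 0x1234 and the record contents are assumptions.

```python
from dataclasses import dataclass

# Constructed simulation of the DNSSEC validation cost behind KeyTrap.
# Per RFC 4035 a validator tries every DNSKEY whose key tag matches an
# RRSIG's key tag; tags are 16-bit and need not be unique, so a response
# with K such keys and S signatures forces K*S verification attempts.

@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    public_key: bytes

@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    signature: bytes

def verify(key: DNSKEY, sig: RRSIG) -> bool:
    """Stand-in for the public-key check; a crafted signature never verifies."""
    return False

def validate(keys, sigs, max_attempts=None):
    """Try every DNSKEY whose tag matches each RRSIG until one verifies.
    max_attempts=None is the pre-patch, unbounded behaviour; a number is the
    patched behaviour (assumed budget; vendors chose their own limits).
    Returns (validated, verification_attempts)."""
    attempts = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag:
                continue  # RFC 4035: only tag-matching keys are tried
            if max_attempts is not None and attempts >= max_attempts:
                return False, attempts  # budget spent: treat data as bogus
            attempts += 1
            if verify(key, sig):
                return True, attempts
    return False, attempts

def colliding_response(n_keys, n_sigs, key_tag=0x1234):
    """Constructed response: every key and every signature shares one tag."""
    keys = [DNSKEY(key_tag, b"k%d" % i) for i in range(n_keys)]
    sigs = [RRSIG(key_tag, b"s%d" % i) for i in range(n_sigs)]
    return keys, sigs

if __name__ == "__main__":
    keys, sigs = colliding_response(50, 50)
    print(validate(keys, sigs))       # (False, 2500)
    print(validate(keys, sigs, 16))   # (False, 16)
```

A benign response with distinct key tags costs one attempt per signature, which is why the bound does not affect legitimate validation.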

Next Steps and Recommendations

The researchers commend the close coordination with vendors and service providers to disclose the flaw and create patches. They urge DNS server administrators to update to the latest version and patch the vulnerability in order to mitigate the risk.

Disabling DNSSEC validation on DNS servers is not recommended, although it would resolve the issue temporarily. The Internet Systems Consortium advises organizations running the open-source DNS implementation BIND 9 to install the specific versions that address the vulnerability.

It is crucial for service providers and DNS administrators to prioritize a permanent fix for affected DNS resolvers to ensure the security and stability of the internet.