Security researchers have discovered a major flaw in the DNS system that could “completely disable” large parts of the worldwide Internet for extended periods of time.
Cybersecurity researchers from the National Research Center for Applied Cybersecurity ATHENE, Goethe University Frankfurt, Fraunhofer SIT, and the Technical University of Darmstadt, recently found a flaw in the Domain Name System Security Extension (DNSSEC), a security protocol that adds an additional protection layer to the Domain Name System (DNS).
With DNSSEC, DNS records get a digital signature that confirms they weren’t changed, or forged, in transit.
Fixes available
The flaw, tracked as CVE-2023-50387, was named KeyTrap, and in short – allows threat actors to mount long-lasting denial-of-service (DoS) attacks against various internet applications and programs. “Exploitation of this attack would have severe consequences for any application using the Internet, including unavailability of technologies such as web-browsing, e-mail, and instant messaging,” ATHENE said in an advisory. “With KeyTrap, an attacker could completely disable large parts of the worldwide Internet,” the researchers warned.
A patch was already developed and is being deployed at press time.
Akamai’s figures show that almost a third of all internet users are susceptible to KeyTrap, BleepingComputer reported.
The vulnerability, they further explained, was present in DNSSEC for more than two decades, but was never discovered or exploited due to the complexity of the DNSSEC validation requirements. The attacks would result in the denial of service lasting anywhere between a minute and 16 hours.
In early November 2023, the researchers demonstrated their findings to Google and Cloudflare, with whom they’ve been working on mitigations, ever since. Now, Akamai already released mitigations for its DNSi recursive resolvers, and both Google and Cloudflare deployed their patches, as well.
While having the issue fixed is good news, the researchers stress that in order to be safe from future similar threats, the entire DNSSEC design philosophy should be reevaluated.
