URL has been copied successfully!
KeyTrap DNSSEC: The day the internet (almost) stood still
URL has been copied successfully!

Collecting Cyber-News from over 60 sources

A severe vulnerability in the internet lookup protocol DNSSEC carried the potential to make much of the web functionally inaccessible for many, according to a presentation at Black Hat Europe.DNSSEC (Domain Name System Security Extensions) offers mitigation against various types of cyberattacks, including DNS spoofing and cache poisoning, by providing a way to cryptographically authenticate DNS responses and verify data integrity. The technology, first applied at the root level in 2010, had a slow rollout but is currently deployed to about a third of the systems on the internet.During their presentation at Black Hat on Wednesday, researchers from Germany’s National Research Centre for applied cybersecurity (ATHENE) explained how the KeyTrap (CVE-2023-50387) vulnerability created a resource exhaustion condition for machines running DNSSEC-validated DNS services.KeyTrap attacks exploit algorithmic complexity, for example, in validating signatures against DNSSEC keys, to tie up resources and stop resolvers from handling valid requests.A single 100-byte DNS request can cause a resolver to cease responding for between two minutes and 16 hours, depending on the implementation. Because the vulnerability exploited features of the DNSSEC standard designed to support functions such as key rollover and algorithm rollover, all implementations were vulnerable.Researchers Elias Heftrig and Niklas Vogel, part of the four-person ATHENE team, explained during their talk at Black Hat the roots of the problem and how it was resolved through a month-long confidential disclosure process. They worked with vendors and operators including ISC (BIND), Google, Cloudflare, and Akamai to develop mitigations and patches, which were rolled out in February 2024.Resolving the vulnerability involved creating stable and secure software that “intentionally disobeys RFC requirements.” The patches worked by limiting the number of validations performed by resolvers.No attack based on the vulnerability ever happened, which is just as well because if it did it would have effectively disabled any DNSSEC-validating resolver, impacting various services that rely on DNS, including web browsing, email, and TLS. The internet effectively “dodged a bullet,” the researchers argue.Despite the arduous process, Heftrig told CSO he still has faith in DNSSEC as superior to legacy technologies and more advanced in its development than potential alternatives.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3623544/keytrap-dnssec-the-day-the-internet-almost-stood-still.html

Loading

Share via Email
Share on Facebook
Tweet on X (Twitter)
Share on Whatsapp
Share on LinkedIn
Share on Xing
Copy link