Security researchers have discovered a major flaw in the DNS system that could “completely disable” large parts of the Internet around the world for extended periods.
Cybersecurity researchers from the National Center for Applied Cybersecurity Research ATHENE, Goethe University Frankfurt, Fraunhofer SIT and the Technical University of Darmstadt recently found a flaw in the Domain Name System Security Extensions (DNSSEC), a security extension that adds an extra layer of protection to the Domain Name System (DNS).
With DNSSEC, DNS records obtain a digital signature confirming that they were not modified or falsified in transit.
Fixes available
The flaw, tracked as CVE-2023-50387, was named KeyTrap and, in short, allows threat actors to mount long-lasting denial of service (DoS) attacks against various Internet applications and programs. “Exploitation of this attack would have serious consequences for any application that uses the Internet, including the unavailability of technologies such as web browsing, email, and instant messaging,” ATHENE said in an advisory. “With KeyTrap, an attacker could completely disable much of the Internet around the world,” the researchers warned.
A patch has already been developed and is being deployed at the time of this publication.
Akamai figures show that almost a third of all Internet users are susceptible to KeyTrap, BleepingComputer reported.
The vulnerability, they further explained, was present in DNSSEC for more than two decades, but was never discovered or exploited due to the complexity of DNSSEC validation requirements. The attacks would cause a denial of service lasting between one minute and 16 hours.
In early November 2023, the researchers demonstrated their findings to Google and Cloudflare, with whom they have been working on mitigations since then. Now, Akamai has already released mitigations for its DNSi recursive resolvers, and both Google and Cloudflare have also deployed their patches.
While fixing the issue is good news, the researchers emphasize that to be protected against similar threats in the future, the entire DNSSEC design philosophy must be reevaluated.