iTnews Asia

DNS resolvers inherited specification bug

One “Key Trap” packet can crash the target.

By Richard Chirgwin on Feb 16, 2024 10:45AM

A protocol error in the venerable Domain Name System Security Extensions (DNSSEC) specification, dubbed Key Trap, exposes DNS resolvers worldwide to denial-of-service attacks.

While CVE-2023-50387 only rates a CVSS score of 7.5, its ease of exploitation makes patching an urgent matter.

A team of researchers from Germany’s ATHENE cyber security research centre found the Key Trap error in the DNSSEC protocol, after they invented a class of attack they called Algorithmic Complexity Attacks.

“They demonstrated that just with a single DNS packet, the attack can exhaust the CPU and stall all widely used DNS implementations and public DNS providers, such as Google Public DNS and Cloudflare,” the researchers wrote.

“In fact, the popular Bind9 DNS implementation can be stalled for as long as 16 hours.”

The researchers say more than 31 percent of web clients use DNSSEC-validating resolvers, so the attacks affect not only DNS but also any application using it.

“An unavailability of DNS may not only prevent access to content but risks also disabling security mechanisms, like anti-spam defences, Public Key Infrastructures (PKI), or even inter-domain routing security like RPKI (Resource Public Key Infrastructure).”

The researchers did not provide technical detail on Key Trap, but they say the protocol bug has existed for a long time.

The bug was inherited by the current specifications, RFC 6781 and RFC 6840, from the obsolete RFC 2535.

The ATHENE researchers say the bug has existed in the wild since at least August 2000 in the de facto standard Bind9 DNS resolver, and since August 2007 in the Unbound DNS resolver.

The Internet Systems Consortium, which maintains Bind9, has issued a patch, as has NLNetLabs, which maintains Unbound.

Microsoft patched the bug as part of Patch Tuesday, in Windows Server versions dating back as far as 2012.

Linux distributions inherit the bug in their DNSSEC-capable servers and will be patched as upstream patches become available.

Key Trap also affected public resolvers like Google Public DNS and Cloudflare, the researchers said.

While the ATHENE team said it has been working with all major vendors to mitigate the attacks, a complete fix will require a redesign of the DNSSEC protocol.

Copyright © iTnews.com.au. All rights reserved.