Priya Patel
TLDR:
- A security vulnerability named KeyTrap (CVE-2023-50387) threatens widespread Internet outages by stalling DNS servers with a single malicious packet.
- Researchers identified the flaw in the DNSSEC extension, leading to an entirely new class of cyberattacks dubbed Algorithmic Complexity Attacks.
Thanks to a 24-year-old security vulnerability tracked as CVE-2023-50387, attackers could stall DNS servers with just a single malicious packet, effectively taking out wide swaths of the Internet. Although it’s been sitting there since 2000, researchers were just recently able to suss out a fundamental design flaw in a Domain Name System (DNS) security extension, which under certain circumstances could be exploited to take down wide expanses of the Internet.
The team behind the discovery is from ATHENE National Research Center for Applied Cybersecurity in Germany. They named the security vulnerability “KeyTrap,” tracked as CVE-2023-50387. According to their new report on the KeyTrap DNS bug, the researchers found that a single packet sent to a DNS server implementation using the DNSSEC extension to validate traffic could force the server into a resolution loop that causes it to consume all of its own computing power and stall.
If multiple DNS servers were exploited at the same time with KeyTrap, they could be downed simultaneously, resulting in widespread Internet outages. The good news is that there is no evidence of active exploit so far, according to the report and ISC.
ATHENE added that KeyTrap represents an entirely new class of cyberattacks, which the team named “Algorithmic Complexity Attacks.” The research team worked with major DNS service providers, including Google and Cloudflare, to deploy necessary patches before making their work public. The ISC does not recommend disabling DNSSEC validation on DNS servers, even though it resolves the issue.
Now the onus shifts to people running DNS servers to get the latest version and patch the vulnerability. The ICS concludes: “We instead strongly advise installing one of the versions of BIND listed below, in which an exceptionally complex DNSSEC validation will no longer impede other server workload.”
