Teacher
Professional
- Messages
- 2,669
- Reaction score
- 819
- Points
- 113
A critical breach in DNSSEC requires a review of key Internet security standards.
The German National Research Center for Applied Cybersecurity ATHENE has discovered a critical vulnerability in the domain name security system (DNSSEC), which can lead to serious consequences for the entire Internet.
A bug hidden in the DNSSEC specification for 24 years allows a single data packet to overload the server, making it inaccessible to users. This discovery may endanger the stability of the Internet, as it affects the basics of the domain name system.
DNSSEC, an extension for the domain name system, is designed to protect against data spoofing by using cryptography. However, the discovered vulnerability, called KeyTrap and designated as CVE-2023-50387, can bypass this protection, causing excessive load on the server processor.
Researchers have discovered that a KeyTrap attack can completely block the operation of public DNS services such as Google and Cloudflare.
The consequences of an attack can be truly devastating, including disrupting access to websites, email, and instant messages. It is estimated that about 31% of Internet customers worldwide use vulnerable DNS resolvers and may be affected by this vulnerability.
The security flaw allows attackers to conduct attacks by forcing DNS resolvers to perform complex calculations, which causes them to stop for a period of several seconds to 16 hours. The attack is based on a specific response from a malicious server that causes processor congestion when attempting DNSSEC validation.
DNS server software developers and major DNS providers have already released patches to address the vulnerability. Google, NLnet Labs and PowerDNS have confirmed the release of updates aimed at preventing KeyTrap exploitation. At the same time, as the researchers noted, the complete elimination of the vulnerability will require a constructive revision of the DNSSEC standard.
The launch of KeyTrap raises the question of the need to further improve Internet security standards and highlights the importance of cooperation between the scientific community and the industry in the field of cybersecurity.
The German National Research Center for Applied Cybersecurity ATHENE has discovered a critical vulnerability in the domain name security system (DNSSEC), which can lead to serious consequences for the entire Internet.
A bug hidden in the DNSSEC specification for 24 years allows a single data packet to overload the server, making it inaccessible to users. This discovery may endanger the stability of the Internet, as it affects the basics of the domain name system.
DNSSEC, an extension for the domain name system, is designed to protect against data spoofing by using cryptography. However, the discovered vulnerability, called KeyTrap and designated as CVE-2023-50387, can bypass this protection, causing excessive load on the server processor.
Researchers have discovered that a KeyTrap attack can completely block the operation of public DNS services such as Google and Cloudflare.
The consequences of an attack can be truly devastating, including disrupting access to websites, email, and instant messages. It is estimated that about 31% of Internet customers worldwide use vulnerable DNS resolvers and may be affected by this vulnerability.
The security flaw allows attackers to conduct attacks by forcing DNS resolvers to perform complex calculations, which causes them to stop for a period of several seconds to 16 hours. The attack is based on a specific response from a malicious server that causes processor congestion when attempting DNSSEC validation.
DNS server software developers and major DNS providers have already released patches to address the vulnerability. Google, NLnet Labs and PowerDNS have confirmed the release of updates aimed at preventing KeyTrap exploitation. At the same time, as the researchers noted, the complete elimination of the vulnerability will require a constructive revision of the DNSSEC standard.
The launch of KeyTrap raises the question of the need to further improve Internet security standards and highlights the importance of cooperation between the scientific community and the industry in the field of cybersecurity.
