Researchers in Germany have identified a major security flaw in the Domain Name System (DNS) security extension that has been present since 2000. The flaw, which they named “KeyTrap,” was discovered by the team at the ATHENE National Research Center for Applied Cybersecurity and could potentially lead to widespread Internet outages.
The flaw in question allows for a single packet sent to a DNS server implementation using the DNSSEC extension to trigger a resolution loop, causing the server to consume all of its computing power and stall. If multiple DNS servers were exploited at the same time with KeyTrap, it could lead to significant outages, according to the academics.
In their report on the KeyTrap DNS bug, the research team noted that in testing the duration of the outage varied, with the most widely deployed DNS implementation, BIND 9, remaining stalled for up to 16 hours.
The vulnerability affects 34% of DNS servers in North America that use DNSSEC for authentication. However, despite the serious nature of the flaw, there is currently no evidence of active exploitation.
The research team at ATHENE has categorized KeyTrap as a new class of cyberattack, which they have labeled “Algorithmic Complexity Attacks.” They have been working closely with major DNS service providers, including Google and Cloudflare, to deploy patches that address the vulnerability. The team emphasized the importance of applying these patches immediately to mitigate the critical vulnerability.
Commenting on the disclosure of the flaw, Fernando Montenegro, Omdia’s senior principal analyst for cybersecurity, commended the researchers for working in coordination with vendors and service providers to develop patches. He also stressed the need for service providers to find a permanent fix for affected DNS resolvers.
The Internet Systems Consortium (ISC) has cautioned against disabling DNSSEC validation on DNS servers as a solution to the issue, instead recommending the installation of updated versions of DNS software, such as BIND 9, to address the flaw.
Efforts are also underway to revise DNSSEC standards to fully rethink its design, with the goal of preventing similar vulnerabilities from emerging in the future. In the meantime, service providers are urged to take immediate action to ensure the security of their DNS infrastructure.
The identification and disclosure of the KeyTrap DNS flaw highlight the ongoing challenges in securing critical Internet infrastructure and the importance of collaboration between researchers, vendors, and service providers to address and mitigate potential vulnerabilities. Developments in this area will be closely monitored, as the global implications of such security vulnerabilities are significant.