'KeyTrap' DNS Bug Threatens Widespread Internet Outages

Although it's been sitting there since 2000, researchers were just recently able to suss out a fundamental design flaw in a Domain Name System (DNS) security extension, which under certain circumstances could be exploited to take down wide expanses of the Internet.

DNS servers translate website URLs into IP addresses and, mostly invisibly, carry all Internet traffic.

The team behind the discovery is from ATHENE National Research Center for Applied Cybersecurity in Germany. They named the security vulnerability "KeyTrap," tracked as CVE-2023-50387. According to their new report on the KeyTrap DNS bug, the researchers found that a single packet sent to a DNS server implementation using the DNSSEC extension to validate traffic could force the server into a resolution loop that causes it to consume all of its own computing power and stall. If multiple DNS servers were exploited at the same time with KeyTrap, they could be downed at the same time, resulting in widespread Internet outages, according to the team of academics.

In testing, the length of time the DNS servers remained offline after an attack differed, but the report noted that Bind 9, the most widely deployed DNS implementation, could remain stalled for up to 16 hours.

According to the Internet Systems Consortium (ISC), which oversees DNS servers worldwide, 34% of DNS servers in North America use DNSSEC for authentication and are therefore vulnerable to this flaw.

The good news is that there is no evidence of active exploit so far, according to the report and ISC.

New Class of DNS Cyberattacks

ATHENE added that KeyTrap represents an entirely new class of cyberattacks, which the team named "Algorithmic Complexity Attacks."

The research team spent the past several months working with major DNS service providers, including Google and Cloudflare, to deploy necessary patches before making their work public. The team noted the patches are only a temporary fix and that it is working to revise DNSSEC standards to fully rethink its design.

"The researchers worked with all relevant vendors and major public DNS providers over several months, resulting in a number of vendor-specific patches, the last ones published on Tuesday, Feb. 13," according to the report. "It is highly recommended for all providers of DNS services to apply these patches immediately to mitigate this critical vulnerability."

Fernando Montenegro, Omdia's senior principal analyst for cybersecurity, praises the researchers for disclosing the flaw in close coordination with the vendor ecosystem.

"Kudos to the researchers," Montenegro says. "This was disclosed in coordination with researchers, service providers, and those responsible for creating a patch."

From here, its up to the service providers to find a path toward a permanent fix for affected DNS resolvers, he adds.

"Now the onus shifts to people running DNS servers to get the latest version and patch the vulnerability," Montenegro says.

The ISC does not recommend administrators disable DNSSEC validation on DNS servers, even though it does resolve the issue. For those running the open source DNS implementation Bind 9, the ICS has an update.

The ICS concludes: "We instead strongly advise installing one of the versions of BIND listed below, in which an exceptionally complex DNSSEC validation will no longer impede other server workload."