Can a DNS packet really prevent access to the Internet? What is KeyTrap

DNS (Domain Name System) is the mechanism behind domain name resolution: it turns a mnemonic name into the public IP address of the remote server to reach. DNS servers work hierarchically and rely on records (resource records, grouped into zones) that map names to addresses, for example a hostname to its IP address.

How DNSSEC makes domain name resolution more secure

With the addition of DNSSEC (Domain Name System Security Extensions), DNS becomes more robust. Through cryptographic signatures, DNSSEC adds origin authentication and integrity protection to DNS answers: a validating resolver can verify that the data was signed by the zone's legitimate key and, following the chain of trust up to the root, that it comes from the correct authoritative server. Data modified in transit to redirect users to a malicious site fails validation and is discarded. Note that DNSSEC does not encrypt DNS traffic: it proves that answers are authentic, not that they are private.

The goal of cyber criminals is precisely to ensure that when you type the URL of a legitimate page (think of an online banking service), your browser does not reach the correct IP address but a different public IP on which a web server operated by the attacker is running. The victim is thus led to believe they are on the site they requested (and, for example, enters personal credentials and other confidential data), when what is displayed is simply a copy created by the attacker.

KeyTrap: A single packet could block access to a large number of servers

A group of researchers from the National Research Center for Applied Cybersecurity ATHENE, together with experts from the Goethe University of Frankfurt, Fraunhofer SIT and the Technical University of Darmstadt, have announced the discovery of a serious security flaw in the DNSSEC standard, one that has been present for about two decades.

Classified with the identifier CVE-2023-50387 and named KeyTrap, the security issue affects every DNSSEC-validating implementation, whatever the software. Without the security patches now being distributed (and in some cases already applied on the DNS server side), an attacker can send a single packet to cause a persistent denial of service (DoS): the vulnerable DNS resolver stops answering name resolution requests and its users can no longer reach the destinations they ask for. Operators should check their resolver vendor's advisory for CVE-2023-50387 and confirm the deployed version carries the fix.

The researchers explain that the issue stems from how DNSSEC handles validation when a zone publishes several keys together with several signatures. A validating resolver must try every DNSKEY whose algorithm and key tag match an RRSIG, for every RRSIG it receives, and may treat the answer as bogus only after all combinations have failed. Since the key tag is a simple 16-bit checksum, an attacker can easily craft many distinct keys that share the same tag, forcing the resolver to attempt every key/signature pair. According to the researchers this increases the CPU time needed to resolve a single request by up to 2 million times, which stalls the resolver and produces a DoS.
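The following model shows the validation loop described above and why bounding it matters. It is an added example written for this page, not code from the ATHENE researchers or from any DNS resolver. Only the key tag computation follows the real specification (RFC 4034, Appendix B); HMAC-SHA256 stands in for the asymmetric signature algorithm so the block runs offline, the "public key" bytes double as the HMAC secret, and the failure budget of 16 in the bounded validator is an illustrative number, not a value taken from any vendor's patch.

```python
"""Toy model of the KeyTrap validation blow-up (CVE-2023-50387).

Added example, not code from the ATHENE team or from any DNS resolver.
The key-tag routine follows RFC 4034 Appendix B; HMAC-SHA256 is a
placeholder for real DNSSEC signature verification (toy, not DNSSEC).
"""
import hashlib
import hmac
from dataclasses import dataclass


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5):
    a 16-bit sum over the DNSKEY RDATA with the carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes
    protocol: int = 3

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def tag(self) -> int:
        return key_tag(self.rdata())


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


def toy_sign(key: DNSKEY, data: bytes) -> bytes:
    # Placeholder for RSA/ECDSA signing: the public key bytes act as HMAC secret.
    return hmac.new(key.public_key, data, hashlib.sha256).digest()


def toy_verify(key: DNSKEY, data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(toy_sign(key, data), signature)


def colliding_keys(n: int, algorithm: int = 13) -> list:
    """n distinct DNSKEYs with identical key tags. The tag is a plain byte
    sum, so keeping the sum of even-position bytes and the sum of
    odd-position bytes constant keeps the tag constant (n <= 200)."""
    keys = [DNSKEY(flags=257, algorithm=algorithm,
                   public_key=bytes([i, i, 200 - i, 200 - i]))
            for i in range(n)]
    assert len({k.tag() for k in keys}) == 1
    return keys


def candidates(sig: RRSIG, dnskeys):
    """RFC 4035 section 5.3.1: a DNSKEY is a candidate for an RRSIG when
    algorithm and key tag match."""
    return [k for k in dnskeys
            if k.algorithm == sig.algorithm and k.tag() == sig.key_tag]


def validate_naive(data: bytes, rrsigs, dnskeys):
    """Try every RRSIG against every candidate DNSKEY, accept on the first
    success, give up only when all pairs fail. Returns (authentic, attempts)."""
    attempts = 0
    for sig in rrsigs:
        for key in candidates(sig, dnskeys):
            attempts += 1
            if toy_verify(key, data, sig.signature):
                return True, attempts
    return False, attempts


def validate_bounded(data: bytes, rrsigs, dnskeys, max_failures: int = 16):
    """Same loop with a failure budget: once max_failures verifications have
    failed, the RRset is treated as bogus instead of exhausting all pairs."""
    attempts = 0
    for sig in rrsigs:
        for key in candidates(sig, dnskeys):
            if attempts >= max_failures:
                return False, attempts
            attempts += 1
            if toy_verify(key, data, sig.signature):
                return True, attempts
    return False, attempts


def keytrap_rrset(n_keys: int, n_sigs: int):
    """Constructed attacker zone: n_keys colliding DNSKEYs plus n_sigs RRSIGs
    that carry the shared tag but verify under none of the keys."""
    keys = colliding_keys(n_keys)
    data = b"www.example. IN A 192.0.2.1"  # constructed signed data
    sigs = [RRSIG(13, keys[0].tag(), hashlib.sha256(b"junk%d" % i).digest())
            for i in range(n_sigs)]
    return data, sigs, keys


if __name__ == "__main__":
    data, sigs, keys = keytrap_rrset(20, 20)
    print("naive:  ", validate_naive(data, sigs, keys))    # 20 x 20 = 400 attempts
    print("bounded:", validate_bounded(data, sigs, keys))  # stops after 16
```

With 20 colliding keys and 20 signatures the naive loop performs 400 signature verifications for one answer and grows quadratically from there; the bounded loop returns bogus after a fixed budget, at the cost of rejecting a pathologically signed but legitimate zone, which is the design tension the researchers point at.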

What may be the consequences of the new attack on DNS servers

Don't think that an attack like the one described would only make a handful of websites unreachable. As the ATHENE team points out, DNS resolvers are not used only by the Web, which is just one of the many services running on the Internet. An attack could affect any platform that resolves names: instant messaging systems, email, and so on.

And if the vulnerable resolver serves a large number of users, an attack could effectively cut off access to large portions of the Internet worldwide. The following table shows the DNS implementations found to be vulnerable (marked with a solid dot).

[Table: DNS implementations vulnerable to KeyTrap]

Not everyone has applied the corrective patches on their DNS servers

Google and Cloudflare, whose public resolvers were also affected, say they have already applied the corrective patches, so a large-scale attack through those resolvers is averted.

KeyTrap, however, is not a threat to be taken lightly. In response to the discovery, Akamai for example developed and deployed, between December 2023 and February 2024, mitigations for its recursive DNS resolvers, including CacheServe and AnswerX, as well as for its cloud and managed solutions. The ATHENE researchers say that addressing the KeyTrap problem at the lowest level may require a reassessment of DNSSEC's design philosophy, an intervention far more complex and radical than what has been done to date.

Akamai spokespersons note that, based on their data, approximately 35% of US users and 30% of Internet users worldwide rely on DNS resolvers that perform DNSSEC validation and are therefore exposed to KeyTrap. "Many software and DNS service providers have already published security advisories and released effective patches; we invite all users to check the presence of these updates with their suppliers. Thanks to community collaboration, what could have been a malicious exploit has already been mitigated", Akamai further observes in a statement on the company's official website.

Opening image credit: – J.L.Gutierrez
