KeyTrap attack: Internet access disrupted with one DNS packet

A serious vulnerability named KeyTrap in the Domain Name System Security Extensions feature could be exploited to deny internet access to applications for an extended period.
Tracked as CVE-2023-50387, KeyTrap is a design issue in DNSSEC and impacts all popular Domain Name System implementations or services.
It allows a remote attacker to cause a long lasting denial-of-service condition in vulnerable resolvers by sending a single DNS packet.
DNS is what allows us humans to access online locations by typing in domain names instead of the server's IP address our computer needs to connect to.
DNSSEC is a feature of the DNS that brings cryptographic signatures to DNS records, thus providing authentication to responses; this verification ensures that DNS data comes from the source, its authoritative name server, and has not been modified on the way to route you to a malicious location.
KeyTrap has been present in the DNSSEC standard well over two decades, and was discovered by researchers from the National Research Center for Applied Cybersecurity ATHENE, alongside experts from Goethe University Frankfurt, Fraunhofer SIT, and the Technical University of Darmstadt.
By taking advantage of this vulnerability, the researchers developed a new class of DNSSEC-based algorithmic complexity attacks that can increase by 2 million times the CPU instruction count in a DNS resolver, thus delaying its response.
The duration of this DoS state depends on the resolver implementation but the researchers say a single attack request can hold the response from 56 seconds to as much as 16 hours.
Complete details about the vulnerability and how it can manifest on modern DNS implementations can be found in a technical report published earlier this week.
The researchers have demonstrated how their KeyTrap attack can impact DNS service providers, such as Google and Cloudflare, since early November 2023 and worked with them to develop mitigations.
ATHENE says KeyTrap has been present in widely used standards since 1999, so it went unnoticed for nearly 25 years, primarily because of the complexity of the DNSSEC validation requirements.
Though impacted vendors have already pushed fixes or are in the process of mitigating the KeyTrap risk, ATHENE states that addressing the issue at a fundamental level may require a reevaluation of the DNSSEC design philosophy.
In response to the KeyTrap threat, Akamai developed and deployed, between December 2023 and February 2024, mitigations for its DNSi recursive resolvers, including CacheServe and AnswerX, as well as its cloud and managed solutions.
This security gap could have allowed attackers to cause major disruption to the functioning of the internet, exposing one-third of DNS servers worldwide to a highly efficient denial-of-service attack and potentially impacting more than one billion users.
Akamai notes that based on APNIC data, approximately 35% of U.S.-based and 30% of internet users worldwide rely on DNS resolvers that use DNSSEC validation and are vulnerable to KeyTrap.
Although the internet company didn't share many details about the actual mitigations it implemented, ATHENE's paper describes Akamai's solution as limiting the cryptographic failures to a maximum of 32, making it practically impossible to exhaust CPU resources and cause stalling.
Fixes are already present in DNS services from Google and Cloudflare.
ExpressVPN bug has been leaking some DNS requests for years.
Over 178K SonicWall firewalls vulnerable to DoS, potential RCE attacks.
'Wall of Flippers' detects Flipper Zero Bluetooth spam attacks.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 19 Feb 2024 00:59:05 +0000


Cyber News related to KeyTrap attack: Internet access disrupted with one DNS packet

How to Prevent DNS Attacks: DNS Security Best Practices - To protect against attack, best practices must be applied to protect the DNS protocol, the server on which the DNS protocol runs, and all access to the DNS processes. Implementing these best practices will not only protect DNS but also network ...
1 year ago Esecurityplanet.com
KeyTrap attack: Internet access disrupted with one DNS packet - A serious vulnerability named KeyTrap in the Domain Name System Security Extensions feature could be exploited to deny internet access to applications for an extended period. Tracked as CVE-2023-50387, KeyTrap is a design issue in DNSSEC and impacts ...
10 months ago Bleepingcomputer.com
DNSSEC vulnerability puts big chunk of the internet at risk The Register - A 20-plus-year-old security vulnerability in the design of DNSSEC could allow a single DNS packet to exhaust the processing capacity of any server offering the system for domain-name resolution, effectively disabling the machine. Yes, a single DNS ...
10 months ago Go.theregister.com
'KeyTrap' DNS Bug Threatens Widespread Internet Outages - Although it's been sitting there since 2000, researchers were just recently able to suss out a fundamental design flaw in a Domain Name System security extension, which under certain circumstances could be exploited to take down wide expanses of the ...
10 months ago Darkreading.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
DNS Tunneling Abuse Expands to Tracking & Scanning Victims - Attackers are taking malicious manipulation of DNS traffic to the next level, abusing DNS tunneling to scan a victim's network infrastructure as well as track victims' online behavior. Researchers from Palo Alto Networks' Unit 42 have identified ...
7 months ago Darkreading.com
Understanding DNS Zones: A Comprehensive Guide - DNS stands for Domain Name System, and it is one of the most important components of the Internet. It is a network of servers that coordinates the registration, updating and resolution of domain names, so that users can easily access websites and ...
1 year ago Heimdalsecurity.com
What Is Packet Filtering? Definition, Advantages & How It Works - Packet filtering is a firewall feature that allows or drops data packets based on simple, pre-defined rules regarding IP addresses, ports, or protocols. Each data packet consists of three components: a header to provide information about the data ...
10 months ago Esecurityplanet.com
Hackers use DNS tunneling for network scanning, tracking victims - Threat actors are using Domain Name System tunneling to track when their targets open phishing emails and click on malicious links, and to scan networks for potential vulnerabilities. DNS tunneling is the encoding of data or commands that are sent ...
7 months ago Bleepingcomputer.com
Attacks abuse Microsoft DHCP to spoof DNS records The Register - A series of attacks against Microsoft Active Directory domains could allow miscreants to spoof DNS records, compromise Active Directory and steal all the secrets it stores, according to Akamai security researchers. We're told the attacks - which are ...
1 year ago Go.theregister.com
47 Years Later: Serious Security – How Deliberate Typos Might Improve DNS Security - The Domain Name System (DNS) is an internet infrastructure that has been around since the early 80s and still plays an integral part in how websites and online services are accessed. Although it has been in use for almost 47 years, security issues of ...
1 year ago Nakedsecurity.sophos.com
Microsoft tests Windows 11 encrypted DNS server auto-discovery - Microsoft is testing support for the Discovery of Network-designated Resolvers internet standard, which enables automated client-side discovery of encrypted DNS servers on local area networks. Without DNR support, users must manually enter the info ...
1 year ago Bleepingcomputer.com
Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
1 year ago Trendmicro.com
SANS Internet Storm Center - A DNS suffix is a configuration of the Windows DNS client to have it append suffixes when doing domain lookups. If a DNS suffix local is configured, then Windows' DNS client will not only do a DNS lookup for example.com, but also for example.com. ...
7 months ago Isc.sans.edu
Researchers Uncovered an Active Directory DNS spoofing exploit - In the intricate web of our interconnected world, the Domain Name System stands as a linchpin, directing users to their online destinations. Even this vital system is not impervious to the dark art of malicious manipulation. In a recent revelation by ...
1 year ago Gbhackers.com
Ransomware disrupts utilities, infrastructure in January - Ransomware disrupted important U.S.-based utilities and services organizations in January, including a municipal water treatment organization, which is a sector that's become a growing target for attackers. The persistent ransomware threat continued ...
10 months ago Techtarget.com
Cybersecurity Firm Hacks Itself, Finds DNS Flaw Leak AWS Credentials - Intruder.io, a London, England-based cybersecurity firm, conducted a self-hack using a DNS rebinding attack, enabling them to extract low-privileged AWS credentials. Cybersecurity firm Intruder has published blog posts explaining how they got hacked ...
1 year ago Hackread.com
Marriott Leads the Way to Protect Children Online - Read how Marriott has rapidly deployed Cisco DNS-layer security across nearly 5,000 properties to advance human rights. For over 96 years, Marriott International, the world's largest hospitality company, has been Putting People First. Grounded in its ...
9 months ago Umbrella.cisco.com
ExpressVPN bug has been leaking some DNS requests for years - ExpressVPN has removed the split tunneling feature from the latest version of its software after finding that a bug exposed the domains users were visiting to configured DNS servers. The bug was introduced in ExpressVPN Windows versions 12.23.1 - ...
10 months ago Bleepingcomputer.com
Access to Internet Infrastructure is Essential, in Wartime and Peacetime - We've been saying it for 20 years, and it remains true now more than ever: the internet is an essential service. It enables people to build and create communities, shed light on injustices, and acquire vital knowledge that might not otherwise be ...
9 months ago Eff.org
AWS LetsEncrypt Lambda: Custom TLS Provider - DZone - Trying to renew ... INFO[0000] Checking certificate for domain 'hackernoon.referrs.me' with arn 'arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af' INFO[0000] Certificate status is 'ISSUED' INFO[0000] Certificate in ...
2 months ago Feeds.dzone.com
Understanding a SYN Flood and How to Guard Your Server Against It - SYN Flood is a type of denial-of-service attack in which a malicious actor sends a large number of requests to a server, but does not acknowledge the connection, leaving it half-open. This is usually done with the intention of consuming server ...
1 year ago Heimdalsecurity.com
SBU Cybersecurity Chief Exposes Persistent Hacker Presence in Kyivstar - An attack on Kyivstar, a telco company that has some 24 million users in Ukraine, appears to have been carried out by Russia's Sandworm crew last month. Approximately 24 million users' services were disrupted for a period of several days beginning on ...
11 months ago Cysecurity.news
Centripetal Expands Portfolio with DNS Offering - Centripetal, the global leader in intelligence powered cybersecurity, today announced that it is expanding its offering to include CleanINTERNET® DNS to pre-emptively safeguard businesses against web-based cyber threats. Unlike other DNS filtering ...
6 months ago Itsecurityguru.org
Ukrainian hackers disrupt internet providers in Russia-occupied territories - Ukrainian hackers have temporarily disabled internet services in parts of the country's territories that have been occupied by Russia. The group of cyber activists known as the IT Army said on Telegram that their distributed denial-of-service attack ...
1 year ago Therecord.media

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)