“KeyTrap allows an attacker to completely disable large parts of the global internet” – this deceptively simple cyber attack could spell doom for apps around the world
Security researchers have discovered a major flaw in the DNS system that could “completely disable” large parts of the global Internet for extended periods of time.
Cybersecurity researchers from the National Research Center for Applied Cybersecurity ATHENE, Goethe University Frankfurt, Fraunhofer SIT and the Technical University of Darmstadt recently found a flaw in the Domain Name System Security Extensions (DNSSEC), a security protocol that adds an extra layer of protection to the Domain Name System (DNS).
With DNSSEC, DNS records are given a digital signature that confirms they have not been altered or forged in transit.
Solutions available
The flaw, tracked as CVE-2023-50387, has been named KeyTrap and allows threat actors to conduct sustained denial-of-service (DoS) attacks against various Internet applications and programs. “Exploiting this attack would have serious consequences for any application that uses the Internet, including the unavailability of technologies such as web browsing, email and instant messaging,” ATHENE said in an advisory. “KeyTrap could allow an attacker to completely disable large parts of the global Internet,” the researchers warned.
A patch has already been developed and is being deployed at the time of writing.
Figures from Akamai show that almost a third of all internet users rely on resolvers vulnerable to KeyTrap, BleepingComputer reported.
The vulnerability, they further explained, had been present in DNSSEC for more than two decades, but was never discovered or exploited due to the complexity of DNSSEC validation requirements. The attacks would result in a denial of service that would last anywhere from a minute to 16 hours.
In early November 2023, the researchers demonstrated their findings to Google and Cloudflare, with whom they have been working on solutions ever since. Now Akamai has already released fixes for its recursive DNSi resolvers, and both Google and Cloudflare have deployed their patches as well.
While it’s good news that the problem has been resolved, the researchers emphasize that to be secure against future similar threats, the entire DNSSEC design philosophy needs to be reevaluated.