Mick McIntyre


DNS Bug Could Crash The Internet

It’s not clickbait, it’s a 24 year old bug that could easily be exploited

Photo by Dung Anh on Unsplash

DNS Bug, KeyTrap

This 24 year old bug, officially tracked as CVE-2023-50387, has only recently been identified as a bug. According to the good folks over at Dark Reading, who say:

“Fundamental design flaw in a Domain Name System (DNS) security system, which under certain circumstances could be exploited to take down wide expanses of the Internet”

What is a DNS server?

DNS servers translate a human name to an IP address. For instance, if you have a web address, also known as a URL, DNS will resolve (translate) that to the corresponding IP address.

Think of it like the contacts in your phone. You don’t have to remember everyone’s phone number, because you attach each number to a contact, and the contact is the human name you remember. DNS does essentially the same thing.

How KeyTrap works

According to a report from ATHENE, a national research center in Germany, a single packet sent to a DNS server that uses DNSSEC (Domain Name System Security Extensions) to validate responses could be all it takes. This would put the DNS server into a loop in which it burns all of its computing power and stops resolving lookups. If this were to happen to multiple DNS servers across the internet at the same time, large portions of the internet would effectively be down.

They also went on to say that the average time for the internet to remain stalled or down, with BIND 9, a widely used DNS server, could be up to 16 hours.

The ISC (Internet Systems Consortium), which oversees DNS servers globally, states that 34% of DNS servers in North America use DNSSEC.

Algorithmic Complexity Attacks

The folks at ATHENE went on to state that KeyTrap represents an entirely new class of cyber-attacks that they’ve named “Algorithmic Complexity Attacks”.
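The two sections above only describe the effect (one response, a validator stuck burning CPU) and the label “algorithmic complexity”. The model below is an added example, not code from the article or from ATHENE: it reproduces the publicly documented KeyTrap mechanism, in which a validator following RFC 4035 tries every DNSSEC key whose key tag matches a signature, so a response carrying many tag-colliding keys and many bad signatures costs keys × signatures verifications, next to the bounded-work behaviour patched resolvers adopted. All names, the hash-based signature stand-in and the failure budget of 16 are assumptions, and the key algorithm field is omitted for brevity.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    key_tag: int    # 16-bit tag; several keys may legitimately share one
    secret: bytes   # stand-in for public key material
@dataclass(frozen=True)
class RRSIG:
    key_tag: int    # tag of the key the validator should try
    signature: bytes

def sign(key, data):  # constructed stand-in for producing a valid RRSIG
    return RRSIG(key.key_tag, hashlib.sha256(key.secret + data).digest())

def check_signature(key, sig, data):
    """Stand-in for the expensive public-key verification step."""
    return hashlib.sha256(key.secret + data).digest() == sig.signature

def validate_unbounded(keys, sigs, data):
    """Pre-patch: try every tag-matching key/signature pair. Returns (secure, attempts)."""
    attempts = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag:
                continue
            attempts += 1
            if check_signature(key, sig, data):
                return True, attempts
    return False, attempts

def validate_budgeted(keys, sigs, data, max_failures=16):
    """Patched: stop after max_failures failed checks and treat the data as bogus."""
    failures = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag:
                continue
            if check_signature(key, sig, data):
                return True, failures
            failures += 1
            if failures >= max_failures:
                return False, failures
    return False, failures
def worst_case_response(n_keys, n_sigs, tag=12345):
    """Constructed fixture: n_keys keys sharing one tag and n_sigs bogus signatures."""
    keys = [DNSKEY(tag, f"key{i}".encode()) for i in range(n_keys)]
    sigs = [RRSIG(tag, hashlib.sha256(f"bogus{j}".encode()).digest()) for j in range(n_sigs)]
    return keys, sigs
```

The budget has a cost of its own: a legitimate signature hidden behind enough bogus pairs is also rejected as bogus, which is the trade-off the patched resolvers accepted rather than looping.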

They have been working with some DNS heavy hitters such as Google and Cloudflare to deploy necessary patches. But they also stated this is only a temporary fix until they can revise the DNSSEC standards.

“The researchers worked with all relevant vendors and major public DNS providers over several months, resulting in a number of vendor-specific patches, the last ones published on Tuesday, Feb. 13,” according to the report. “It is highly recommended for all providers of DNS services to apply these patches immediately to mitigate this critical vulnerability.”

Closing Thoughts

The good news is so far there are no recorded cases of this happening, but it does show that there are bugs in some of the basic and oldest protocols we use.

There’s very little you or I can do to resolve this, but it’s certainly good to be kept aware of it.

You might also consider having two different DNS servers set up on your systems when possible. I’m not talking about an in-house DNS server, but rather, for the end user, adding Google and Verizon for instance.
