A design flaw in DNSSEC, the security extensions to the DNS protocol, allows hackers to cut off large parts of the world from the internet. Researchers demonstrated the danger by developing the KeyTrap attack, which requires only a single DNS packet.

The DNS protocol contains an easily exploitable, high-risk vulnerability. For at least two decades it has been part of all popular Domain Name System (DNS) implementations and services, including those of Google and Cloudflare. Researchers investigated the risk and successfully developed the KeyTrap attack.

A KeyTrap attack requires a hacker to send only one request to accomplish a denial-of-service (DoS) attack. Its impact can be extensive and deny internet access to large parts of the world. According to DNS providers, this is “the most critical attack on DNS ever discovered.”

Design flaw in DNSSEC

The vulnerability is attributed to a design flaw in DNSSEC, the extensions to DNS that are meant to improve its security. The feature checks the source from which an internet request originates and intercepts requests that have been tampered with. DNSSEC is said to have contained the vulnerability since 2012, through the implementation of the standards RFC 6781 and RFC 6840. Earlier it was also part of the internet standard RFC 2535, but that standard from 1999 is obsolete.

According to the researchers, the design flaw affects all DNS implementations. DNS ensures that an internet user can reach the website they are trying to open. It does this by translating readable domain names into the numeric IP addresses on which the internet protocol is based; the user sees nothing of this exchange, because the readable domain name conceals it.

This exchange can be run by the operator of the website, but in practice a DNS provider is often paid to do it and is thereby made responsible for the domain name. That is not because the protocol is difficult, but because such a provider is expected to guard quality better and to have better defences against attacks on the website.

KeyTrap attack

KeyTrap is a form of algorithmic complexity attack. This class of attack targets computer systems by exploiting inefficient algorithms or processes to overload the system. A common effect of these attacks is denial of service, and that is also the case for KeyTrap.

The attack has tremendous power, yet it can be triggered by a very small action: one DNS packet is enough for the attacker to exhaust the CPU. The crafted packet drives up the number of CPU instructions the resolver executes by a factor of two million.
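To make the algorithmic-complexity pattern concrete, here is an added Python model (not code from the researchers, from any DNS software, or from the article): a toy validator that tries every candidate key against every signature, so a single response carrying many unmatched keys and signatures costs keys × signatures verifications, beside a validator with a hard work budget that fails closed. HMAC-SHA256 stands in for DNSSEC signatures, the record data, key names and the budget of 16 are constructed values, and the model illustrates the general pattern only; it does not reproduce the actual KeyTrap packet, which the article does not detail.

```python
"""Toy model of an algorithmic-complexity attack on a DNSSEC-style validator.

Added illustration: HMAC-SHA256 stands in for real DNSSEC signatures, and the
record data, key names and work budget are constructed values, not taken from
any DNS software or from the KeyTrap research.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class ValidationStats:
    checks: int = 0         # signature verifications attempted
    rejected: bool = False  # True when the budgeted validator gave up


def toy_sign(key: bytes, data: bytes) -> bytes:
    """Stand-in for signing a record set with a zone key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def toy_verify(key: bytes, data: bytes, sig: bytes) -> bool:
    """Stand-in for one cryptographic signature verification (the costly step)."""
    return hmac.compare_digest(toy_sign(key, data), sig)


def validate_unbounded(keys, data, sigs, stats):
    """Naive validator: for every signature, try every candidate key.

    Work grows as len(keys) * len(sigs), and the sender controls both."""
    for sig in sigs:
        for key in keys:
            stats.checks += 1
            if toy_verify(key, data, sig):
                return True   # one valid signature is enough: data is secure
    return False              # nothing verified: data is bogus


def validate_bounded(keys, data, sigs, stats, budget):
    """Same logic with a hard cap on verifications per response.

    Exceeding the cap fails closed: the response is treated as bogus rather
    than letting the sender decide how much CPU the resolver burns."""
    for sig in sigs:
        for key in keys:
            if stats.checks >= budget:
                stats.rejected = True
                return False
            stats.checks += 1
            if toy_verify(key, data, sig):
                return True
    return False


def build_hostile_response(n_keys, n_sigs):
    """Constructed sample: many candidate keys and many signatures matching none."""
    data = b"example. IN A 192.0.2.1"   # RFC 5737 documentation address
    keys = [f"key-{i}".encode() for i in range(n_keys)]
    sigs = [toy_sign(f"unrelated-{j}".encode(), data) for j in range(n_sigs)]
    return keys, data, sigs


def build_benign_response():
    """Constructed sample: one zone key and one signature made with it."""
    data = b"example. IN A 192.0.2.1"
    key = b"zone-key"
    return [key], data, [toy_sign(key, data)]


def compare(n_keys, n_sigs, budget):
    """Return (unbounded checks, bounded checks, bounded rejected?) for a hostile response."""
    keys, data, sigs = build_hostile_response(n_keys, n_sigs)
    unbounded = ValidationStats()
    validate_unbounded(keys, data, sigs, unbounded)
    bounded = ValidationStats()
    validate_bounded(keys, data, sigs, bounded, budget)
    return unbounded.checks, bounded.checks, bounded.rejected


def benign_checks(budget):
    """Return (accepted?, checks) for the benign response under the budgeted validator."""
    keys, data, sigs = build_benign_response()
    stats = ValidationStats()
    ok = validate_bounded(keys, data, sigs, stats, budget)
    return ok, stats.checks


if __name__ == "__main__":
    print("hostile 100 keys x 100 sigs, budget 16:", compare(100, 100, 16))
    print("benign response, budget 16:", benign_checks(16))
```

The point of the comparison is that the unbounded validator does 10,000 verifications for a response of 100 keys and 100 signatures, while the budgeted one stops after 16 and marks the response bogus, and a normal response with one key and one valid signature still validates with a single check. Whatever the real resolver's limit is, the defensive property is the same: the amount of validation work is decided by the resolver, not by whoever sent the packet.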

Another important aspect of a successful DoS attack is how long the blocking lasts. In a KeyTrap attack this varies greatly, from a minor impact of 56 seconds to a major impact of sixteen hours.

Security depends on DNS provider

The researchers, in cooperation with Google and Cloudflare, also developed several patches against the attack. Development took several months because a single patch was not possible: the vulnerability had to be addressed per DNS service provider. The researchers are asking providers to install these patches.

That request indicates that the researchers do not yet have assurance from every provider that the vulnerability has been fixed, so it is not guaranteed that hackers cannot carry out a successful KeyTrap attack. Google and Cloudflare installed the fixes immediately, owing to their involvement in the investigation.

However, removing the flaw completely from DNSSEC is not easy, because DNSSEC is a standard. “It seems that completely preventing the attacks requires a fundamental rethinking of the underlying design philosophy of DNSSEC.”

Impacts at different levels

The consequences of a KeyTrap attack are mainly noticeable in a shutdown of internet access. The researchers themselves speak of “severe consequences for any application using the Internet, including the unavailability of technologies such as web browsing, e-mail and instant messaging.”

The protocol is also used by web applications. According to a recent measurement, 31.47 percent of web clients worldwide use DNSSEC to control internet requests. These web applications will also be affected by a KeyTrap attack.

That, however, is only the initial consequence; the researchers note that the effects then trickle down to the disabling of security mechanisms that depend on DNS, such as measures against spam messages, PKIs and internet routing.

Discovery by pooling expertise and new knowledge

The discovery of the vulnerability and the development of a KeyTrap attack is the result of a collaboration between researchers from the Athens Research Institute, the University of Frankfurt, Fraunhofer SIT and the Technical University of Darmstadt.

The research shows that protocols are not flawless merely because they have existed for a long time. The same was apparent with the Log4j vulnerability, but that problem was easier to discover, the researchers argue. Developing an exploit required “a combination of several requirements.” The large scale of the project will have contributed to this, as will new knowledge about vulnerabilities and increasingly sophisticated tools. That is why the vulnerability has been known for 24 years while exploitation has remained absent.