{"id":27084,"date":"2024-02-19T04:23:52","date_gmt":"2024-02-19T09:23:52","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/keytrap-dnssec-vulnerability-dos-attack\/27084\/"},"modified":"2024-02-19T15:24:34","modified_gmt":"2024-02-19T09:54:34","slug":"keytrap-dnssec-vulnerability-dos-attack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/keytrap-dnssec-vulnerability-dos-attack\/27084\/","title":{"rendered":"KeyTrap: how to break a DNS server with a single packet"},"content":{"rendered":"<p>A group of researchers representing several German universities and institutes have <a href=\"https:\/\/www.theregister.com\/2024\/02\/13\/dnssec_vulnerability_internet\/\" target=\"_blank\" rel=\"nofollow noopener\">discovered<\/a> a vulnerability in DNSSEC, a set of extensions to the DNS protocol designed to improve its security, and primarily to counter DNS spoofing.<\/p>\n<p>An attack they dubbed KeyTrap, which exploits the vulnerability, can disable a DNS server by sending it a single malicious data packet. Read on to find out more about this attack.<\/p>\n<h2>How KeyTrap works and what makes it dangerous<\/h2>\n<p>\nThe DNSSEC vulnerability has only recently become public knowledge, but it was discovered back in December 2023 and registered as <a href=\"https:\/\/kb.isc.org\/docs\/cve-2023-50387\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2023-50387<\/a>. It was assigned a CVSS 3.1 score of 7.5, and a severity rating of \u201cHigh\u201d. Complete information about the vulnerability and the attack associated with it is yet to be published.<\/p>\n<p>Here\u2019s how KeyTrap works. The malicious actor sets up a nameserver that responds to requests from <a href=\"https:\/\/en.wikipedia.org\/wiki\/Name_server\" target=\"_blank\" rel=\"nofollow noopener\">caching<\/a> DNS servers \u2013 that is, those which serve client requests directly \u2013 with a malicious packet. 
Next, the attacker has the caching server request a DNS record from their malicious nameserver. The record sent in response is a cryptographically signed malicious one. The signature is crafted so that the attacked DNS server, in trying to verify it, runs at full CPU capacity for a long period of time.<\/p>\n<p>According to the researchers, a single such malicious packet can freeze the DNS server for anywhere from 170 seconds to 16 hours \u2013 depending on the software it runs on. The KeyTrap attack can not only deny access to web content to all clients using the targeted DNS server, but also disrupt various infrastructural services such as spam protection, digital certificate management (PKI), and secure cross-domain routing (RPKI).<\/p>\n<p>The researchers refer to KeyTrap as \u201cthe worst attack on DNS ever discovered\u201d. Interestingly enough, the flaws in the signature validation logic making KeyTrap possible were discovered in one of the <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc2535\" target=\"_blank\" rel=\"nofollow noopener\">earliest<\/a> versions of the DNSSEC specification, published as far back as\u2026 1999. 
In other words, the vulnerability is about to turn 25!<\/p>\n<div id=\"attachment_50596\" style=\"width: 1522px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2024\/02\/19145417\/keytrap-dnssec-vulnerability-dos-attack-1.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-50596\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2024\/02\/19145417\/keytrap-dnssec-vulnerability-dos-attack-1.png\" alt=\"CVE-2023-50387 has been present in the DNSSEC specification since 1999 \" width=\"1512\" height=\"792\" class=\"size-full wp-image-50596\"><\/a><p id=\"caption-attachment-50596\" class=\"wp-caption-text\">The origins of KeyTrap can be traced back to RFC-2535, the DNSSEC specification published in 1999<\/p><\/div>\n<h2>Fending off KeyTrap<\/h2>\n<p>\nThe researchers have alerted all DNS server software developers and major public DNS providers. Updates and security advisories to fix CVE-2023-50387 are now available for <a href=\"https:\/\/doc.powerdns.com\/recursor\/security-advisories\/powerdns-advisory-2024-01.html\" target=\"_blank\" rel=\"nofollow noopener\">PowerDNS<\/a>, <a href=\"https:\/\/nlnetlabs.nl\/projects\/unbound\/security-advisories\/\" target=\"_blank\" rel=\"nofollow noopener\">NLnet Labs Unbound<\/a>, and <a href=\"https:\/\/www.isc.org\/blogs\/2024-bind-security-release\/\" target=\"_blank\" rel=\"nofollow noopener\">Internet Systems Consortium BIND9<\/a>. If you are an administrator of a DNS server, it\u2019s high time to install the updates.<\/p>\n<p>Bear in mind, though, that the DNSSEC logic issues that have made KeyTrap possible are fundamental in nature and not easily fixed. Patches released by DNS software developers can only go some way toward solving the problem, as the vulnerability is part of the standard itself rather than of specific implementations. 
\u201cIf we launch [KeyTrap] against a patched resolver, we still get 100 percent CPU usage but it can still respond,\u201d said one of the researchers.<\/p>\n<p>Practical exploitation of the flaw remains a possibility, with the potential result being unpredictable resolver failures. In case this happens, corporate network administrators would do well to prepare a list of backup DNS servers in advance so they can switch as needed to keep the network functioning normally and let users browse the web resources they need unimpeded.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-trial\">\n","protected":false},"excerpt":{"rendered":"<p>The KeyTrap DoS attack, which can disable DNS servers with a single malicious packet exploiting a vulnerability in DNSSEC.<\/p>\n","protected":false},"author":2726,"featured_media":27087,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2036,2610,2196],"tags":[2052,569,1115,1941,2594,261,1103,527,268],"class_list":{"0":"post-27084","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"category-threats","10":"tag-business","11":"tag-cryptography","12":"tag-ddos","13":"tag-dns","14":"tag-dos","15":"tag-encryption","16":"tag-risks","17":"tag-threats","18":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/keytrap-dnssec-vulnerability-dos-attack\/27084\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/keytrap-dnssec-vulnerability-dos-attack\/22394\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/keytrap-dnssec-vulnerability-dos-attack\/29751\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/keytrap-dnssec-vulnerability-dos-attack\/27260\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/keytrap-dnssec-vulnerabi
lity-dos-attack\/27038\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/keytrap-dnssec-vulnerability-dos-attack\/29657\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/keytrap-dnssec-vulnerability-dos-attack\/28536\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/keytrap-dnssec-vulnerability-dos-attack\/36997\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/keytrap-dnssec-vulnerability-dos-attack\/50594\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/keytrap-dnssec-vulnerability-dos-attack\/21535\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/keytrap-dnssec-vulnerability-dos-attack\/22243\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/keytrap-dnssec-vulnerability-dos-attack\/30902\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/keytrap-dnssec-vulnerability-dos-attack\/35818\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/keytrap-dnssec-vulnerability-dos-attack\/27459\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/keytrap-dnssec-vulnerability-dos-attack\/33266\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/keytrap-dnssec-vulnerability-dos-attack\/32890\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/27084","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=27084"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/
27084\/revisions"}],"predecessor-version":[{"id":27089,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/27084\/revisions\/27089"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/27087"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=27084"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=27084"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=27084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}