Technology

“With KeyTrap, an attacker could completely disable large parts of the worldwide Internet” — this deceptively simple cyberattack could spell doom for apps everywhere

February 20, 2024

Security researchers have discovered a major flaw in the DNS system that could “completely disable” large parts of the worldwide Internet for extended periods of time.

Cybersecurity researchers from the National Research Center for Applied Cybersecurity ATHENE, Goethe University Frankfurt, Fraunhofer SIT, and the Technical University of Darmstadt, recently found a flaw in the Domain Name System Security Extension (DNSSEC), a security protocol that adds an additional protection layer to the Domain Name System (DNS).

With DNSSEC, DNS records get a digital signature that confirms they weren’t changed, or forged, in transit.

Fixes available

The flaw, tracked as CVE-2023-50387, was named KeyTrap, and in short – allows threat actors to mount long-lasting denial-of-service (DoS) attacks against various internet applications and programs. “Exploitation of this attack would have severe consequences for any application using the Internet, including unavailability of technologies such as web-browsing, e-mail, and instant messaging,” ATHENE said in an advisory. “With KeyTrap, an attacker could completely disable large parts of the worldwide Internet,” the researchers warned.

A patch was already developed and is being deployed at press time.

Akamai’s figures show that almost a third of all internet users are susceptible to KeyTrap, BleepingComputer reported.

The vulnerability, they further explained, was present in DNSSEC for more than two decades, but was never discovered or exploited due to the complexity of the DNSSEC validation requirements. The attacks would result in the denial of service lasting anywhere between a minute and 16 hours.

In early November 2023, the researchers demonstrated their findings to Google and Cloudflare, with whom they’ve been working on mitigations, ever since. Now, Akamai already released mitigations for its DNSi recursive resolvers, and both Google and Cloudflare deployed their patches, as well.

While having the issue fixed is good news, the researchers stress that in order to be safe from future similar threats, the entire DNSSEC design philosophy should be reevaluated.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar