2018-02-24
from the its-DNSSEC-not-DNSSEX dept.
Just one bad packet can bring down a vulnerable DNS server thanks to DNSSEC
'You don't have to do more than that to disconnect an entire network' El Reg told as patches emerge
A single packet can exhaust the processing capacity of a vulnerable DNS server, effectively disabling the machine, by exploiting a 20-plus-year-old design flaw in the DNSSEC specification.
That would make it trivial to take down a DNSSEC-validating DNS resolver that has yet to be patched, upsetting all the clients relying on that service and making it seem as though websites and apps were offline.
The academics who found this flaw – associated with the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt – claimed DNS server software makers briefed about the vulnerability described it as "the worst attack on DNS ever discovered."
[....] The researchers said lone DNS packets exploiting KeyTrap could stall public DNSSEC-validated DNS services, such as those provided by Google and Cloudflare, by making them do calculations that overtax server CPU cores.
This disruption of DNS could not only deny people's access to content but could also interfere with other systems, including spam defenses, cryptographic defenses (PKI), and inter-domain routing security (RPKI), the researchers assert.
"Exploitation of this attack would have severe consequences for any application using the Internet including unavailability of technologies such as web-browsing, e-mail, and instant messaging," they claimed. "With KeyTrap, an attacker could completely disable large parts of the worldwide internet."
I thought overtaxed CPU cores were the domain of cryptocurrency and large language models.
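To make the "calculations that overtax server CPU cores" concrete, here is an added Python model, not code from the article, the researchers, or any resolver: it counts how many signature checks a naive validator performs when several DNSKEY records share one key tag (key tags are 16-bit and not required to be unique), and shows how a failure budget, the kind of limit the patches add, bounds that work. The signature verification itself is simulated, and the key tags, algorithm numbers and counts are constructed values.

```python
"""Model of validation cost for one DNSSEC response, and of a failure budget.

Added illustration only. Verification is simulated (assumption): a validator
pairs each RRSIG with every DNSKEY whose key tag and algorithm match, and a
naive one tries every pair before declaring the data bogus.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int     # 16-bit tag; several keys may legitimately share one
    algorithm: int
    valid: bool      # constructed: does this key verify the signature?


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int


def validate(keys, sigs, max_failures=None):
    """Return (verified, attempts). Each (RRSIG, matching DNSKEY) pair costs
    one public-key operation. With max_failures set, stop and treat the data
    as bogus once that many checks fail, bounding the work one packet forces."""
    attempts = failures = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag or key.algorithm != sig.algorithm:
                continue            # cheap filter; the only thing limiting work
            attempts += 1
            if key.valid:
                return True, attempts   # one good signature validates the set
            failures += 1
            if max_failures is not None and failures >= max_failures:
                return False, attempts  # budget exhausted: serve SERVFAIL
    return False, attempts


def benign_case():
    """Ordinary zone: distinct tags, one matching key, one signature."""
    keys = [DNSKEY(1111, 13, False), DNSKEY(2222, 13, True)]
    sigs = [RRSIG(2222, 13)]
    return validate(keys, sigs)


def colliding_tag_case(n_keys, n_sigs, max_failures=None):
    """Hostile response: n_keys bad keys on one tag, n_sigs bad signatures."""
    keys = [DNSKEY(12345, 13, False) for _ in range(n_keys)]
    sigs = [RRSIG(12345, 13) for _ in range(n_sigs)]
    return validate(keys, sigs, max_failures)
```

The naive path costs n_keys * n_sigs expensive operations per response, while the budgeted path costs at most max_failures regardless of what the packet carries.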
(Score: 3, Interesting) by VLM on Tuesday February 20, @03:58PM
Last time I messed around with DNSSEC a single bad MTU setting could knock it out also. It was something like "sure, limit UDP port 53 packets to 512 bytes, and why not limit TCP packets too?" Don't forget a dose of wannabe security dweebs declaring all ICMP packets are only useful for hacking, including those pesky don't-fragment packets that security guys don't understand. I may recall slightly inaccurately.
With DNS hijacking you need to run DoH anyway or your ISP will block all your DNSSEC traffic.
(Score: 3, Funny) by DannyB on Tuesday February 20, @04:01PM
One of the biggest technical problems of IPv6 making it difficult to filter malicious network traffic is the lack of an Evil Bit. [ietf.org]
If you have one of those computers that makes it difficult to get work done, use Hyper-V to install Linux.