How the Internet Dodged a Bullet: The KeyTrap Denial-of-Service Attacks against DNSSEC

Описание: The Internet relies on the Domain Name System (DNS) for a plethora of its uses, including web browsing, TLS certificates, and email. DNS is critical for today's Internet, so DNSSEC was standardized as one of the first security extensions to any Internet protocol. Until today, DNSSEC has been deployed in about one third of systems.
In this talk we present a new class of devastating attacks on DNSSEC, named KeyTrap, that allow for a comprehensive and continuous DoS of any DNSSEC-validating DNS resolver. The vulnerabilities stem directly from requirements in the DNSSEC standard and we find all DNSSEC-validating resolvers vulnerable. The KeyTrap attacks exploit algorithmic complexity, e.g., in validating signatures against DNSSEC keys, to stall any resolver and DoS its services for all its clients. A single 100 Bytes DNS request can cause a resolver to cease responding for between two minutes and 16 hours, depending on the implementation. With KeyTrap, an attacker could have disrupted service for a large part of global Internet users, which is why leading developers of DNS software referred to KeyTrap as "The worst attack on DNS ever discovered". Exploitation can be achieved from remote and with very low attack traffic volume, making the attack easy to set up, conduct, and keep secretive.
In this talk we show the design of KeyTrap and illustrate its severe impact on DNSSEC-validating resolvers. We give insights into the month-long confidential disclosure process with developers and operators from the industry, including ISC, NLnet Labs, Google, Cloudflare, and Akamai. Finally, we show the arduous process of patching a vulnerability that stems directly from multiple requirements in the Internet standard, illustrating the challenges of creating stable and secure software that intentionally disobeys RFC requirements.

By:
Elias Heftrig | PhD Student, Goethe-Universität Frankfurt, ATHENE
Niklas Vogel | PhD Student, Goethe-Universität Frankfurt, ATHENE
Haya Schulmann | Professor, Goethe-Universität Frankfurt, ATHENE
Michael Waidner | Professor, TU Darmstadt, Fraunhofer SIT, ATHENE

Full Abstract and Presentation Materials:
https://www.blackhat.com/eu-24/briefi...