One Bad Packet Can Bring Down Vulnerable DNS Due to DNSSEC
DannyB writes:
Just one bad packet can bring down a vulnerable DNS server thanks to DNSSEC
'You don't have to do more than that to disconnect an entire network' El Reg told as patches emerge
A single packet can exhaust the processing capacity of a vulnerable DNS server, effectively disabling the machine, by exploiting a 20-plus-year-old design flaw in the DNSSEC specification.
That would make it trivial to take down a DNSSEC-validating DNS resolver that has yet to be patched, upsetting all the clients relying on that service and make it seem as though websites and apps were offline.
The academics who found this flaw - associated with the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt - claimed DNS server software makers briefed about the vulnerability described it as "the worst attack on DNS ever discovered."
[....] The researchers said lone DNS packets exploiting KeyTrap could stall public DNSSEC-validated DNS services, such as those provided by Google and Cloudflare, by making them do calculations that overtax server CPU cores.
This disruption of DNS could not only deny people's access to content but could also interfere with other systems, including spam defenses, cryptographic defenses (PKI), and inter-domain routing security (RPKI), the researchers assert.
"Exploitation of this attack would have severe consequences for any application using the Internet including unavailability of technologies such as web-browsing, e-mail, and instant messaging," they claimed. "With KeyTrap, an attacker could completely disable large parts of the worldwide internet."
I thought overtaxed CPU cores were the domain of cryptocurrency and large language models.
Read more of this story at SoylentNews.