#keytrap

Stéphane Bortzmeyer (bortzmeyer@mastodon.gougere.fr)
2024-11-07

Proposal to add hard numerical limits to the #DNS parameters, in order to limit DoS attacks like #KeyTrap, Infinite or #Tsuname

For instance, max. number of NS records: 13, max. number of DNSSEC keys: 6, max. length of the CNAME chain: 1 (3 for the sissies), etc.

#IETF121
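The hard limits proposed in the post above, worked into a validator-side check as an added example (not code from the thread or from any resolver); the simplified record shapes and the MAX_SIG_CHECKS budget are assumptions, and the signature check itself is left to a caller-supplied function:

```python
from dataclasses import dataclass

# Limits quoted in the post above; MAX_SIG_CHECKS is an assumed extra budget
# (verifications one answer may cost), not taken from any resolver's code.
MAX_NS = 13
MAX_DNSKEY = 6
MAX_CNAME_CHAIN = 1
MAX_SIG_CHECKS = 16


@dataclass(frozen=True)
class DNSKEY:  # simplified stand-in for a DNSKEY RR (assumed shape)
    owner: str
    key_tag: int
    algorithm: int


@dataclass(frozen=True)
class RRSIG:  # simplified stand-in for an RRSIG RR (assumed shape)
    signer: str
    key_tag: int
    algorithm: int


def check_limits(ns_count: int, dnskeys: list[DNSKEY], cname_chain: int) -> list[str]:
    """Return the limit violations; an empty list means the answer is within bounds."""
    problems = []
    if ns_count > MAX_NS:
        problems.append(f"NS records: {ns_count} > {MAX_NS}")
    if len(dnskeys) > MAX_DNSKEY:
        problems.append(f"DNSKEY records: {len(dnskeys)} > {MAX_DNSKEY}")
    if cname_chain > MAX_CNAME_CHAIN:
        problems.append(f"CNAME chain: {cname_chain} > {MAX_CNAME_CHAIN}")
    return problems


def bounded_validate(dnskeys: list[DNSKEY], rrsigs: list[RRSIG], verify) -> tuple[bool, int]:
    """Try (key, signature) pairs whose signer, key tag and algorithm match, as
    RFC 4035 requires, but stop after MAX_SIG_CHECKS verifications instead of
    trying every pair. Returns (valid, verifications_spent)."""
    spent = 0
    for sig in rrsigs:
        for key in dnskeys:
            if (key.owner, key.key_tag, key.algorithm) != (sig.signer, sig.key_tag, sig.algorithm):
                continue  # not a candidate key: no crypto spent
            if spent >= MAX_SIG_CHECKS:
                return False, spent  # budget exhausted: treat the answer as bogus
            spent += 1
            if verify(key, sig):
                return True, spent
    return False, spent
```

With six keys sharing one key tag and six signatures over the same set, an unbounded validator would attempt 36 verifications; the budget stops it at 16 and the answer is rejected.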

@x_cli

2024-03-27

On SIDN.nl: All DNS software and services turned out to be vulnerable to a DoS attack -- 25-year-old vulnerability in the DNSSEC design patched in recent weeks
sidn.nl/nieuws-en-blogs/alle-d

"The vulnerability, named #KeyTrap, made it possible to carry out a Denial-of-Service (DoS) attack from a DNS server on a validating resolver. Because it was a problem in the specification itself, all widely used DNS resolvers and services were affected."

#DNSSEC #InternetSecurity

Stéphane Bortzmeyer (bortzmeyer@mastodon.gougere.fr)
2024-03-19

On 16 February the #DNSSEC #KeyTrap security flaw was published. I know, it's a bit late to talk about it, but it's still useful, isn't it?

bortzmeyer.org/keytrap.html

Stéphane Bortzmeyer (bortzmeyer@mastodon.gougere.fr)
2024-03-16

Very good analogy by Edward Lewis on an #IETF mailing list (in the context of #KeyTrap) about the risk of filtering stuff in the name of security: filtering can also clog the system. "I am picturing a screen put over a water spillway, or paper air filters in an HVAC intake or internal combustion engines." "Filtering will slow flow and may even entirely stop it"

Stéphane Bortzmeyer (bortzmeyer@mastodon.gougere.fr)
2024-03-12

@dad Ah, I had planned to write an article about #KeyTrap in French but I couldn't be bothered. That said, it's not too late.

yukoff
2024-03-01
Stéphane Bortzmeyer (bortzmeyer@mastodon.gougere.fr)
2024-02-23

If you don't know what to read this weekend, you're interested in #DNS, and you haven't yet read the #KeyTrap paper, it's good. You just have to ignore sentences like "Solving these issues fundamentally requires to reconsider the basics of the design philosophy of the Internet." and other exaggerations typical of Haya Shulman. athene-center.de/en/keytrap

(Before that, remember to update your resolvers.)

Bmixed
2024-02-23

The KeyTrap Denial-of-Service Algorithmic Complexity Attacks On DNS (Packet Storm)
packetstormsecurity.com/files/

Bmixed
2024-02-22
2024-02-20

EdgeRouters (running dnsmasq) still haven't provided updated firmware for #keytrap #dnssec #Ubiquiti

2024-02-20

Looks like @sans_isc picked up on an exploit for KeyTrap - I haven't tested it yet, and it is explicitly documented as being defanged, but looks legit on the surface:

github.com/knqyf263/CVE-2023-5

Added to my roll-up post.

#keytrap #nsec3 #CVE202350387 #CVE_2023_50387
#dns #dnssec

2024-02-16

"Since the initial disclosure of the vulnerabilities on November 2, 2023, we have been working with all major vendors on mitigating the problems in their implementations."

"We recommend that everyone installs the patches and updates their DNS software. We recommend to continue using DNSSEC, encourage the domains to get signed, and all the resolvers to enforce DNSSEC validation. DNSSEC is the only practical measure to block DNS cache poisoning attacks."

https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/

#DNSSEC #DNS #KEYTRAP

2024-02-15

You may have seen talk of the "#KeyTrap" #DNSSEC vulnerability in the last few days, with patches pushed for e.g., bind, unbound, knot, etc. in a well coordinated effort across the #DNS community and industry.

In a nutshell: you could DoS a validating resolver by causing it to perform excessive expensive signature validations.

The research team has now published the technical paper:
athene-center.de/fileadmin/con

ISC has a good summary here:
isc.org/blogs/2024-bind-securi

deltatux (deltatux@infosec.town)
2024-02-15

Researchers from the National Research Center for Applied Cybersecurity in Germany have disclosed a critical flaw in the way DNSSEC was designed and dubbed it "KeyTrap".

Essentially, the "KeyTrap" flaw allows an attacker to use a specially crafted DNS packet to cause a denial-of-service on the targeted DNSSEC-validating DNS server.

Since the flaw exists in the DNSSEC standard itself, it affects all major DNS server implementations like BIND9, Unbound, Microsoft DNS, etc. All public resolvers like Google DNS and Cloudflare DNS are also affected.

For more:
www.athene-center.de/en/news/press/key-trap & infosec.exchange/@tychotithonus/111924626712765292

#infosec #cybersecurity #dnssec #DNS #KeyTrap #DoS #DenialofService
