Hacker News @lemmy.smeargle.fans (bot account)

Just one bad packet can bring down a vulnerable DNS server thanks to DNSSEC

www.theregister.com: DNSSEC vulnerability puts big chunk of the internet at risk

'You don't have to do more than that to disconnect an entire network' El Reg told as patches emerge

  • This is the best summary I could come up with:


    A single packet can exhaust the processing capacity of a vulnerable DNS server, effectively disabling the machine, by exploiting a 20-plus-year-old design flaw in the DNSSEC specification.

    "Exploitation of this attack would have severe consequences for any application using the Internet including unavailability of technologies such as web-browsing, e-mail, and instant messaging," they claimed.

    A non-public technical paper on the vulnerability provided to The Register, titled, "The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNS," describes how an assault would be carried out.

    The ATHENE boffins said they worked with all relevant vendors and major public DNS providers to privately disclose the vulnerability so a coordinated patch release would be possible.

    Dr Haya Shulman, a professor of computer science and one of the academics behind the KeyTrap research, told The Register in a phone interview the attack is simple and can be carried out by encoding it in a zone file.

    The ATHENE team observed that while the flaw remained undetected for decades, its obscurity isn't surprising because DNSSEC validation requirements are so complicated.


    The original article contains 1,078 words, the summary contains 173 words. Saved 84%. I'm a bot and I'm open source!