The KeyTrap Denial-of-Service Algorithmic Complexity Attacks On DNS ≈ Packet Storm

The KeyTrap Denial-of-Service Algorithmic Complexity Attacks On DNS^[6]

Authored by Niklas Vogel^[7], Haya Schulmann^[8], Michael Waidner^[9], Elias Heftrig^[10] | Site athene-center.de^[11]

In this paper, the authors show that the design of DNSSEC is flawed. Exploiting vulnerable recommendations in the DNSSEC standards, they developed a new class of DNSSEC-based algorithmic complexity attacks on DNS, they dubbed KeyTrap attacks. All popular DNS implementations and services are vulnerable. With just a single DNS packet, the KeyTrap attacks lead to a 2.000.000x spike in CPU instruction count in vulnerable DNS resolvers, stalling some for as long as 16 hours. This devastating effect prompted major DNS vendors to refer to KeyTrap as "the worst attack on DNS ever discovered". Exploiting KeyTrap, an attacker could effectively disable Internet access in any system utilizing a DNSSEC-validating resolver.

SHA-256 | 4c1743e665520f276be83b47e7a1ae86496ca84f1935e9197aa5b5736fc57eb4

Download^[12] | Favorite^[13] | View^[14]

Login^[15] or Register^[16] to add favorites