Tuesday, February 20, 2024

Security is hard

This is bad. Really bad.

A single packet can exhaust the processing capacity of a vulnerable DNS server, effectively disabling the machine, by exploiting a 20-plus-year-old design flaw in the DNSSEC specification.

That would make it trivial to take down a DNSSEC-validating DNS resolver that has yet to be patched, upsetting all the clients relying on that service and making it seem as though websites and apps were offline.

The academics who found this flaw – associated with the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt – claimed DNS server software makers briefed about the vulnerability described it as "the worst attack on DNS ever discovered."

What's bad is that you don't get more mission critical than DNS - the Domain Name System, the service that translates names (like borepatch.blogspot.com) into Internet addresses (like 192.1.7.200). No DNS, no Internet.

If you run a DNS resolver that validates DNSSEC, look at this ASAP.
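For readers who want to see why one response is enough, here is a small model of the flaw, added to this post and not taken from the researchers or any resolver. The bug, published as KeyTrap (CVE-2023-50387), is in the specification rather than in one implementation: RFC 4035 section 5.3.1 tells a validator to try a signature against every DNSKEY whose algorithm and key tag match, and the key tag (RFC 4034 Appendix B) is a 16-bit checksum of the key record, not a hash. Whoever controls a zone can therefore hand out many keys that share one tag plus many RRSIGs naming that tag, and the validator must run keys-times-signatures expensive verifications before concluding the data is bogus. The key tag computation below is the real one; the signature check is stubbed out as a counter, the zone data is constructed, and the "patched" behaviour is modelled as a cap on failed verification attempts, which is the general shape of the fixes resolver vendors shipped. The constant names and the 32-byte filler key are assumptions of this example.

```python
"""Why one DNSSEC response can cost a validator thousands of signature checks.

Constructed model of the KeyTrap design flaw (CVE-2023-50387), not code from
the post or from any resolver: key tags are computed for real (RFC 4034
Appendix B), the validation loop follows RFC 4035 section 5.3.1, and the
cryptographic verification is stubbed out as a counter.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TARGET_TAG = 0x2F2F      # arbitrary key tag the forged keys will all share (assumption)
ALGORITHM = 13           # ECDSAP256SHA256; any algorithm number works for the model


def _checksum(rdata: bytes) -> int:
    # Even-indexed bytes are weighted by 256, odd-indexed bytes by 1.
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    return ac


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: a 16-bit checksum of the DNSKEY RDATA, not a hash."""
    ac = _checksum(rdata)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    flags: int            # 256 = zone-signing key
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # flags(2) | protocol(1, always 3) | algorithm(1) | public key
        return self.flags.to_bytes(2, "big") + b"\x03" + bytes([self.algorithm]) + self.public_key

    @property
    def tag(self) -> int:
        return key_tag(self.rdata())


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


def forge_colliding_key(target_tag: int, seed: int) -> DNSKEY:
    """Build a DNSKEY with the requested tag by choosing its last two key bytes.

    The filler (32 bytes, constructed) puts the two tunable bytes at an even
    index, where the checksum counts them as a plain 16-bit value added to the
    prefix sum, so the right suffix is found almost immediately.
    """
    prefix = DNSKEY(256, ALGORITHM, seed.to_bytes(4, "big") + b"\x00" * 28).rdata()
    guess = (target_tag - _checksum(prefix)) & 0xFFFF
    for k in range(1 << 16):                       # the carry fold rarely needs more than a step
        suffix = (guess + k) & 0xFFFF
        cand = DNSKEY(256, ALGORITHM, prefix[4:] + suffix.to_bytes(2, "big"))
        if cand.tag == target_tag:
            return cand
    raise ValueError(f"tag {target_tag:#x} unreachable from this prefix")


class Validator:
    """RFC 4035 5.3.1 key selection, with an optional cap on failed verifications."""

    def __init__(self, max_failed_verifications: Optional[int] = None) -> None:
        self.max_failed = max_failed_verifications
        self.verifications = 0          # number of (expensive) signature checks performed

    def crypto_verify(self, key: DNSKEY, sig: RRSIG) -> bool:
        # Stand-in for the RSA/ECDSA verify a real resolver runs here. The
        # attacker's keys and signatures are garbage, so every attempt fails;
        # what matters for the attack is how many times we get here.
        self.verifications += 1
        return False

    def validate(self, keys: List[DNSKEY], sigs: List[RRSIG]) -> bool:
        failed = 0
        for sig in sigs:
            # The spec says: try this signature against EVERY key whose
            # algorithm and key tag match, because tags are not unique.
            for key in keys:
                if key.algorithm != sig.algorithm or key.tag != sig.key_tag:
                    continue
                if self.crypto_verify(key, sig):
                    return True
                failed += 1
                if self.max_failed is not None and failed >= self.max_failed:
                    return False        # patched behaviour: give up and mark the data bogus
        return False


def keytrap_rrset(n_keys: int, n_sigs: int) -> Tuple[List[DNSKEY], List[RRSIG]]:
    """Attacker-controlled zone data: n_keys keys sharing one tag, n_sigs RRSIGs naming it."""
    keys = [forge_colliding_key(TARGET_TAG, seed) for seed in range(n_keys)]
    sigs = [RRSIG(ALGORITHM, TARGET_TAG, bytes([s & 0xFF]) * 64) for s in range(n_sigs)]
    return keys, sigs


def verification_cost(n_keys: int, n_sigs: int, cap: Optional[int] = None) -> int:
    """Signature verifications one response forces on a validator (cap=None is unpatched)."""
    keys, sigs = keytrap_rrset(n_keys, n_sigs)
    v = Validator(cap)
    v.validate(keys, sigs)
    return v.verifications


if __name__ == "__main__":
    keys, _ = keytrap_rrset(4, 1)
    print("forged key tags:", [hex(k.tag) for k in keys])
    for n in (10, 50, 100):
        print(f"{n} keys x {n} sigs: unpatched={verification_cost(n, n)} "
              f"capped={verification_cost(n, n, cap=16)}")
```

The point to take from running it is the shape of the two columns: the unpatched cost grows as the product of keys and signatures in a single response, while the capped validator does a fixed amount of work and then declares the zone bogus, which is exactly the trade the fixes make (a hostile zone fails validation quickly instead of stalling the whole resolver).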

3 comments:

Francis Turner said...

Two things to note

1. It is very hard to exploit. I'm on some mailing lists and even DNSSEC experts are struggling to come up with an easy way to generate the required hash collisions. There is a PoC out about it, but I've only seen one.
2. Patching is fairly easy, and if you disable DNSSEC (which is reasonable for quite a few stub resolvers) then the problem goes away for that server, if not its upstream.

Complexity is almost certainly one reason why this has been sitting around for 30 years without anyone figuring it out.

danielbarger said...

There will always be critical vulnerabilities in the web and its related hardware. The real mistake is in making your life, job, finances 100% dependent on the Internet.
Do so at your own risk.

Richard said...

@danielbarger

Just wait until we have mandatory CBDC.