This is bad. Really bad:
A single packet can exhaust the processing capacity of a vulnerable DNS server, effectively disabling the machine, by exploiting a 20-plus-year-old design flaw in the DNSSEC specification.
That would make it trivial to take down a DNSSEC-validating DNS resolver that has yet to be patched, upsetting all the clients relying on that service and making it seem as though websites and apps were offline.
The academics who found this flaw – associated with the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt – claimed DNS server software makers briefed about the vulnerability described it as "the worst attack on DNS ever discovered."
What's bad is that you don't get more mission-critical than DNS - Domain Name Service, the service that translates names (like borepatch.blogspot.com) into Internet addresses (like 192.1.7.200). No DNS, no Internet.
If you run a DNS or DNSSEC server look at this ASAP.
Two things to note
1. It is very hard to exploit. I'm on some mailing lists and even DNSSEC experts are struggling to come up with an easy way to generate the required hash collisions. There is a PoC out about it, but I've only seen one.
2. Patching is fairly easy, and if you disable DNSSEC (which is reasonable for quite a few stub resolvers) then the problem goes away for that server, if not its upstream.
Complexity is almost certainly one reason why this has been sitting around for 30 years without anyone figuring it out.
There will always be critical vulnerabilities in the web and its related hardware. The real mistake is in making your life, job, finances 100% dependent on the Internet.
Do so at your own risk.
@danielbarger
Just wait until we have mandatory CBDC.