{"id":6229,"date":"2024-02-28T09:07:23","date_gmt":"2024-02-28T08:07:23","guid":{"rendered":"https:\/\/sajberinfo.com\/?p=6229"},"modified":"2024-02-28T09:07:23","modified_gmt":"2024-02-28T08:07:23","slug":"keytrap-napad-jedan-dns-paket-blokira-internet","status":"publish","type":"post","link":"https:\/\/sajberinfo.com\/en\/2024\/02\/28\/keytrap-napad-jedan-dns-paket-blokira-internet\/","title":{"rendered":"KeyTrap napad: Jedan DNS paket blokira Internet"},"content":{"rendered":"<p><span style=\"font-size: 14pt;\"><a href=\"https:\/\/www.athene-center.de\/en\/news\/press\/key-trap\" target=\"_blank\" rel=\"noopener\">Sigurnosni istra\u017eiva\u010di su otkrili ozbiljnu ranjivost<\/a> koja je nazvana <em>KeyTrap<\/em> u funkciji pro\u0161irenja bezbjednosti sistema imena domena (eng. <em>Domain Name System Security Extensions \u2013 DNSSEC<\/em>) koja bi mogla da se iskoristi za uskra\u0107ivanje pristupa Internetu aplikacijama na du\u017ei period.<\/span><\/p>\n<div id=\"attachment_6230\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-6230\" class=\"size-full wp-image-6230\" src=\"https:\/\/sajberinfo.com\/wp-content\/uploads\/2024\/02\/KeyTrap-attack.jpg\" alt=\"KeyTrap\" width=\"1024\" height=\"1024\" srcset=\"https:\/\/sajberinfo.com\/wp-content\/uploads\/2024\/02\/KeyTrap-attack.jpg 1024w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2024\/02\/KeyTrap-attack-300x300.jpg 300w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2024\/02\/KeyTrap-attack-150x150.jpg 150w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2024\/02\/KeyTrap-attack-768x768.jpg 768w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2024\/02\/KeyTrap-attack-12x12.jpg 12w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2024\/02\/KeyTrap-attack-80x80.jpg 80w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2024\/02\/KeyTrap-attack-320x320.jpg 320w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><p id=\"caption-attachment-6230\" class=\"wp-caption-text\"><em>KeyTrap napad: Jedan DNS paket blokira Internet; Source: Bing Image Creator<\/em><\/p><\/div>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Sadr\u017eaj<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #ffffff;color:#ffffff\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewbox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #ffffff;color:#ffffff\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewbox=\"0 0 24 24\" version=\"1.2\" baseprofile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/sajberinfo.com\/en\/2024\/02\/28\/keytrap-napad-jedan-dns-paket-blokira-internet\/#KEYTRAP_NAPAD\">KEYTRAP NAPAD<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/sajberinfo.com\/en\/2024\/02\/28\/keytrap-napad-jedan-dns-paket-blokira-internet\/#ISTORIJA_RANJIVOSTI\">ISTORIJA RANJIVOSTI<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/sajberinfo.com\/en\/2024\/02\/28\/keytrap-napad-jedan-dns-paket-blokira-internet\/#ZAKLJUCAK\">ZAKLJU\u010cAK<\/a><\/li><\/ul><\/nav><\/div>\n\n<h2><span class=\"ez-toc-section\" id=\"KEYTRAP_NAPAD\"><\/span><strong><span style=\"font-size: 14pt;\"><em>KEYTRAP<\/em> NAPAD<\/span><\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-size: 14pt;\"><em>DNS<\/em> (eng. <em>Domain Name System<\/em>)\u00a0 je jedna je od osnovnih komponenti interneta. Gre\u0161ka u njenom dizajnu ima razorne posljedice za sve <em>DNS <\/em>implementacije koje potvr\u0111uju <em>DNSSEC<\/em> i javne <em>DNS<\/em> pru\u017eaoce usluga, kao \u0161to su <em>Google<\/em> i <em>Cloudflare<\/em>.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">Sada su sigurnosni istra\u017eiva\u010di otkrili <em>KeyTrap<\/em> napad, koji je nova klasa napada u kojem <a href=\"https:\/\/sajberinfo.com\/en\/2022\/03\/19\/hakeri-crni-sesiri-epizoda-3\/\" target=\"_blank\" rel=\"nofollow noopener\">zlonamjerni akter<\/a> sa samo jednim <em>DNS<\/em> paketom mogao da zaustavi sve <em>DNS<\/em> implementacije u \u0161irokoj upotrebi i javne <em>DNS<\/em> pru\u017eaoce usluga. <a href=\"https:\/\/www.athene-center.de\/fileadmin\/content\/PDF\/Keytrap_2401.pdf\" target=\"_blank\" rel=\"noopener\">Sigurnosni istra\u017eiva\u010di su pokazali<\/a> da sa samo jednim <em>DNS<\/em> paketom ovaj napad mo\u017ee iscrpiti <em>CPU<\/em> i zaustaviti sve \u0161iroko kori\u0161\u0107ene <em>DNS<\/em> implementacije i javne <em>DNS<\/em> pru\u017eaoce. Primjera radi, popularna <em>Bind9 DNS<\/em> implementacija mo\u017ee biti zaustavljena \u010dak 16 sati.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">Ovaj razorni efekat podstakao je glavne <em>DNS<\/em> proizvo\u0111a\u010de da nazovu <em>KeyTrap<\/em> kao \u201c<em>Najgori napad na DNS ikada otkriven<\/em>\u201d. Uticaj <em>KeyTrap<\/em> napada je dalekose\u017ean, a njegovim iskori\u0161tavanjem napada\u010da mo\u017ee efikasno onemogu\u0107iti pristup internetu u bilo kom sistemu koji koristi <em>DNS<\/em> prevo\u0111enje koji potvr\u0111uje <em>DNSSEC<\/em>. Vektori napada koji se koriste u klasi napada <em>KeyTrap<\/em> registrovani su u bazi podataka o zajedni\u010dkim ranjivostima i izlo\u017eenostima kao zajedni\u010dka ranjivost sa oznakom <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-50387\" target=\"_blank\" rel=\"noopener\"><em>CVE-2023-50387<\/em><\/a>.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">Iskori\u0161tavanje ovog napada imalo bi ozbiljne posljedice za bilo koju aplikaciju koja koristi Internet, uklju\u010duju\u0107i nedostupnost tehnologija kao \u0161to su pregledanje interneta, elektronska po\u0161ta i instant poruke. Sa <em>KeyTrap<\/em> napadom, napada\u010d bi mogao potpuno da onesposobi velike dijelove interneta \u0161irom sveta.<\/span><\/p>\n<p>&nbsp;<\/p>\n<blockquote><p><span style=\"font-size: 14pt;\"><em>\u201cOva bezbjednosna ranjivost je mogla da dozvoli napada\u010dima da izazovu velike poreme\u0107aje u funkcionisanju interneta, izla\u017eu\u0107i jednu tre\u0107inu DNS servera \u0161irom sveta visoko efikasnom napadu uskra\u0107ivanja usluge (DoS) i potencijalno uti\u010du\u0107i na vi\u0161e od milijardu korisnika.\u201d<\/em><\/span><\/p>\n<p style=\"text-align: right;\"><span style=\"font-size: 14pt;\"><em>\u00a0<\/em><\/span><span style=\"font-size: 14pt;\"><em>&#8211; <\/em><a href=\"https:\/\/www.akamai.com\/blog\/security\/dns-exploit-keytrap-posed-major-internet-threat\" target=\"_blank\" rel=\"noopener\"><em>Akamai<\/em><\/a><em> &#8211;<\/em><\/span><\/p>\n<\/blockquote>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"ISTORIJA_RANJIVOSTI\"><\/span><span style=\"font-size: 14pt;\"><strong>ISTORIJA RANJIVOSTI<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-size: 14pt;\">Ova ranjivost nije novijeg datuma i prisutni su u zastarelom internet standardu <em>RFC 2535<\/em> iz 1999. godine. Ranjivost je 2012. godine u\u0161la u zahteve <em>DNSSEC<\/em> implementacije za validaciju, standarde <em>RFC 6781<\/em> i <em>RFC 6840<\/em>. Ranjivosti su bile u sajber prostoru najmanje od avgusta 2000. godine u <em>Bind9 DNS<\/em> prevodiocu i prenesene su u k\u00f4d <em>Unbound DNS<\/em> prevodioca u avgustu 2007. godine.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">Iako ranjivosti postoje u standardu oko 25 godina, nije bila ranije primije\u0107ena. Ovo nije iznena\u0111enje, jer je zbog slo\u017eenosti zahteva za <em>DNSSEC <\/em>validaciju bilo te\u0161ko identifikovati nedostatke. Iskori\u0161tavanje ranjivosti zahteva kombinaciju brojnih zahteva, zbog \u010dega to nije jednostavno \u010dak ni za <em>DNS<\/em> stru\u010dnjake da primijete.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"ZAKLJUCAK\"><\/span><span style=\"font-size: 14pt;\"><strong>ZAKLJU\u010cAK<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-size: 14pt;\"><em>DNS<\/em> je evoluirao u fundamentalni sistem na internetu koji je u osnovi \u0161irokog spektra aplikacija i omogu\u0107ava nove tehnologije. Nedavna mjerenja pokazuju da je u decembru 2023. godine 31,47% internet klijenata \u0161irom sveta koristilo <em>DNS<\/em> prevodioce koji koriste <em>DNSSEC <\/em>potvr\u0111ivanje.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">Stoga, <em>KeyTrap<\/em> napadi uti\u010du ne samo na <em>DNS<\/em> usluge, ve\u0107 i na sve aplikacije koje ga koriste. Nedostupnost <em>DNS<\/em> servisa mo\u017ee ne samo da sprije\u010di pristup sadr\u017eaju, ve\u0107 rizikuje i onemogu\u0107avanje bezbjednosnih mehanizama, poput za\u0161tite od ne\u017eeljene po\u0161te, infrastrukture javnih klju\u010deva (eng. <em>Public Key Infrastructures \u2013 PKI<\/em>), ili \u010dak bezbjednosti rutiranja me\u0111u domenima kao \u0161to je infrastruktura javnog klju\u010da resursa\u00a0 (eng. <em>Resource Public Key Infrastructure \u2013 RPKI<\/em>).<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">Na\u017ealost, ranjivosti koje su sigurnosni istra\u017eiva\u010di identifikovali nije jednostavno rije\u0161iti, po\u0161to su su\u0161tinski ukorenjene u filozofiji <em>DNSSEC<\/em> dizajna i nisu samo puke gre\u0161ke u implementaciji softvera. Od prvobitnog otkrivanja ranjivosti, sigurnosni istra\u017eiva\u010di su radili sa svim glavnim pru\u017eocima usluge na ubla\u017eavanju problema u njihovoj implementaciji, ali izgleda da potpuno spre\u010davanje napada zahteva da se su\u0161tinski preispita osnovna filozofija <em>DNSSEC<\/em> dizajna, odnosno da se preispitaju <em>DNSSEC<\/em> standardi.<\/span><\/p>","protected":false},"excerpt":{"rendered":"<p>Sigurnosni istra\u017eiva\u010di su otkrili ozbiljnu ranjivost koja je nazvana KeyTrap u funkciji pro\u0161irenja bezbjednosti sistema imena domena (eng. Domain Name System Security Extensions \u2013 DNSSEC) koja bi mogla da se iskoristi za uskra\u0107ivanje pristupa&#46;&#46;&#46;<\/p>","protected":false},"author":1,"featured_media":6230,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[844,713,845,194,843,284,347,842,846],"class_list":["post-6229","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hronike","tag-bind9","tag-cloudflare","tag-cve-2023-50387","tag-dns","tag-dnssec","tag-dos","tag-google","tag-keytrap","tag-unbound-dns"],"_links":{"self":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/posts\/6229","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/comments?post=6229"}],"version-history":[{"count":0,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/posts\/6229\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/media\/6230"}],"wp:attachment":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/media?parent=6229"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/categories?post=6229"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/tags?post=6229"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}