NeuStar offers temporary fix for Kaminsky bug
NeuStar has developed a proprietary system for thwarting Web traffic hijacking attacks that the company plans to market until standard DNS Security (DNSSEC) mechanisms are deployed widely across the Internet.
NeuStar announced on Tuesday that three ISPs have deployed its new Cache Defender system, while four more Tier 1 ISPs are testing it.
[ Related reading: 20 useful IT security Web sites ]
NeuStar says Cache Defender prevents cache poisoning attacks, where a hacker redirects DNS traffic to a bogus Web site without users knowing so that users’ sensitive data can be stolen. These attacks exploit a significant DNS vulnerability that was discovered last summer by security researcher Dan Kaminsky.
The Cache Defender system includes proprietary appliances that are placed in carriers’ networks as well as each node of NeuStar’s UltraDNS Directory Services Platform. These appliances create a secure, authenticated link for communications between two key layers of the DNS hierarchy: the recursive servers operated by ISPs and the authoritative servers operated by NeuStar on behalf of its enterprise customers.
The recursive DNS servers operated by ISPs direct users to Web sites by providing IP addresses for requested domain names. The authoritative DNS servers operated by the Web sites respond to those requests.
With its Cache Defender system, NeuStar uses digital signatures to authenticate that the authoritative DNS servers are delivering accurate data to the recursive DNS servers – without hijackers redirecting it.
“UltraDNS Directory Services Platform creates a secure link between each recursive and authoritative server to prevent cache poisoning,” says Rodney Joffe, senior vice president and senior technologist at NeuStar.
NeuStar supports 4,000 enterprise customers – including more than 550 banks and major e-commerce sites such as Amazon.com -- with its outsourced DNS services. NeuStar says these customers were pushing the company to develop an interim solution to the Kaminsky bug until DNSSEC can be deployed.
“The Fortune 500 companies and 550 banks that are customers of ours see fraud every day,” Joffe says. “They think DNSSEC is great, but they are asking us: What can you do for us in the meantime?”
Cache Defender is free for ISPs because the costs are being borne by the enterprise customers of NeuStar’s UltraDNS managed DNS services. These customers are losing money daily from pharming attacks, and they are willing to pay more for NeuStar’s DNS services to underwrite the cost of its Cache Defender appliances being installed in ISP networks.
“The ISPs don’t pay for this,” Joffe says. “Our customers pay for it through savings they see from fewer cache poisoning attacks.”
Participating ISPs include Grande Communications, a Texas telco that said it allowed NeuStar to deploy its Cache Defender appliances in its network because the threat of cache poisoning attacks is “real” and it needs to take precautions to minimize the threat.
The number of cache poisoning attacks is on the rise, experts say. The most publicized attack was in April, when a major Brazilian financial institution was hit by a malicious DNS cache poisoning attack on a leading Brazilian ISP.
The ultimate solution to cache poisoning attacks is DNSSEC, which uses digital signatures to authenticate all DNS communications. But DNSSEC will take several years to deploy across the Internet infrastructure. Several domains including .org and .gov are deploying DNSSEC, VeriSign has promised to digitally sign the .com domain by 2011, and the U.S. federal government has announced plans to have the DNS root zone signed by the year’s end.
Joffe says NeuStar is deploying DNSSEC, but that it is offering Cache Defender as an interim solution to the cache poisoning problem until DNSSEC is widely available.
“We have already deployed DNSSEC on our infrastructure for all of the top-level domains we operate. That’s been in place since January,” Joffe said. “The problem is that DNSSEC has not been deployed on the Internet, and it’s not going to occur in any real way until probably 2011…The reality is, as much as we may all want to be able to do DNSSEC, we are a ways from being able to do it.”