NeuStar offers temporary fix for Kaminsky bug
NeuStar has developed a proprietary system for thwarting Web traffic hijacking attacks that the company plans to market until standard DNS Security (DNSSEC) mechanisms are deployed widely across the Internet.
NeuStar announced on Tuesday that three ISPs have deployed its new Cache Defender system, while four more Tier 1 ISPs are testing it.
[ Related reading: 20 useful IT security Web sites ]
NeuStar says Cache Defender prevents cache poisoning attacks, where a hacker redirects DNS traffic to a bogus Web site without users knowing so that users’ sensitive data can be stolen. These attacks exploit a significant DNS vulnerability that was discovered last summer by security researcher Dan Kaminsky.
The Cache Defender system includes proprietary appliances that are placed in carriers’ networks as well as each node of NeuStar’s UltraDNS Directory Services Platform. These appliances create a secure, authenticated link for communications between two key layers of the DNS hierarchy: the recursive servers operated by ISPs and the authoritative servers operated by NeuStar on behalf of its enterprise customers.
The recursive DNS servers operated by ISPs direct users to Web sites by providing IP addresses for requested domain names. The authoritative DNS servers operated by the Web sites respond to those requests.
With its Cache Defender system, NeuStar uses digital signatures to authenticate that the authoritative DNS servers are delivering accurate data to the recursive DNS servers – without hijackers redirecting it.
“UltraDNS Directory Services Platform creates a secure link between each recursive and authoritative server to prevent cache poisoning,” says Rodney Joffe, senior vice president and senior technologist at NeuStar.
NeuStar supports 4,000 enterprise customers – including more than 550 banks and major e-commerce sites such as Amazon.com -- with its outsourced DNS services. NeuStar says these customers were pushing the company to develop an interim solution to the Kaminsky bug until DNSSEC can be deployed.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
dns
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
