NeuStar offers temporary fix for Kaminsky bug
NeuStar has developed a proprietary system for thwarting Web traffic hijacking attacks that the company plans to market until standard DNS Security (DNSSEC) mechanisms are deployed widely across the Internet.
NeuStar announced on Tuesday that three ISPs have deployed its new Cache Defender system, while four more Tier 1 ISPs are testing it.
[ Related reading: 20 useful IT security Web sites ]
NeuStar says Cache Defender prevents cache poisoning attacks, where a hacker redirects DNS traffic to a bogus Web site without users knowing so that users’ sensitive data can be stolen. These attacks exploit a significant DNS vulnerability that was discovered last summer by security researcher Dan Kaminsky.
The Cache Defender system includes proprietary appliances that are placed in carriers’ networks as well as each node of NeuStar’s UltraDNS Directory Services Platform. These appliances create a secure, authenticated link for communications between two key layers of the DNS hierarchy: the recursive servers operated by ISPs and the authoritative servers operated by NeuStar on behalf of its enterprise customers.
The recursive DNS servers operated by ISPs direct users to Web sites by providing IP addresses for requested domain names. The authoritative DNS servers operated by the Web sites respond to those requests.
With its Cache Defender system, NeuStar uses digital signatures to authenticate that the authoritative DNS servers are delivering accurate data to the recursive DNS servers – without hijackers redirecting it.
“UltraDNS Directory Services Platform creates a secure link between each recursive and authoritative server to prevent cache poisoning,” says Rodney Joffe, senior vice president and senior technologist at NeuStar.
NeuStar supports 4,000 enterprise customers – including more than 550 banks and major e-commerce sites such as Amazon.com -- with its outsourced DNS services. NeuStar says these customers were pushing the company to develop an interim solution to the Kaminsky bug until DNSSEC can be deployed.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
dns
Powered by TwitterOn Twitter now
dns
Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
PS3 motion controller delayed; goes up against Project Natal
sjvn
Neolithic Windows security hole alive and well in Windows 7
claird
Perl source code comparison makes for good reading
mikelgan
Cell phones don't create stress or interrupt much
Sandra Henry-Stocker
How to: The Unix Interview
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Ubuntu advances: Why Ubuntu server installations will surge in 2010
- Social media marketing: How to make friends with benefits
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
