NeuStar offers temporary fix for Kaminsky bug

ISP-deployed system to protect Web sites until DNS security is widely deployed

NeuStar has developed a proprietary system for thwarting Web traffic hijacking attacks that the company plans to market until standard DNS Security (DNSSEC) mechanisms are deployed widely across the Internet.

NeuStar announced on Tuesday that three ISPs have deployed its new Cache Defender system, while four more Tier 1 ISPs are testing it. 

NeuStar says Cache Defender prevents cache poisoning attacks, where a hacker redirects DNS traffic to a bogus Web site without users knowing so that users' sensitive data can be stolen. These attacks exploit a significant DNS vulnerability that was discovered last summer by security researcher Dan Kaminsky. 

The Cache Defender system includes proprietary appliances that are placed in carriers' networks as well as each node of NeuStar's UltraDNS Directory Services Platform. These appliances create a secure, authenticated link for communications between two key layers of the DNS hierarchy: the recursive servers operated by ISPs and the authoritative servers operated by NeuStar on behalf of its enterprise customers.

The recursive DNS servers operated by ISPs direct users to Web sites by providing IP addresses for requested domain names. The authoritative DNS servers operated by the Web sites respond to those requests.

With its Cache Defender system, NeuStar uses digital signatures to authenticate that the authoritative DNS servers are delivering accurate data to the recursive DNS servers - without hijackers redirecting it.

"UltraDNS Directory Services Platform creates a secure link between each recursive and authoritative server to prevent cache poisoning," says Rodney Joffe, senior vice president and senior technologist at NeuStar.

NeuStar supports 4,000 enterprise customers - including more than 550 banks and major e-commerce sites such as Amazon.com -- with its outsourced DNS services. NeuStar says these customers were pushing the company to develop an interim solution to the Kaminsky bug until DNSSEC can be deployed.

"The Fortune 500 companies and 550 banks that are customers of ours see fraud every day," Joffe says. "They think DNSSEC is great, but they are asking us: What can you do for us in the meantime?"

Cache Defender is free for ISPs because the costs are being borne by the enterprise customers of NeuStar's UltraDNS managed DNS services. These customers are losing money daily from pharming attacks, and they are willing to pay more for NeuStar's DNS services to underwrite the cost of its Cache Defender appliances being installed in ISP networks.

"The ISPs don't pay for this," Joffe says. "Our customers pay for it through savings they see from fewer cache poisoning attacks."

Participating ISPs include Grande Communications, a Texas telco that said it allowed NeuStar to deploy its Cache Defender appliances in its network because the threat of cache poisoning attacks is "real" and it needs to take precautions to minimize the threat.

The number of cache poisoning attacks is on the rise, experts say. The most publicized attack was in April, when a major Brazilian financial institution was hit by a malicious DNS cache poisoning attack on a leading Brazilian ISP. 

The ultimate solution to cache poisoning attacks is DNSSEC, which uses digital signatures to authenticate all DNS communications. But DNSSEC will take several years to deploy across the Internet infrastructure. Several domains including .org and .gov are deploying DNSSEC, VeriSign has promised to digitally sign the .com domain by 2011, and the U.S. federal government has announced plans to have the DNS root zone signed by the year's end. 

Joffe says NeuStar is deploying DNSSEC, but that it is offering Cache Defender as an interim solution to the cache poisoning problem until DNSSEC is widely available.

"We have already deployed DNSSEC on our infrastructure for all of the top-level domains we operate. That's been in place since January," Joffe said. "The problem is that DNSSEC has not been deployed on the Internet, and it's not going to occur in any real way until probably 2011...The reality is, as much as we may all want to be able to do DNSSEC, we are a ways from being able to do it."

Tags neustarKaminskyDNSSEC

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Carolyn Duffy Marsan

Network World

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?