DNS Companies Address Cache Poisoning, Phishing

By Monta Monaco Hernon

Earlier this year, Dan Kaminisky, renowned "Black Ops" software expert and director of penetration testing at computer security services firm IOActive, discovered a flaw in the domain name system (DNS) protocol.

Since then, there has been a buzz about cache poisoning and phishing scams. Solutions continue to come online that allow cable operators to help protect high-speed data customers from such attacks as well as illegal content and spam.

As case in point is Nominum, a network naming and addressing solutions provider, which recently enhanced its caching DNS platform.

"In a simple sense, DNS was designed to give answers as they are and has operated that way for a long time," said Gopola Tumuluri, Nominum vice president of product management and marketing. "Not all answers or requests for destinations are good ones. We are prioritizing the good ones and preventing access to the bad ones."

"Since all applications and devices that access anything on the Internet rely on DNS, we see everything," said Bruce Van Nice, Nominum director of corporate marketing. "By examining a request we can quickly - a few microseconds - determine whether or not the request is for a malicious domain. If it is, we can return a warning page."

This is accomplished through the Vantio Malicious Domain Redirection (MDR) Service Delivery Module and the Centris Server, which tracks a billion malicious Internet destinations and makes the information available to the MDR nodes. The software-based solution can be used with the Vantio platform or with a customer's existing hardware, Tumuluri said.

Intercepted information

Cache poisoning and phishing can be likened to a criminal climbing a tree outside of a home and intercepting a phone call to information asking for a bank telephone number, said Rodney Joffe, NeuStar senior vice president and chief technologist.

"I give you the phone number of one of my fellow criminals," Joffe said. "You call believing it is (the bank). You say, 'I'd like to arrange for a transfer,' and he says, 'Can I have your user ID and password?'" The person is then transferred to the real bank, never knowing he gave away his security information.

With the Internet, if a criminal can trick the DNS server, he can present a Web site that looks like the bank's and collect sensitive information. "If a customer ended up on a criminal site and was defrauded, (he) would probably go to the cable company (ISP) and blame them for giving the bad answer," Joffe added. "It is their recursive server that translates (the) IP address."

NeuStar has a product called the DNS Shield. Going back to the telephone call analogy, imagine placing a bank branch inside a customer's kitchen. "There would be no ability for anyone on the outside to go ahead and intercept the phone call," Joffe said.

With the DNS Shield, "authoritative" DNS servers are placed within the ISP's recursive network, which then connects directly with the UltraDNS network. DNS queries are resolved within the ISP's infrastructure. "This limits the ability of anyone on the outside to poison the cache," Joffe said.

The end goal is DNS Security Extensions (DNSSEC) deployment, but Joffe doesn't expect that to occur for year and a half. DNSSEC is an Internet Engineering Task Force specification. "Solutions like (ours) are there to give some kind of relief for when DNSSEC is widely deployed," Joffe said.

Joffe's company, however, also is getting ready to announce a "long-term" solution designed to "enhance the ability to deal with cache poisoning specifically." He didn't give many details except that users going to a Web site of a NeuStar's enterprise customer, including Amazon.com, will know it is authentic.

- Monta Monaco Hernon

Read more news and analysis on Communications Technology's Web site at http://www.cable360.net/ct/news/.