Web security company Neustar is launching a product that protects web sites from DNS cache poisoning, an attack hackers have used to hijack web sites.
A year ago, security researcher Dan Kaminsky stunned the world with his disclosure of a fundamental flaw in the Domain Name System (DNS), the Internet's address book. He discovered it was possible to poison that address book so that hackers could misdirect traffic meant for one web site to another. The patch he and others coordinated was really just a temporary solution, and hackers have found ways to get around it.
Neustar’s Cache Defender security appliance protects sites from being hijacked by adding a new layer of authentication to DNS lookups. The new hardware product matters because it may be years before the flaw is fixed for good. In the meantime, some big companies, such as a bank in Brazil, have seen their sites hijacked for hours at a time. That exposes the customers of banks and other vulnerable sites to identity theft and other scams.
The cache poisoning trick exploits a flaw in DNS servers, which serve as the address book for sites on the Internet. Kaminsky discovered that an attacker could flood a DNS server with forged answers, each carrying a random guess at the 16-bit transaction ID the server uses to match an answer to its own question, and eventually hit the right one. Once the server accepts a forged answer, the attacker has reassigned a site's address to any server they want. They could then set up a bogus site to collect passwords as users logged in. Kaminsky and others came up with a patch, which randomizes the source port of each query so that an attacker has to guess that as well, but they didn’t consider the fix a permanent solution. That’s because computers and networks keep getting faster, letting criminal hackers flood DNS servers with more guesses in the same amount of time.
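To put numbers on the paragraph above, here is an added example (not code from the article or from Neustar) that models the guessing attack as a probability problem. An off-path attacker cannot see the server's outstanding question, so each forged answer is a uniform random guess at the matching fields: only the 16-bit transaction ID before the patch, transaction ID plus a randomized source port after it. The model assumes the full 16-bit port range is used (real servers reserve some ports, so the true figure is a little lower) and that the attacker can repeat the race indefinitely, as Kaminsky did by querying a fresh random subdomain each time so that nothing was cached; the packet rate and race window are illustrative parameters, not measurements.

```python
"""Model of DNS cache-poisoning guesswork: 16-bit TXID alone vs. TXID + random port.

Added example, not from the original article. Parameters are assumptions chosen
for illustration.
"""
import math

TXID_BITS = 16  # DNS transaction ID field is 16 bits wide
PORT_BITS = 16  # assumption: the patched server draws its source port from the full 16-bit range


def guess_space(randomize_port: bool) -> int:
    """Number of (TXID[, port]) combinations an off-path attacker must guess among."""
    bits = TXID_BITS + (PORT_BITS if randomize_port else 0)
    return 1 << bits


def hit_probability(randomize_port: bool, replies_per_race: int) -> float:
    """P(at least one of n independent uniform guesses matches the live query).

    Uses log1p/expm1 so the 2^-32 case does not lose precision to rounding.
    """
    if replies_per_race < 0:
        raise ValueError("replies_per_race must be non-negative")
    space = guess_space(randomize_port)
    return -math.expm1(replies_per_race * math.log1p(-1.0 / space))


def replies_for_probability(randomize_port: bool, target: float) -> int:
    """Smallest number of forged replies in one race giving at least `target` success odds."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    space = guess_space(randomize_port)
    return math.ceil(math.log(1.0 - target) / math.log1p(-1.0 / space))


def expected_seconds_to_poison(randomize_port: bool, attacker_pps: float, race_window_s: float) -> float:
    """Expected wall-clock time until one race is won.

    Each race: the attacker triggers a query for an uncached name, then floods forged
    answers until the genuine answer arrives after race_window_s seconds. Races repeat
    until one succeeds, so the expected number of races is 1/p.
    """
    replies = int(attacker_pps * race_window_s)
    if replies == 0:
        raise ValueError("attacker sends no replies within the race window")
    p = hit_probability(randomize_port, replies)
    return race_window_s / p


if __name__ == "__main__":
    # Illustrative attacker: 10,000 forged packets/s, genuine answer lands after 50 ms.
    for pps in (10_000, 100_000, 1_000_000):
        before = expected_seconds_to_poison(False, pps, 0.05)
        after = expected_seconds_to_poison(True, pps, 0.05)
        print(f"{pps:>9} pps: TXID only ~{before:8.1f} s   TXID+port ~{after / 3600:10.1f} h")
    print("replies per race for 50% odds:",
          replies_for_probability(False, 0.5), "(TXID)",
          replies_for_probability(True, 0.5), "(TXID+port)")
```

The table the script prints makes the article's two points concrete: with only the transaction ID to guess, a modest flood wins in seconds; adding a random port multiplies the work by roughly 65,000, but every tenfold increase in the attacker's packet rate cuts the expected time by the same factor, which is why source-port randomization was treated as a stopgap rather than a fix.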
Rodney Joffe, senior vice president at Sterling, Va.-based Neustar and a designer of Cache Defender, was one of the 16 people whom Kaminsky notified upon discovering the flaw last year. Joffe and the team at Neustar have been working on a product companies can install for protection in the meantime.
“We essentially put a screen around your porch to keep the bugs out,” Joffe said.
The permanent solution is dubbed DNSSEC, a set of security extensions to DNS that is set to be deployed as early as 2011. A lot of infrastructure and software has to be upgraded to put DNSSEC into effect. On top of that, DNSSEC has been caught up in international politics. Under the current scheme, the U.S. will control the master key at the top of the DNSSEC hierarchy. Some countries don’t like that. Another problem is that DNSSEC needs to be widely deployed to be effective.
Joffe said Cache Defender offers the same benefits as DNSSEC, but it uses Neustar’s own proprietary solution. Neustar sells a hardware appliance that Internet service providers put in front of their DNS servers. The appliance generates an authentication request that goes to Neustar’s own hardware appliances, and only if there’s a match is the request allowed to proceed. Customers that have already deployed Cache Defender include Grande Communications, an Internet service provider in Texas.
Neustar is a publicly traded company with 1,000 employees. It spun off from Lockheed Martin in 1996. The company’s products currently protect about 20 million web sites.