Nominum Caches In
One man's poison leads to another man's product, as Nominum Inc. is proving today with its latest security release.
The company has its own answer to the recently revealed method for DNS cache poisoning -- an attack that tricks a server into forwarding Web traffic to the wrong location. For example, a DNS server might be told that lightreading.com requests should be sent not to Light Reading, but to someplace unspeakably horrible.
Cache poisoning is an unavoidable loophole in DNS. The concept has been around for some time, but recently, researcher Dan Kaminsky found a faster way to get it done. He revealed details of the new threat at the Black Hat conference early this month, having kept the method under wraps until a defense was ready. (See New Internet Poison Gets Instant Antidote.)
Someone out there is taking advantage of it. China Netcom Corp. Ltd. (NYSE: CN; Hong Kong: 0906) was a recent victim, according to security firm Websense, as someone poisoned its default DNS server.
Nominum -- and Kaminsky, too -- say that's not going to be enough. The company's own answer involves multiple defenses, starting with port randomization.
But Nominum also offers what it's calling a Resistance Layer. It's pretty simple: The DNS server doesn't keep all parts of an answer to its queries.
That's important because phony answers are one key to fooling the DNS server. It happens when the server gets an URL request that it doesn't recognize. The server then starts asking its neighbors for advice.
Someone out to do DNS cache poisoning can exploit this by bombarding the DNS server with queries for URLS that don't exist -- and also with fake answers. These answers don't say where the URL is located. Instead, they're of the form, "I don't know the answer, but the server at [some IP address] does." That last part points to the attacker's server, providing a foot in the door if that answer is accepted.
So, this Resistance Layer? It means Nominum's server remembers only the "I don't know the answer" part, disregarding the pointer to another location.
Nominum has also created a Remidiation Layer, which alerts network operators if suspicious activity is detected.
All this security has been added to Vanito, the next-generation DNS server that Nominum started shipping about 18 months ago. Nominum's customers already have their hands on the new software.
Reports shortly after Kaminsky's Black Hat presentation said most carriers hadn't yet bothered patching against the cache poisoning threat, but Nominum says that's not the experience it's had. "Most of our major carriers have upgraded," says Bruce Van Nice, Nominum's director of product marketing.
— Craig Matsumoto, West Coast Editor, Light Reading