August 27, 2008
Nominum Leapfrogs Industry Response to DNS Vulnerability With New Security Package
Nominum, the leading provider of network naming and addressing technologies, today announced the availability of a comprehensive new security release for its Vantio caching DNS server platform. The latest Vantio software release provides multi-layer intelligent defenses that defeat DNS cache poisoning and other attacks, including the recently publicized Kaminsky vulnerability. By offering built-in defense-in-depth, the Nominum solution far surpasses the recently released industry standard UDP Source Port Randomization (UDP SPR). In fact, Vantio's new defenses negate the brute force advantage attackers gained with the latest DNS cache poisoning vulnerability.
"Literally one day after details of the Kaminsky cache poisoning attack were revealed, UDP Source Port Randomization was defeated in 10 hours by security researchers using brute-force spoofed responses," said Dr. Paul Mockapetris, Chairman and Chief Scientist at Nominum and inventor of the DNS. "Nominum's multi-layered approach eliminates the risk of a successful attack."
-- Resists and stops all forms of cache poisoning attacks
-- Defends automatically against query response spoofing and takes attackers out of loop
-- Prevents hijacking of subscriber traffic, or "pharming" attacks
-- Identifies perpetrators and records attack attempts
-- Provides protection in Enterprise and Service Provider networks that use network address translation (NAT), which can undermine UDP SPR (NAT devices include server load balancers and firewalls)
-- Reduces the chance of poisoning answers for valuable domains (www.mybank.com) to zero
Protection Well Beyond the Industry Response
Nominum and its customers were instrumental in implementing and deploying UDP SPR as part of an industry-wide response to the cache poisoning threat. This feature offered immediate protection to over 120 million broadband subscribers supported by Nominum DNS servers at nearly one hundred carriers and ISPs (click here: http://www.nominum.com/customers/index.php for a partial list of Nominum's key customers).
UDP source port randomization is only a first-step response to the new vulnerability, and network operators need additional deterministic defenses to address important exploits. Cache poisoning attacks rely on many techniques, and response spoofing is only one of them. UDP source port randomization is designed to mitigate risk of spoofing, but is not effective against a determined attacker or other forms of attacks. Response spoofing can be easily subverted when more network resources are available to an attacker that allow for sending many spoofed responses. Nominum's new defenses are critical to ensuring the attacker does not succeed.
"Layered defenses in the DNS system are an effective way to address serious attack scenarios that aren't covered by UDP Source Port Randomization alone," said Dan Kaminsky, the security researcher who discovered the latest DNS vulnerability. "As new DNS vulnerabilities are discovered, a layered approach such as Nominum's will help in ensuring ongoing Internet security."
Vantio features the following four security layers with key security features highlighted:
-- Deterrence Layer: Includes Nominum's leading UDP Source Port Randomization implementation, the recommended industry response to the Kaminsky threat
-- Defense Layer: Incorporates Nominum's "Detect and Defend" capability to detect spoofing attempts and automatically switch the resolution to a secure connection in response to an attack attempt.
-- Resistance Layer: Employs Query Response Screening with a set of features that intelligently screen DNS answers to ensure malicious data in DNS responses is not used to answer valid user queries
-- Remediation Layer: Sends alerts when an attack is under way and incorporates a new feature that records the attack, allowing the attacker to be identified, and real-time remedial action to be taken by the network operator.
"Layered security is the only way to defend against the emerging threats to the Internet," said Tom Tovar, CEO of Nominum. "Our customers, the largest networks in the world, have an obligation to deliver the highest-level of security in delivering Internet service to consumer, enterprise and government users. Nominum's new software release ensures that our customers can meet that obligation immediately and completely."
Pricing and Availability
The new Vantio release is generally available as standard software purchase for carriers, large enterprise and government customers. For more information regarding Nominum's DNS platforms and background on the company, visit www.nominum.com.
Tags and Keywords: DNS Security, DNS Vulnerability, cache poisoning, pharming, Internet security, UDP Source Port Randomization, DNS caching, DNS software, network address translation, NAT, Nominum, Vantio, Kaminsky
For More Information:
-- Latest Nominum news (http://www.nominum.com/news/index.php)
-- Nominum success stories (http://www.nominum.com/customers/case_studies.php)
-- Nominum product overview (http://www.nominum.com/products/index.php)
-- Nominum DNS Protects Over 120 Million Internet Users from New Vulnerability (http://www.nominum.com/news/press/nominum_dns_protects_ over.php) (Due to its length, this URL may need to be copied/pasted into your Internet browser's address field. Remove the extra space if one exists.)
Nominum's network naming and addressing solutions power the world's largest always-on networks. Nominum's Vantio is a carrier-grade caching DNS server offering highly secure, reliable, and scalable DNS services. It is the industry's highest performance caching DNS server, proven in carrier networks around the globe. Optional service delivery modules support the rapid and reliable deployment of carrier-centric services that leverage DNS. Vantio allows communication providers to deliver high quality always-on broadband internet and innovative services to their customers, including VoIP, push to talk, fixed-mobile convergence, IPTV and triple-play. For further information, visit www.nominum.com.