
NeuStar offers DNS cache poisoning solution to ISPs

Cache Defender will be free to many ISPs as NeuStar works to protect its financial services customers from attacks


NeuStar, a security solution vendor primarily for the financial industry, is targeting ISPs with an interim answer to Domain Name System (DNS) cache poisoning, one it claims is unique in an industry still waiting for DNS security technology as the long-term answer.

Cache poisoning is a security breach highlighted in 2008 by security researcher Dan Kaminsky – thus it's sometimes called the Kaminsky bug – that allows Web sites to be hijacked and key financial information to be captured and used to compromise banking and e-commerce accounts. By "poisoning" a DNS server, criminals redirect Web traffic to their own sites, which are set up to look exactly like legitimate banking and e-commerce sites, and capture critical identity and account information from unsuspecting users.

NeuStar's client base is primarily banks and electronic retailers that have thus far borne the brunt of losses from DNS cache poisoning, said Rodney Joffe, senior vice president and senior technologist at NeuStar.

"What we were faced with is a large number of innocent financial firms, banks and e-tailers who are customers of ours, and to address their needs, we have developed an interim solution to the DNS cache poisoning problem," Joffe said. "They pick up the cost of the product, and we are shipping it today and making it available to ISPs."

The solution, Cache Defender, uses two boxes: one placed in front of the NeuStar UltraDNS Directory Services Platform box at the financial customer's site and one within the ISP network. The bank-side appliance adds a cryptographic digital signature, Joffe said, and the ISP box knows to look for that signature and discards any traffic that doesn't carry it, blocking attempts at cache poisoning.
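The sign-then-filter arrangement described above can be sketched as follows. This is an added example, not NeuStar's implementation: the simplified packet layout, the shared key and the use of HMAC-SHA256 in place of the product's unspecified signature scheme are all assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # assumption: key provisioned on both boxes
TAG_LEN = hashlib.sha256().digest_size

def build_response(txid, qname, ip):
    """Constructed, simplified DNS answer: txid, length-prefixed name, IPv4."""
    name = qname.encode("ascii")
    addr = bytes(int(octet) for octet in ip.split("."))
    return struct.pack("!HB", txid, len(name)) + name + addr

def sign(packet, key=KEY):
    """Bank-side box: append a tag computed over the whole response."""
    return packet + hmac.new(key, packet, hashlib.sha256).digest()

def verify_and_strip(wire, key=KEY):
    """ISP-side box: return the inner response, or None to discard it."""
    if len(wire) <= TAG_LEN:
        return None
    packet, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, packet, hashlib.sha256).digest()
    return packet if hmac.compare_digest(tag, expected) else None

def plain_cache_accepts(packet, txid, qname):
    """Simplified check of an unprotected cache: ID and name match the query."""
    got_txid, n = struct.unpack("!HB", packet[:3])
    return got_txid == txid and packet[3:3 + n] == qname.encode("ascii")

def demo():
    txid, qname = 0x1A2B, "www.bank.example"
    genuine = build_response(txid, qname, "192.0.2.10")
    forged = build_response(txid, qname, "203.0.113.66")   # spoofed, ID guessed
    arrivals = [forged, forged + bytes(TAG_LEN), sign(genuine)]
    kept = [p for p in map(verify_and_strip, arrivals) if p is not None]
    return plain_cache_accepts(forged, txid, qname), kept == [genuine]

if __name__ == "__main__":
    print(demo())
```

The forged answer satisfies the checks of the unprotected cache, but the verifying box drops it whether it arrives without a tag or with an invalid one, and passes only the signed response.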

Grande Communications, a Texas ISP, has deployed Cache Defender, and Joffe said other ISPs, including tier-one players, are testing it.

"They are not paying us for this – the larger ISPs, especially," Joffe said. "We are giving them these devices."

NeuStar's goal is to protect its existing customers from financial losses that can occur. "It is a numbers game, and if, at some point, we have to start charging, we will provide it at cost," he said.

ISPs often aren't aware of the DNS cache poisoning problem until their customers complain, Joffe said. "Cache poisoning does happen and happens very subtly. Criminals have learned not to make a noise. They poison entries for short periods of time. When an ISP checks, the answers look good."

For example, Brazilian bank Bradesco was the victim of a cache-poisoning attack on Brazilian ISP Net Virtua that affected 1% of its user accounts in a matter of hours. Joffe said security officials for financial organizations usually pick up on a DNS cache-poisoning episode before the ISP.

The industry is working on DNS security, which will be a longer-term solution to problems such as cache poisoning, Joffe said, but he believes full deployment of it "is at least two years away."

© 2010 Penton Media Inc.
