Nominum Solves Kaminsky Attack

But the DNS specialist warns ISPs to remain vigilant, as threats are certain to evolve.

by Alex Goldman
ISP-Planet Managing Editor
[August 27, 2008]

Redwood City, Calif.-based Nominum, the DNS company singled out for praise by Dan Kaminsky in his DNS threat presentation to the Black Hat conference on August 8, 2008 (.ppt presentation, 107 pages), has modified its Vantio DNS product to defeat the Kaminsky attack.

Actually, the company's not claiming 100 percent perfection. Nominum admits that any attacker has a 1 in 10 million chance per query of getting through. But the patch for the problem, source port randomization (SPR), simply slows an attack; it cannot prevent one.

Vantio, says Bruce Van Nice, Nominum director of corporate marketing, has been shipping for the past 19 or 20 months. "It is not new. It is proven and widely deployed."

Nominum has improved it to fight the Kaminsky attack.

Four layers of defence
The Kaminsky attack submits a query to a DNS server and then supplies an answer. The answer will be ignored by the DNS server unless it has the correct query number (there are 2^16 possibilities) and the correct port number (if SPR is implemented, another 2^16 possibilities, for a total of 2^32).

SPR is Nominum's first layer of "defence." It slows down an attack but does not prevent it.

Layer two is what the company calls defense. If a strange query comes from an authoritative server, Vantio establishes a secure connection to the server, cutting out the attacker, who is spoofing the IP address of the secure server. Van Nice says this slows down an attack by at least 100 times.

Nominum calls layer three "resistance." First of all, Nominum resists giving out the IP addresses of name servers (glue records), making attacks more difficult. Second, it discards answers that are not a direct response to the query. A key element of the Kaminsky attack involved sending a query for www.1mybank.com and responding with an answer that says, "I don't know where www.1mybank.com is, but here's www.mybank.com." Vantio will discard replies structured in that way.

Finally, Vantio warns an ISP of an attack. If there's a strange response, Vantio will store the response and send ISP administrators an alert.

Just because there's a bad query doesn't mean there's an attack, Van Nice emphasizes. Subscribers will mistype domain names quite frequently. On the other hand, it pays to track bad replies, because bad replies are not innocent.
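The reply checks described above (matching query number and port, discarding answers that are not a direct response to the query, and storing bad replies for an alert), sketched as an added Python example that is not Nominum's code and not part of the original article. The parsed-message model, the `quarantine` list and the sample addresses are constructed for illustration, and the address-owner rule is a simplified reading of the "direct response" check.

```python
from collections import namedtuple

# Constructed model of already-parsed DNS messages (a real resolver decodes wire format).
Query = namedtuple("Query", "txid src_port qname qtype")
Record = namedtuple("Record", "section owner rtype rdata")
Response = namedtuple("Response", "txid dst_port qname qtype records")

ADDRESS_TYPES = {"A", "AAAA"}
quarantine = []  # hypothetical store of discarded replies for operator alerts


def norm(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.rstrip(".").lower()


def check_response(query, resp):
    """Return (accepted, reason); rejected replies are kept in quarantine."""
    reason = None
    if resp.txid != query.txid:
        reason = "query ID mismatch"
    elif resp.dst_port != query.src_port:
        reason = "destination port mismatch"
    elif (norm(resp.qname), resp.qtype) != (norm(query.qname), query.qtype):
        reason = "question section does not echo the query"
    else:
        # Names this reply may supply addresses for: the queried name plus
        # CNAME targets chained from it in the answer section (assumed in order).
        allowed = {norm(query.qname)}
        for r in resp.records:
            if r.section == "answer" and r.rtype == "CNAME" and norm(r.owner) in allowed:
                allowed.add(norm(r.rdata))
        for r in resp.records:
            if r.rtype in ADDRESS_TYPES and norm(r.owner) not in allowed:
                reason = f"unsolicited address for {norm(r.owner)}"
                break
    if reason:
        quarantine.append((query, resp, reason))
        return False, reason
    return True, "ok"


# Constructed samples using the article's names and documentation-range addresses.
Q = Query(0x1A2B, 40123, "www.1mybank.com", "A")
DIRECT = Response(0x1A2B, 40123, "www.1mybank.com", "A",
                  [Record("answer", "www.1mybank.com", "A", "192.0.2.10")])
SIDEWAYS = Response(0x1A2B, 40123, "www.1mybank.com", "A",
                    [Record("authority", "mybank.com", "NS", "www.mybank.com"),
                     Record("additional", "www.mybank.com", "A", "203.0.113.66")])
```
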

"Collectively, these four layers of defense give us capabilities no other vendor can offer," says Van Nice.

Semper Vigilans
Nominum is not claiming that the emergency is over. Attackers will respond to better defences by building better attacks. It's like the war against spam and against viruses.

Van Nice says, however, that Nominum has shown that it can respond to threats with innovation of its own. "ISPs need an infrastructure that lends itself to innovation," he says. "Attacks will continue to evolve, so ISPs need a platform that can adapt in response to the evolution in attacks."

Eventually, we will have DNSSEC, which will solve these problems. But it's not here today and it won't work until everyone in the DNS chain has deployed it. "It's tough to say when that will happen," says Van Nice. "It may be three or five years."

Meanwhile, Nominum will keep innovating, Van Nice says, and its Vantio product will complement the existing DNS monitoring capabilities of the ISP.

—End

Related articles:
  [Aug. 18, 2008] The DNS Vulnerability and the ISP
  [Aug. 5, 2008] Automating DNSSEC

 

 
