Nominum software provides DNS services for some 120 million broadband users around the world and it was quick off the mark to implement the initial fix for the Kaminsky vulnerability. However this fix, a technique know as UDP source port randomisation, did not address the underlying problem: it simply made exploitation several orders of magnitude harder. And in fact one researcher claims to have already cracked this protection but he was operating over a 10GBE Lan which enabled him to make many more attempts per hour than would be possible over the public Internet.
Now, according to Nominum, a new release of its Vantio caching DNS server platform "provides multi-layer intelligent defences that defeat DNS cache poisoning and other attacks, including the recently publicised Kaminsky vulnerability...[and that] far surpasses the recently released industry standard UDP source port randomisation (UDP SPR)....[and] negates the brute force advantage attackers gained with the latest DNS cache poisoning vulnerability.'
Dr Paul Mockapetris, chairman and chief scientist at Nominum and inventor of the DNS, said: "Literally one day after details of the Kaminsky cache poisoning attack were revealed, UDP source port randomisation was defeated in 10 hours by security researchers using brute-force spoofed response. Nominum's multi-layered approach eliminates the risk of a successful attack."
Key benefits claimed for the new release are that it:
- Resists and stops all forms of cache poisoning attacks;
- Defends automatically against query response spoofing and takes attackers out of loop;
- Prevents hijacking of subscriber traffic, or 'pharming" attacks;
- Identifies perpetrators and records attack attempts;
- Provides protection in enterprise and service provider networks that use network address translation (NAT), which can undermine UDP SPR;
- Reduces the chance of poisoning answers for valuable domains to zero.