Communications of the ACM
Dns Remains Vulnerable One Year After Kaminsky Bug
In the year since security researcher Dan Kaminsky discovered a vulnerability in the domain name system (DNS), which could allow hackers to redirect traffic from a legitimate Web site to a fraudulent one, some progress has been made in implementing DNS Security Extensions (DNSSEC), the technology that prevents such cache-poisoning attacks.
For instance, VeriSign has promised to deploy DNSSEC on the .com and .net domains by 2011. Meanwhile, the U.S. federal government has ordered its agencies to deploy DNSSEC across the .gov domain by the end of this year. Federal DNS root servers will have to be signed by the end of this year as well, while DNSSEC will have to be deployed on internally facing DNS servers by June of next year.
However, DNSSEC will not operate at an optimum level until it is deployed across the entire root zone, individual top-level domains, and individual domain names. NeuStar's Rodney Joffe says that such a deployment will not take place for at least another year. Experts are warning that there will be a growing number of attacks on the Kaminsky vulnerability in the meantime.
"The incidence of cache-poisoning attacks is on the rise, and people are scared because they're insidious little beasts," says Secure64's Joe Gersch. He says that many firms often do not realize they are victims of a cache-poisoning attack. "We want to get to DNSSEC, but the industry is working on creative methods to work around the problem until DNSSEC is deployed," Gersch says.
From Network World
View Full Article
Abstracts Copyright © 2009 Information Inc., Bethesda, Maryland, USA 
No entries found