Tuesday, March 25, 2008

Security: NIST Unveils Tool to Foil Attacks via DNS

NIST Unveils Tool to Foil Attacks via DNS
Government Computer News (03/25/08) Campbell, Dan

National Institute of Standards and Technology (NIST) network researchers Scott Rose and Anastase Nakassis have written a paper that introduces a method federal systems administrators can use to protect their systems from attacks launched over the Domain Name System (DNS). Rose and Nakassis say that the DNS security extensions (DNSSEC), which were originally meant to protect DNS zone data, have an unintentional side effect that enables an attack precursor known as "zone enumeration." Although zone enumeration is possible without DNSSEC, the traditional methods are often impractical because they rely on time-consuming or processor-intensive brute-force techniques that are often repelled by intrusion detection systems. Rose and Nakassis also note that several techniques allow networks to realize the intended authentication and integrity benefits of DNSSEC while simultaneously "reducing DNS information leakage." Such techniques matter because the need to protect network operations with the methods DNSSEC offers will only increase as DNS becomes increasingly important. In addition, the techniques could improve DNSSEC authentication and integrity protection, which would in turn protect DNS zones and stop attempts to compromise data.