<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Nominum.com</title>
	<atom:link href="http://www.nominum.com/feed" rel="self" type="application/rss+xml" />
	<link>http://www.nominum.com</link>
	<description>Nominum is the worldwide leader in DNS solutions and DNS Security. Nominum takes the lead when it comes to creating secure Domain Name Server Solutions that enhance network protection.</description>
	<lastBuildDate>Wed, 16 May 2012 17:51:51 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Frontline and Nominum Deliver Integrated DNS-based platform to Enhance Enterprise Security and Ensure Business Continuity</title>
		<link>http://www.nominum.com/press-release/2012/frontline-may2012</link>
		<comments>http://www.nominum.com/press-release/2012/frontline-may2012#comments</comments>
		<pubDate>Tue, 15 May 2012 18:57:12 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[2012]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11456</guid>
		<description><![CDATA[Long-term partnership expands to deliver carrier-grade security solutions for high-end enterprises AUSCERT Conference Gold Coast, Queensland May 16, 2012 – Frontline Systems Australia, an NTT company, is building on a longstanding partnership with Nominum, the worldwide leader in integrated DNS-based applications and solutions, to deliver a new carrier grade DNS/DHCP platform targeted at high end [...]]]></description>
			<content:encoded><![CDATA[<p><em>Long-term partnership expands to deliver carrier-grade security solutions for high-end enterprises</em></p>
<p>AUSCERT Conference Gold Coast, Queensland May 16, 2012 – Frontline Systems Australia, an NTT company, is building on a longstanding partnership with Nominum, the worldwide leader in integrated DNS-based applications and solutions, to deliver a new carrier grade DNS/DHCP platform targeted at high end enterprises who are especially exposed to the now pervasive threat of malware and botnets.</p>
<p>Unlike proprietary appliances that rely on open source engines with minimal security, constant patches, and moderate performance, the new solution takes advantage of Nominum’s Vantio DNS software running on “off the shelf”, carrier grade HP hardware and hardened Red Hat Linux.  Frontline Level 1 technical support, coupled with the proven stability and resilience of the Nominum software, as well as extremely robust hardware and OS will ensure an easy, out of the box deployment and ongoing operation.</p>
<p>Nominum’s solution is based on a unique three-tier architecture – DNS engines, platforms and applications. The platforms are designed with layers of security protections that remain unmatched, protecting critical DNS servers and the data they contain against DDoS and cache poisoning attacks. Optional Nominum applications add additional protections from malware, botnets and a multitude of other Internet exploits.  Every device on the network can be protected and there is no need to introduce any new equipment into the network.  Any enterprise that deals with valuable or sensitive data can quickly take advantage of advanced botnet identification and mitigation without any significant changes to their existing network.</p>
<p>“Any enterprise that deals with valuable or sensitive data can quickly identify and quarantine malware-infected hosts frequently missed by other network security equipment.  By leveraging Nominum’s open three-tier architecture and 3<sup>rd</sup>-party API’s, enterprises can also integrate their own threat intelligence or have alerts published to third-party products such as Security Information and Event Management (SIEM) consoles”, said Craig Sprosts, General Manager of Security Solutions at Nominum.</p>
<p>The DNS based security application will be available from Frontline Systems with full technical support and virtualization services. “We’re taking the expertise we’ve gained deploying mission critical solutions at the largest and most demanding networks in Australia, and providing security and IT teams a critical new layer of protection against loss of company or customer data,” said Chris Ford, Frontline Systems Australia.  “We’ll give CIOs and Security Operations teams a brand new tool for monitoring and managing malicious threats brought into their networks from employee devices including iPads, smartphones, USB sticks, or other IP devices.”</p>
<h2><strong>About Frontline Systems Australia</strong></h2>
<p>Established in 1992, Frontline Systems was a privately held IT business headquartered in Sydney, Australia with 200+ employees and offices in Singapore, Brisbane, Canberra, Melbourne and Adelaide. In May, 2011, NTT Communications Corp, the global Japanese telecommunications provider, purchased a significant portion of Frontline. Frontline’s business is built around the provisioning of managed services, professional services and enabling infrastructure to its large client base in Australia and Singapore. Our clients include the very largest of Australian businesses from telecommunications, banking and government. Now with NTT’s involvement, Frontline’s expansion locally and through Asia will continue, offering complementary business solutions to those of NTT Communications Corp.</p>
<h2><strong>About Nominum </strong></h2>
<p>Nominum is the leading provider of integrated DNS-based solution applications for service providers.  As the leader in DNS technology for the past decade, we have evolved DNS to become a necessary strategic tool for service providers to help address some of the most pressing challenges they face today.  Supporting more than 500 million Internet users worldwide, our DNS-based three-tiered architecture of applications allows service providers to provide differentiated services while meeting their needs for security, network performance and low latency with cost efficiency and agility. Nominum is a global organization headquartered in Redwood City, CA.</p>
<p><strong>For Frontline press inquiries contact:</strong></p>
<p>Rudolf Wagenaar<br />
Howorth<br />
02 8281 3879/0439082550<br />
<a href="mailto:Rudolf@howorth.com.au">Rudolf@howorth.com.au</a></p>
<p><strong>For Nominum press inquiries contact:</strong></p>
<p>Margaret Hoerster<br />
Finn Partners<br />
<a href="mailto:Nominum@finnpartners.com">Nominum@finnpartners.com</a><br />
312-329-3909</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/press-release/2012/frontline-may2012/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nominum Launches Comprehensive Suite of DNS-based Security Solutions  for Russian Service Providers</title>
		<link>http://www.nominum.com/press-release/2012/russia-security-launch</link>
		<comments>http://www.nominum.com/press-release/2012/russia-security-launch#comments</comments>
		<pubDate>Tue, 15 May 2012 01:00:56 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[2012]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11383</guid>
		<description><![CDATA[Integrated Three-Tier Architecture enables fixed broadband and mobile service providers in Russia to combat growing cyber-security threats SVIAZ, Moscow – May 15, 2012 — Nominum, the worldwide leader in integrated DNS-based applications and solutions, announces the Nominum Security Suite for fixed broadband and mobile service providers in Russia.  This suite offers network and end-user solutions [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;" align="center"><em>Integrated Three-Tier Architecture enables fixed broadband and mobile service providers in Russia to combat growing cyber-security threats</em></p>
<p>SVIAZ, Moscow – May 15, 2012 — Nominum, the worldwide leader in integrated DNS-based applications and solutions, announces the Nominum Security Suite for fixed broadband and mobile service providers in Russia.  This suite offers network and end-user solutions and applications for stopping outbound spam, botnet mitigation, phishing and malware prevention, illegal content filtering, managed security, mobile security, and more.  All of these solutions leverage Nominum’s high-performance DNS engines, which are proven in the world’s largest networks and designed to meet the incredible growth rate experienced by Russian operators.</p>
<p>More than 500 million Internet users depend on Nominum-powered networks around the world every day. To help optimize broadband service speed and safety, fixed broadband and mobile service providers rely on Nominum’s three-tiered architecture:  the engines, which make networks faster and more efficient, platforms which increase business agility, and applications that increase competitive differentiation.</p>
<p>Russia is fast becoming an area where cyber-attacks are launched since its broadband and mobile data penetration is increasing so quickly. In Russia alone over the last three years, broadband customer growth is more than 110 percent, or just under 30 percent per year. Russia’s 3G mobile broadband service providers grew from just over 1.5M customers at the end of 2008 to nearly 16M at the end of 2011. With growth comes a promising market for hacking and theft. In fact, Russia was just reported by Microsoft as the third most malware-infected country in the world.</p>
<p>Nominum’s solutions will help service providers in Russia manage the most pressing issues they face today, including:</p>
<ul>
<li><em>Reducing outbound spam</em> – preventing the inadvertent blocking of legitimate consumer and business email due to blacklisting of a service provider’s network</li>
<li><em>Identifying and protecting infected subscribers</em> – protecting end-users on fixed or mobile networks from data theft and reducing the risk of network downtime due to botnet attacks</li>
<li><em>Preventing phishing and malware</em> – proactively warning end-users <strong>before</strong> they get infected with malware</li>
<li><em>Filtering illegal content</em> – preventing users from accessing prohibited content such as child sexual abuse</li>
<li><em>Managed security</em> – protecting enterprises from theft of confidential customer information or intellectual property</li>
</ul>
<p>The foundation of these solutions is Nominum’s market-leading DNS engines. The advanced security capabilities and leading performance eliminate risk of network downtime while improving the subscriber experience by reducing DNS latency 50-70%.  Other unique innovations include the ability to log massive volumes of DNS data in real-time without degrading performance, built-in anti-DDoS protections and the ability to apply unique policies for millions of households on a single server.</p>
<p>“Our legacy began when our Chief Scientist, Paul Mockapetris, invented DNS.  As a company, we have focused on evolving DNS from a protocol to an efficient network infrastructure tool that provides high performance and security, to a necessary business tool that addresses the most pressing issues that fixed and mobile service providers face today,” said Craig Sprosts, GM Security Solutions. “We are excited to bring our tested solutions to the fast-changing Russian broadband market, and help service providers here generate more revenue while protecting Internet users.”</p>
<p>In addition to the suite of security solutions, Nominum will also offer the other solutions built for fixed broadband and mobile service providers. These solutions are built on the same three-tiered architecture and are designed to solve a variety of non-security issues such as device provisioning, mobile spectrum efficiency, broader network and subscriber visibility, and more. These solutions have gained worldwide acceptance and adoption and are now going to be available throughout the Russia and CIS markets.</p>
<p><strong>About Nominum </strong></p>
<p>Nominum is the leading provider of integrated DNS-based solution applications for service providers.  As the leader in DNS technology for the past decade, we have evolved DNS to become a necessary strategic tool for service providers to help address some of the most pressing challenges they face today.  Supporting more than 500 million Internet users worldwide, our DNS-based three-tiered architecture of applications allows service providers to provide differentiated services while meeting their needs for security, network performance and low latency with cost efficiency and agility. Nominum is a global organization headquartered in Redwood City, CA.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/press-release/2012/russia-security-launch/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cel-e-brate v6, Come On!</title>
		<link>http://www.nominum.com/dns/celebrate-v6</link>
		<comments>http://www.nominum.com/dns/celebrate-v6#comments</comments>
		<pubDate>Mon, 14 May 2012 18:12:00 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[Broadband Networks]]></category>
		<category><![CDATA[DHCP]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[IPv6]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11372</guid>
		<description><![CDATA[Craig Sprosts GM, Fixed Broadband Solutions Nominum With IPv6 World Launch coming up it’s worth pausing to consider the collective efforts of the Internet industry in enabling and deploying an essential evolutionary technology at what will become truly massive scale. It’s easy to be a detractor and believe there has been little progress – but [...]]]></description>
			<content:encoded><![CDATA[<p>Craig Sprosts<br />
GM, Fixed Broadband Solutions<br />
Nominum</p>
<p>With IPv6 World Launch coming up it’s worth pausing to consider the collective efforts of the Internet industry in enabling and deploying an essential evolutionary technology at what will become truly massive scale. It’s easy to be a detractor and believe there has been little progress – but the Internet hasn’t melted down and there is no evidence it is about to.  Perhaps the issue is that progress occurred in a different way than was predicted or preferred by the experts.  The reality is providers everywhere have developed coping mechanisms for IPv4 exhaustion.  Innovation, operational sweat, and perhaps some tough negotiating make it happen.  But isn’t that the essence of the Internet?</p>
<p>Thought leaders across the industry are focusing on transition topics that matter:  from economic lifecycles, security, and business continuity to the promising future of the Internet of Things. This is what drives most of us, and those on the front lines in the IPv6 evolution have every right to rise up and celebrate.  It’s not only a great technological milestone, but a testament to their collective abilities to work together for the greater good of the connected planet.</p>
<p>Today’s Internet is the foundation for everything we do and the IPv6 Internet will be too but unfortunately some things never change.  While the majority have been busy working on IPv6 for the greater good, evidence makes clear we’re likely to come face to face with a growing number of technologists (aka criminals) with malicious intentions.   IPv6 hinders them in some ways, but helps them in others.  If you have any doubts, a quick search will show a growing number of software tools intended to break or exploit IPv6.  Everything we build offers potential for those who are malicious to use their skills for disruption. Security is a continuum and experience suggests it might be worth some cycles to make sure your IPv6 project does not end up on your CEO’s shortlist of things that keep them up at night.</p>
<p>Preparing for the transition requires looking beyond just software support and interoperability testing to identifying strategic partners and understanding the long-term cost of ownership.  If IPv6 is important to your future you owe it to your business, investors and customers to make sure you have the best technology but are also on the right path with the best, forward looking partners.  It’s refreshing to see that on the Internet, as has always been the case, a global initiative can transcend the boundaries of political, social, and economic agendas.  Maybe we can all even learn a lesson or two from IPv6 on how to tackle some of the critical long-term social and economic challenges facing the world today.</p>
<p>Want to learn more about the transition to IPv6? Join us at our webinar on May 30. <a href="http://learn.nominum.com/ipv6-webinar" target="_blank">Click here.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/celebrate-v6/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nominum Sets New Record for Network Speed and Efficiency</title>
		<link>http://www.nominum.com/press-release/2012/record-for-speed-and-efficiency</link>
		<comments>http://www.nominum.com/press-release/2012/record-for-speed-and-efficiency#comments</comments>
		<pubDate>Mon, 07 May 2012 06:00:37 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[2012]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11195</guid>
		<description><![CDATA[New DNS Caching Engine Release Surpasses One Million Queries Per Second, Providing A More Powerful Engine For Nominum’s Three-Tiered DNS Architecture Redwood City, Calif. – May 7, 2012 — More than 500 million users depend on Nominum-powered networks around the world every day.  Fixed broadband and mobile service providers look to Nominum for its three-tiered [...]]]></description>
			<content:encoded><![CDATA[<p><em>New DNS Caching Engine Release Surpasses One Million Queries Per Second, Providing A More Powerful Engine For Nominum’s Three-Tiered DNS Architecture </em></p>
<p>Redwood City, Calif. – May 7, 2012 — More than 500 million users depend on Nominum-powered networks around the world every day.  Fixed broadband and mobile service providers look to <a href="http://www.nominum.com/">Nominum</a> for its three-tiered network architecture: the engines, which are about speed and efficiency, platforms to enable analytics and network and subscriber services, and applications that range from subscriber safety to parental controls.  Nominum’s Vantio DNS Caching engine is now producing performance results exceeding 1 million DNS queries per second – creating the highest performance available for our carrier-grade engine that has powered the world’s largest networks for over a decade.  Nominum engines now exceed the requirements of the most extreme networks being deployed today, and run on standard, off-the-shelf appliances (no special hardware is needed).</p>
<p>“We’re pleased to be the first to reach the ‘1 million queries per second’ milestone, but have always recognized performance is just one part of the answer,” said Gary Messiana, CEO of Nominum. “Network operators must improve efficiency, differentiate their offerings and increase agility to succeed in their hyper-competitive markets.  With Vantio DNS Caching serving as a core engine, we also deliver the network services, subscriber services and analytics that are critical to network operators’ future successes.”</p>
<p>With the latest Vantio release, Nominum’s platform allows service providers to rapidly deliver innovative application-based services to control spam, improve subscriber safety, manage botnet activity and much more.   This new approach gives network operators modular platform-based and easy-to-use tools that allow them to quickly release new initiatives and increase revenue by enabling new fee-based subscriber services.  It also provides greater differentiation with a wide variety of applications that can be tailored to each provider’s markets and subscriber bases.</p>
<p>Nominum also recently released updated versions of our DNSPerf and ResPerf, the most widely used free DNS testing tools.  The new versions of DNSPerf and ResPerf can be found <a href="http://www.nominum.com/resources/measurement-tools">here</a>.   Additionally, we have released a white paper that discusses how to use the free DNSPerf and ResPerf tools, along with best practices for testing caching DNS servers.   This paper can be found <a href="http://www.nominum.com/resources/whitepaper">here</a>.</p>
<p>The Nominum Vantio Caching 5.3 release and updated versions of DNSPerf and ResPerf are available now.</p>
<p><strong>About Nominum </strong></p>
<p>Nominum is the leading provider of integrated DNS-based applications and solutions for fixed broadband and mobile service providers.  Following our DNS leadership over the past decade supporting over 500 million Internet users worldwide, we have evolved DNS to become a strategic tool for service providers to help address some of the most pressing challenges they face today.  Our DNS-based three-tiered architecture of engines, platforms and applications allows service providers to provide differentiated services while meeting their needs for subscriber loyalty, analytics, security, and network performance with cost efficiency and business agility. Nominum is a global organization headquartered in Redwood City, CA.</p>
<p>For press inquiries contact:<br />
Margaret Hoerster<br />
312-329-3909<br />
<a href="mailto:margaret@finnpartners.com">margaret@finnpartners.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/press-release/2012/record-for-speed-and-efficiency/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spam from mobile networks? Who woulda thought…</title>
		<link>http://www.nominum.com/dns/spam-from-mobile-networks</link>
		<comments>http://www.nominum.com/dns/spam-from-mobile-networks#comments</comments>
		<pubDate>Wed, 02 May 2012 14:11:59 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Online Safety]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11158</guid>
		<description><![CDATA[By Bruce Van Nice Director of Product Marketing Nominum, Inc. Mobile networks aren’t usually thought of as sources of spam, but a quick look at some of the resources that track spam reveals they actually are.  This is counter intuitive at first glance because when most people think of mobile they think of smartphones, and [...]]]></description>
			<content:encoded><![CDATA[<p>By Bruce Van Nice<br />
Director of Product Marketing<br />
Nominum, Inc.</p>
<p>Mobile networks aren’t usually thought of as sources of spam, but a quick look at some of the resources that track spam reveals they actually are.  This is counterintuitive at first glance because when most people think of mobile they think of smartphones, and those aren’t known to be sources of spam (at least not yet).  What’s really going on is that PCs connected to mobile networks with air cards, or tethered with a smartphone where it’s permissible, are the culprits.  Bot-infected PCs aren’t at all uncommon, and of course bots don’t especially care if they’re using a costly mobile data service to send their spam.</p>
<p>This problem is serious enough that some mobile networks regularly hit blocklists. These operators have a few issues.  First off, their customers may discover their mail service doesn’t work reliably when organizations using the blocklist refuse <em>all</em> mail from the infected network.  Second, and more important, spam is useless and the wireless spectrum and bandwidth it consumes have to be considered wasted.  Mobile operators might be tempted to think the bandwidth isn’t really wasted, because their subscribers are paying for it as part of their data plan.  But there is an obvious customer satisfaction issue with this argument – it’s always contentious when a subscriber exceeds the limit on their data plan and has to pay a significant premium for additional bandwidth.  And it’s important to remember most end users are completely unaware their machine(s) are infected, so they have no idea the bandwidth they are paying for is even being used.</p>
<p>Mobile operators have rightfully prided themselves on the security of their networks.  But the presence of infected PCs and other devices connected to mobile networks, and the openness of current-generation smartphones, introduce new exposures to spam and other exploits that pervade fixed broadband networks. There’s a great opportunity to change this dynamic and turn a negative into a positive.  There are now simple ways to manage bots and the problems they create – sending spam, stealing personal information and more.  The DNS can easily be employed to disrupt communication channels between infected PCs and the control systems bots rely on to send their instructions – effectively preventing spam from being sent.  MX queries from infected hosts can also be blocked to prevent spam from being sent, or redirected to special mail gateways where the messages can be handled according to operator policies.  These techniques don’t introduce any latency, overhead or new equipment in the network.</p>
<p>This solution is a win-win for network operators and their customers. Precious mobile resources aren’t wasted and customers aren’t unknowingly paying to send useless spam.   Because the solution is based in the network, end users don’t have to manage anything – another big plus given the increasing frustration end users have about administering their own security.</p>
<p>Recently the FCC and some of the largest US service providers agreed to a voluntary code of conduct to minimize cyber threats. <a title="FCC Webinar" href="http://learn.nominum.com/fcc-webinar" target="_blank">Join us at our webinar on May 10</a> as our guest presenter, Peter Coroneos, the former CEO of the Internet Association of Australia, will talk about his experience and best practices in implementing a similar code in Australia.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/spam-from-mobile-networks/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Leveraging DNS for Subscriber Loyalty</title>
		<link>http://www.nominum.com/dns/leveraging-dns-for-subscriber-loyalty</link>
		<comments>http://www.nominum.com/dns/leveraging-dns-for-subscriber-loyalty#comments</comments>
		<pubDate>Wed, 25 Apr 2012 18:04:38 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[Broadband Networks]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Online Safety]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11146</guid>
		<description><![CDATA[By Keith Oborn Sr. Infrastructure Engineer Nominum, Inc. This blog has talked a lot about how the DNS can provide network-based security, and how DNS is in the best position to detect malware traffic before it does any harm. But what does this mean for end users? How does it make their online lives easier [...]]]></description>
			<content:encoded><![CDATA[<p>By Keith Oborn<br />
Sr. Infrastructure Engineer<br />
Nominum, Inc.</p>
<p>This blog has talked a lot about how the DNS can provide network-based security, and how DNS is in the best position to detect malware traffic before it does any harm.</p>
<p>But what does this mean for end users? How does it make their online lives easier and more secure?</p>
<p>DNS servers that are aware of sites that host malware, perform phishing activities (harvesting bank details, for instance) and other nefarious misbehaviors can prevent end users from ever going to those sites. Remember, most of the time end users don&#8217;t deliberately visit dubious sites; they do so accidentally, either because they mistyped the name of a site or because they clicked on a malicious link on a web page. In all these cases, an intelligent DNS server can simply redirect end users to pages that inform them that the site they tried to visit is potentially harmful.</p>
<p>Why is this better than using one of the traditional security software packages? Well, first off, end users didn&#8217;t have to download and install anything. They don&#8217;t have to worry about keeping the software and site lists up to date, and there&#8217;s nothing slowing their PCs down. Even better, in most cases all the devices in a home use the same &#8220;Security Aware&#8221; DNS server, so they’re all protected – even the games console in the teenager&#8217;s bedroom.  Traditional security software packages don’t reach many of these things.</p>
<p>However, there are other ways malware can creep into the home – a laptop gets infected while on the road, someone is a bit incautious with a USB stick, and so on.</p>
<p>The purpose of malware is either to intercept data and observe the activities on PCs where it&#8217;s installed, or to use a PC&#8217;s resources to spread and provide a &#8220;botnet&#8221; for attacks on other parties on the Internet. In all cases, malware needs to communicate with a central point at some stage (called “command and control”) to upload captured data, spread itself, or get instructions for the next attack. It uses the DNS to do this, so the DNS server will know where it intends to go before it actually goes there!</p>
<p>This means DNS servers can do several things to help: for known malware, they can block access to botnet command and control systems, thereby preventing the malware from doing any work.  If the malware spreads itself by email (or if its job in life is to generate spam), the DNS server can detect the high rate of DNS &#8220;MX&#8221; (mail) queries, and in many cases recognize a pattern, and even prevent emails from being sent.</p>
<p>When a PC is discovered to be infected with malware, the DNS server can redirect all queries from the infected PC to a warning web page with sources of disinfection software and other services.</p>
<p>DNS servers with fine-grained reporting capabilities can even be used to create web-based reports showing end users, for instance, the &#8220;bad&#8221; sites they’ve been protected from.  These kinds of systems can be extended to allow individual users to add their own entries to the lists of &#8220;bad&#8221; sites, basically giving them their own personalized security service – the DNS server responds to their queries (and only theirs) according to their security lists and preferences.</p>
<p>All of this means ISPs can improve the user&#8217;s experience and customer relations, potentially generate extra revenue, and reduce churn.  With a platform-based approach, it can be done incrementally, aligned with other business initiatives.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/leveraging-dns-for-subscriber-loyalty/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nominum Chairman and Chief Scientist, Dr. Paul Mockapetris Inducted into the Internet Hall of Fame</title>
		<link>http://www.internethalloffame.org/inductees/paul-mockapetris</link>
		<comments>http://www.internethalloffame.org/inductees/paul-mockapetris#comments</comments>
		<pubDate>Tue, 24 Apr 2012 11:14:46 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[2012]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11141</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[]]></content:encoded>
			<wfw:commentRss>http://www.internethalloffame.org/inductees/paul-mockapetris/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nominum and Nixu Software to Deliver Centralized DNS and DHCP Management Solution</title>
		<link>http://www.nominum.com/press-release/2012/nominum-and-nixu</link>
		<comments>http://www.nominum.com/press-release/2012/nominum-and-nixu#comments</comments>
		<pubDate>Tue, 24 Apr 2012 11:11:05 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[2012]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11137</guid>
		<description><![CDATA[Nominum, the leading provider of DNS- and DHCP-based applications and solutions for service providers, and Nixu Software, the leading vendor of sophisticated DNS, DHCP and IP Address management solutions, have today announced an agreement to create a new Centralized DNS and DHCP Management solution augmenting Nominum&#8217;s existing product portfolio. The joint solution will provide the [...]]]></description>
			<content:encoded><![CDATA[<p>Nominum, the leading provider of DNS- and DHCP-based applications and solutions for service providers, and Nixu Software, the leading vendor of sophisticated DNS, DHCP and IP Address management solutions, have today announced an agreement to create a new Centralized DNS and DHCP Management solution augmenting Nominum&#8217;s existing product portfolio. The joint solution will provide the industry&#8217;s only carrier-class DNS and DHCP platform integrated with best-of-breed DNS and DHCP management capabilities.</p>
<p>Within this agreement, the two companies will combine their world-class expertise to introduce a next-generation Centralized DNS and DHCP Management solution for Nominum Caching DNS (Vantio), Authoritative DNS (ANS) and DHCP (DCS) servers. The re-branded product will support centralised configuration of DNS and DHCP server clusters. This is in addition to the DNS management automations found in generally available versions of Nixu Software&#8217;s flagship product, the Nixu NameSurfer Suite.</p>
<p>&#8220;Nixu is an excellent example of a third-party application that can be integrated with our Nominum Platforms and DNS and DHCP Engines smoothly and quickly,&#8221; said Brian McElroy, Vice President of Business Development at Nominum. &#8220;By partnering with Nixu, our three-tier integrated architecture of applications, platforms and DNS and DHCP engines grows stronger and we can provide further differentiation and revenue source possibilities to our customers.&#8221;</p>
<p>&#8220;We have been thrilled to demonstrate our Centralized DNS and DHCP management solution prowess to a thought-leader such as Nominum. With an OEM-installation base that covers 9 out of the 10 largest service providers in the world and a high percentage of Fortune 500, we were ideally positioned to co-operate with Nominum,&#8221; said the Managing Director of Nixu Software, Juha Holkkola.</p>
<p>Nominum is the leading provider of high-value applications and solutions powered by its world-class DNS and DHCP core engines. Nominum&#8217;s DNS and DHCP-based architecture enable fixed and mobile service providers to address the challenges of delivering differentiated services cost-effectively with unparalleled business agility. Nominum currently supports over 500 million Internet users worldwide, meeting the rigorous demands of service providers for subscriber affinity, network performance, security, and low latency. Nominum is a global organization headquartered in Redwood City, California.</p>
<p><a href="http://www.nixusoftware.com/" target="_blank">Nixu Software</a> is the leading vendor of software-based DNS, DHCP and IP Address Management (IPAM) solutions. With its central role in the networking ecosystem, Nixu Software is the preferred partner in DDI OEM arena. It offers the best value in the industry for virtualized, dependable and easy-to-use DDI solutions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/press-release/2012/nominum-and-nixu/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Application Integration into DNS/DHCP Is What Telecom Carriers Will Need Going Forward</title>
		<link>http://itpro.nikkeibp.co.jp/article/Interview/20120416/390969/?ST=network</link>
		<comments>http://itpro.nikkeibp.co.jp/article/Interview/20120416/390969/?ST=network#comments</comments>
		<pubDate>Fri, 20 Apr 2012 17:25:45 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[2012]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11131</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[]]></content:encoded>
			<wfw:commentRss>http://itpro.nikkeibp.co.jp/article/Interview/20120416/390969/?ST=network/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Interview by Telesemana with Doug Miller, GM Mobile Solutions for Nominum</title>
		<link>http://www.nominum.com/mobile/telesemana-lte-latam</link>
		<comments>http://www.nominum.com/mobile/telesemana-lte-latam#comments</comments>
		<pubDate>Thu, 19 Apr 2012 16:02:00 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[2012]]></category>
		<category><![CDATA[Mobile]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11125</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p><iframe src="http://www.youtube.com/embed/TIpe9zaWtDg" frameborder="0" width="560" height="315"></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/mobile/telesemana-lte-latam/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DNS on Defense, DNS on Offense</title>
		<link>http://www.nominum.com/dns/dns-on-defense-dns-on-offense</link>
		<comments>http://www.nominum.com/dns/dns-on-defense-dns-on-offense#comments</comments>
		<pubDate>Wed, 18 Apr 2012 16:52:26 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Online Safety]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11119</guid>
		<description><![CDATA[By Bruce Van Nice Director of Product Marketing Nominum, Inc. Spam is a never-ending problem for service providers.  Unfortunately criminals can still make money at someone else’s expense so they persist in their mindless campaigns.  The DNS is an integral part of well-established techniques for handling incoming spam, so unwanted mail doesn’t get delivered to [...]]]></description>
			<content:encoded><![CDATA[<p>By Bruce Van Nice<br />
Director of Product Marketing<br />
Nominum, Inc.</p>
<p>Spam is a never-ending problem for service providers.  Unfortunately criminals can still make money at someone else’s expense so they persist in their mindless campaigns.  The DNS is an integral part of well-established techniques for handling incoming spam, so unwanted mail doesn’t get delivered to inboxes.</p>
<p>The other side of the problem is stopping outbound spam at its source, so it never leaves the network where it originates. Providers are interested in this for a bunch of reasons: if their network hits a blocklist it can prevent <em>all</em> emails from being received by organizations that use the blocklist. This diminishes the provider’s reputation in the eyes of their peers &#8211; both literally and figuratively!  There is also very real damage to the brand and typically real costs associated with support calls from unhappy users, lost customers, and wasted network resources.</p>
<p>Techniques for controlling outbound spam have mostly focused on managing port 25 traffic, but it’s also possible to control outbound spam with the DNS.  Since most spam today is sent by bot-infected hosts it’s straightforward to use the DNS to identify which hosts on a network are communicating with known botnet command and control systems.  It’s equally easy to block these communication channels so infected systems can’t get any instructions, so they can’t send any spam.  MX queries from infected hosts can also be blocked to prevent spam from being sent, or redirected to a mail gateway where the messages can be handled according to operator policies.</p>
<p>These two simple techniques can eliminate a huge proportion, up to 90%, of outbound spam with minimal false positives.  The impact on the DNS is minimal – and there is no need for additional equipment in the network, such as appliances.  <a href="http://learn.nominum.com/outboundspam" target="_blank">Nominum is hosting a webinar on this topic on April 24, 2012.</a>  It will provide details on the two techniques summarized above and describe how the solution can be deployed.  Real-world data from two ISPs who have implemented this approach will be discussed, as well as the advantages and disadvantages of this approach versus other techniques such as port 25 blocking or DPI.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/dns-on-defense-dns-on-offense/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Organize DNS in the Interests of the Blogosphere</title>
		<link>http://www.nominum.com/wp-content/uploads/Nominum_article_final.pdf</link>
		<comments>http://www.nominum.com/wp-content/uploads/Nominum_article_final.pdf#comments</comments>
		<pubDate>Tue, 17 Apr 2012 17:14:45 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[2012]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11129</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/wp-content/uploads/Nominum_article_final.pdf/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nominum talks with two British operators ‘are into later stages’</title>
		<link>http://www.mobilenewscwp.co.uk/2012/04/nominum-talks-with-two-british-operators-are-into-later-stages/</link>
		<comments>http://www.mobilenewscwp.co.uk/2012/04/nominum-talks-with-two-british-operators-are-into-later-stages/#comments</comments>
		<pubDate>Thu, 12 Apr 2012 19:45:50 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[2012]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11114</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[]]></content:encoded>
			<wfw:commentRss>http://www.mobilenewscwp.co.uk/2012/04/nominum-talks-with-two-british-operators-are-into-later-stages/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CEO Gary Messiana, Interviewed on bnetTV.com at Mobile World Congress</title>
		<link>http://www.bnettv.com/nominum-gary-messiana/</link>
		<comments>http://www.bnettv.com/nominum-gary-messiana/#comments</comments>
		<pubDate>Thu, 29 Mar 2012 12:04:03 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[2012]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11074</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[]]></content:encoded>
			<wfw:commentRss>http://www.bnettv.com/nominum-gary-messiana/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Driving DNSSEC</title>
		<link>http://www.nominum.com/dns/driving-dnssec</link>
		<comments>http://www.nominum.com/dns/driving-dnssec#comments</comments>
		<pubDate>Wed, 21 Mar 2012 17:28:38 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[Broadband Networks]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[DNSSEC]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11017</guid>
		<description><![CDATA[By Bruce Van Nice Director of Product Marketing Nominum, Inc. DNSSEC continues to gain momentum as network operators and domain owners watch and learn from early adopters.   The learning process is made easier by efforts such as the ongoing work conducted by researchers at Sandia labs to methodically identify and categorize the kinds of problems [...]]]></description>
			<content:encoded><![CDATA[<p>By Bruce Van Nice<br />
Director of Product Marketing<br />
Nominum, Inc.</p>
<p>DNSSEC continues to gain momentum as network operators and domain owners watch and learn from early adopters.   The learning process is made easier by efforts such as the ongoing work conducted by researchers at Sandia labs to methodically identify and categorize the kinds of problems that are occurring.</p>
<p>The early experience has validated the need for integration of all the functions needed for DNSSEC.  It’s not realistic to expect DNS administrators to pull together all the piece parts that are needed. Automation is also essential: if technically astute organizations are tripped up by mandatory maintenance and intricate processes (like rolling over Key Signing Keys), then others will be too.</p>
<p>Evidence of the value of better tools can be found out in the marketplace.  <a title="Will 2012 be the dawn of DNSSEC?" href="http://www.networkworld.com/news/2012/011812-dnssec-outlook-255033.html?page=1" target="_blank">Comcast recently promoted their deployment of DNSSEC across their network of more than 18 million subscribers and signing of more than 5000 domains.</a> They’ve demonstrated DNSSEC can be deployed at massive scale by taking advantage of better DNS software.  Adoption of every new technology accelerates when a major player takes the lead; a large-scale deployment validates what is possible and positions DNSSEC at the base of the power curve.</p>
<p>DNSSEC has also been on the agenda at the United States Federal Communications Commission (FCC).  In a recent speech Julius Genachowski, Chairman of the FCC, not only urged service providers to take voluntary action to deter the spread of botnets, he also urged them to adopt DNSSEC.</p>
<p>ISPs that adopt DNSSEC, Genachowski said, <em>&#8220;can provide a real and tangible benefit to the consumers and businesses that rely on them.&#8221; </em>He pushed ISPs to implement it<em> &#8220;as soon as possible.&#8221;</em></p>
<p>Directly from his speech:<em> “If they adopt DNSSEC, ISPs can provide a real and tangible benefit to the consumers and businesses that rely on them. DNSSEC is ready to be implemented. Indeed, at least one major U.S. ISP has already completed implementation of DNSSEC.” </em></p>
<p align="left">As security becomes a part of brand equity, service providers and domain owners everywhere will recognize the value of improving their stature.  Leadership on the part of large ISPs demonstrates that with the right tools even complex technologies like DNSSEC can be deployed and deliver real benefits to end users.  Better still, security does not have to exist in isolation but can be part of a larger strategy that incorporates other business-enhancing initiatives such as subscriber loyalty and business intelligence.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/driving-dnssec/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#8216;DNS Changer&#8217; Fallout</title>
		<link>http://www.nominum.com/dns/dns-changer-fallout</link>
		<comments>http://www.nominum.com/dns/dns-changer-fallout#comments</comments>
		<pubDate>Thu, 15 Mar 2012 16:06:13 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[Online Safety]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=11004</guid>
		<description><![CDATA[The situation surrounding DNS Changer highlights some interesting issues.  Unless end users remove DNS Changer malware from their machines, those machines will always try and connect to the DNS server addresses encoded in the malware.   Today they’ll connect to “clean” DNS servers that replaced the hackers DNS servers as a result of a court order.  [...]]]></description>
			<content:encoded><![CDATA[<p>The situation surrounding DNS Changer highlights some interesting issues.  Unless end users remove DNS Changer malware from their machines, those machines will always try to connect to the DNS server addresses encoded in the malware.   Today they’ll connect to “clean” DNS servers that replaced the hackers’ DNS servers as a result of a court order.  But those servers are unlikely to remain in place.   This means at some point infected machines will lose their Internet connectivity.</p>
<p>To prevent this from happening, ISPs quickly initiated outreach programs to inform users infected with DNS Changer malware that they needed to remove it, or their Internet service would cease to work properly.  The interesting thing is that even when faced with disruption of their Internet service, many end users were unwilling, or unable, to help themselves.</p>
<p>This has substantial implications for ISPs.  For instance, there are obvious costs for support calls, and in some cases there could be a flood of calls because when the clean DNS servers are unplugged end users will feel the impact immediately – potentially within seconds.   Calls related to DNS Changer could be especially costly since removing it is non-trivial; it might be necessary to provide extra assistance to more subscribers than usual to ensure it’s done properly.</p>
<p>Equally important is brand damage – some percentage of subscribers will unfairly blame their service provider for the problem DNS Changer causes no matter what (and in spite of numerous notifications they may have received!).  These significant lingering impacts of DNS Changer and future malware that will inevitably replicate it underscore the need for new solutions.</p>
<p>So what else can be done if end users can’t always be depended on to respond quickly (or at all) when an infection needs to be removed from their machines?  In medicine diseases can be <em>treated</em> with antibiotics and drugs, but many diseases can also be <em>prevented</em> altogether with vaccines or other methods.  In networks a similar approach can be employed.   Network operators can supplement existing processes for identifying and treating malware with additional protections that help prevent infections in the first place.</p>
<p>Increased emphasis on preventative medicine to deter malware, like annual flu shots, will yield disproportionate returns – especially as malware evolves and creates more problems that are visible to end users.  Deployed as part of a broader platform strategy, additional subscriber and network protections can also support broader goals to reduce operational costs and promote subscriber loyalty.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/dns-changer-fallout/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Volunteer Army for Defeating Botnets</title>
		<link>http://www.nominum.com/dns/a-volunteer-army-for-defeating-botnets</link>
		<comments>http://www.nominum.com/dns/a-volunteer-army-for-defeating-botnets#comments</comments>
		<pubDate>Thu, 08 Mar 2012 15:06:58 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[DNSSEC]]></category>
		<category><![CDATA[Internet Governance/Net Neutrality]]></category>
		<category><![CDATA[Online Safety]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10977</guid>
		<description><![CDATA[Governments around the world are starting to pay attention to botnets and the damage they can inflict.  Recently the Chairman of the US Federal Communications Commission (FCC), Julius Genachowski, called for action to address the bot problem and improve Internet security. Several quotes from an article in PC magazine , and directly from the Chairman’s [...]]]></description>
			<content:encoded><![CDATA[<p>Governments around the world are starting to pay attention to botnets and the damage they can inflict.  Recently the Chairman of the US Federal Communications Commission (FCC), Julius Genachowski, called for action to address the bot problem and improve Internet security.</p>
<p>Several quotes from an <a title="FCC Pushes ISPs to Fight Botnets, Other Cyber-Security Threats" href="http://www.pcmag.com/article2/0,2817,2400587,00.asp" target="_blank">article in PC magazine</a>, and directly from the Chairman’s <a title="Chairman's Remarks on Cybersecurity at Bipartisan Policy Center" href="http://www.fcc.gov/document/chairmans-remarks-cybersecurity-bipartisan-policy-center" target="_blank">speech</a>, capture the issues the FCC is concerned about.</p>
<p><em>&#8220;For the average consumer, the consequences can be equally devastating,&#8221; </em>Genachowski said.<em> &#8220;Bots are used to relay massive amounts of spam. Bots can be used to steal passwords and financial information, putting an individual&#8217;s identity at risk.&#8221;</em></p>
<p>The chairman called on ISPs to increase customer awareness about botnets and how they can spot an infected machine. <em>&#8220;I&#8217;m calling on all ISPs, working with other stakeholders, to develop and adopt an industry-wide Code of Conduct to combat the botnet threat and protect the public,&#8221;</em> Genachowski said.</p>
<p>He pointed to Comcast and CenturyLink, which have implemented bot mitigation measures: <em>&#8220;If other ISPs employed similar best practices, it could significantly reduce the botnet threat,&#8221;</em> the Chairman said,<em> “…ISPs can play a significant role in the battle against botnets. They can increase customer awareness so that users can look for signs that their computers are being used as bots, detect infections in customers’ computers, notifying customers when their computers have become infected, and offer remediation support. Of course, ISPs can and must do this in a way that does not compromise consumers’ privacy.”</em></p>
<p>The FCC Chairman’s proposal for a <em>voluntary</em> Code of Conduct is a great alternative to formal government mandates that force ISPs to comply with “one size fits all” regulations.  Service providers have a far better understanding of security technologies that offer them the most leverage given the unique requirements of their customers and networks.</p>
<p>A voluntary approach also lets providers reconcile the disparate objectives driving their business – reducing operations costs, differentiating, and improving agility – rather than being constrained by mandated point solutions that will quickly become obsolete in the face of extremely fast changing problems.  Done right they can adopt platform oriented strategies that potentially even allow them to address other business priorities like increasing subscriber loyalty.</p>
<p>Voluntary approaches have been adopted elsewhere.  In Australia the Internet Industry Association (IIA) adopted a voluntary Code of Practice to combat botnets several years ago.  In Germany, eco, another Internet industry association, worked with government on a botnet mitigation initiative.  This could become a common model worldwide and deter costly regulatory mandates.</p>
<p>As bots and the problems they cause become more apparent to the average person, Internet users are going to look to their ISPs for help.  Providers have a great opportunity to demonstrate leadership while reinforcing their commitment to subscribers and removing a liability that can adversely impact their networks.  Security will become part of their brand equity, leading to an enlightened strategy that incorporates other business enhancing initiatives.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/a-volunteer-army-for-defeating-botnets/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Best practices for securing the DNS infrastructure</title>
		<link>http://www.nominum.com/dns/best-practices-for-securing-the-dns-infrastructure</link>
		<comments>http://www.nominum.com/dns/best-practices-for-securing-the-dns-infrastructure#comments</comments>
		<pubDate>Tue, 28 Feb 2012 14:25:03 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[Broadband Networks]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10959</guid>
		<description><![CDATA[Like any critical part of network infrastructure, securing recursive DNS requires a layered approach. All the points of entry into the system &#8211; the console(s), network, etc need to be protected.  Before we look at the types of protection we need to consider the various types of attacks against recursive DNS server infrastructure, they can [...]]]></description>
			<content:encoded><![CDATA[<p>Like any critical part of network infrastructure, securing recursive DNS requires a layered approach. All the points of entry into the system &#8211; the console(s), network, etc. &#8211; need to be protected.  Before we look at the types of protection, we need to consider the various types of attacks against recursive DNS server infrastructure. They can be broadly categorized based on the attack target:</p>
<ul>
<li>DoS/DDoS attacks targeted at bringing down recursive DNS servers. These attacks max out the server processing capacity and bring down the service altogether or noticeably impair it for some set of users.</li>
<li>Attacks that modify DNS data.  Also known as “cache poisoning”, these attacks alter data in the DNS cache so users are re-directed to fake web sites that can be used to harvest personal information or cause other damage to users.</li>
</ul>
<p><strong><span style="text-decoration: underline;">5 tips for securing recursive DNS infrastructure  </span></strong></p>
<p>In this article we focus on the former category of attacks: protecting against DoS/DDoS attacks that can bring down or impair DNS performance.</p>
<p style="padding-left: 30px;">1. Set ACLs to filter out queries from clients that shouldn’t be accessing your DNS.  Most recursive DNS servers have a mechanism to set ACLs to only accept queries from users that belong to your network. By specifying the IP address ranges of clients that are allowed to query the DNS server, queries from clients that shouldn’t be accessing it, and that may be trying to bring down the caching DNS server, will be filtered out. This is a first level of defense against DoS attacks.</p>
<p style="padding-left: 30px;">2. Filtering policies should also be set at the subscriber edge (such as at DSLAM for DSL networks) to ensure subscribers can’t spoof an address and launch an attack on the DNS or any other network resource.   There are various names for this capability but it amounts to doing a unicast reverse path forwarding (URPF) check at the edge of the network so subscribers can’t spoof addresses.  This prevents a whole range of attacks.</p>
<p style="padding-left: 30px;">3. Set policies to rate limit DNS queries, on a per subscriber basis.  This is a feature of some DNS servers.  If it’s not available in your DNS server it may be possible to enforce DNS rate limiting policies in the network security infrastructure.</p>
<p style="padding-left: 30px;">4. When a DNS query can’t be answered from the cache, a recursive lookup needs to be performed to go and get an answer from the proper authoritative server on the Internet.   Several DoS attacks query for random domains, which are not in the cache, to force the DNS server to do a lot more work. Increasing the number of recursion contexts in the DNS can be used to temporarily “absorb” attacks that try to max out the recursion contexts. This also provides a longer time window to mitigate the attack.</p>
<p style="padding-left: 30px;">5. Last but not least, it’s important to periodically monitor and define alerts to get automatic notification if there is a sudden spike in DNS queries or recursion contexts above the normal values. Attacks often show up in these “spikes” and early detection of the problem is the first step to mitigation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/best-practices-for-securing-the-dns-infrastructure/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Nominum Launches World&#8217;s First Purpose-built Suite of DNS-based Solutions for Mobile Operators</title>
		<link>http://www.nominum.com/press-release/mobile-solutions</link>
		<comments>http://www.nominum.com/press-release/mobile-solutions#comments</comments>
		<pubDate>Mon, 27 Feb 2012 01:00:47 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[2012]]></category>
		<category><![CDATA[Press Release]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10932</guid>
		<description><![CDATA[New Nominum Mobile Suite Specifically Designed To Enable Mobile Providers To Achieve Competitive Differentiation,  Network Efficiency and Business Agility BARCELONA – February 27, 2012 — Nominum, the worldwide leader in network-based solutions and applications for service providers powered by its world-class Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) core engines today announced [...]]]></description>
			<content:encoded><![CDATA[<p align="center"><em>New Nominum Mobile Suite Specifically Designed To Enable Mobile Providers To Achieve Competitive Differentiation,  Network Efficiency and Business Agility</em></p>
<p><strong>BARCELONA – February 27, 2012</strong> — Nominum, the worldwide leader in network-based solutions and applications for service providers powered by its world-class Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) core engines, today announced its expanding presence into the mobile broadband arena with the introduction of a new Nominum Mobile Suite™, the first-ever purpose-built suite of solutions specifically designed for the changing needs of today’s mobile providers.</p>
<p>Mobile service providers today are under the dual pressures of ever-increasing demands for data and traffic and the need to differentiate and adapt quickly. The Nominum Mobile Suite features high-value applications to help mobile providers increase revenue, reduce churn and ultimately protect their brands – all the while making the most efficient use of their most finite resource – wireless spectrum. The launch of the Nominum Mobile Suite is grounded in the Nominum legacy in DNS solutions that started with founder and chief scientist Dr. Paul Mockapetris and updates it for the pace of today’s mobile Internet.</p>
<p>“Market conditions, especially the mobile data explosion and the migration to 4G, require providers to evolve their business models for the future while keeping up with the demands of today,” said Doug Miller, General Manager of Mobile Solutions for Nominum. “Nominum Mobile Suite is an integrated approach to helping carriers unlock the secrets to their most valuable asset – network traffic – to become more efficient, differentiated and agile.”</p>
<p>The Nominum Mobile Suite is built upon Nominum’s expertise in delivering high-value applications for leading fixed broadband operators. Applied to mobile, these applications support core functions around multiple mobile-specific network interfaces such as Gi, Gn and Gp DNS.  The Suite helps providers achieve differentiation, efficiency and agility by addressing four predominant provider business needs. The Suite includes:</p>
<ul>
<li><strong>Mobile Packet Core</strong> – This first-of-its-kind solution offers seamless integration of standard caching and authoritative DNS services into a single holistic and efficient solution for both 3G and 4G networks.</li>
<li><strong>Network and Service Visibility</strong> – As networks advance and mobile customers consume more data, the need for visibility increases. This solution provides mobile service providers with anywhere/anytime access to the wealth of information generated by their network.</li>
<li><strong>Subscriber Affinity </strong>– Leveraging the DNS platform, this solution enables providers to create network-based, value-added functions, from security from viruses and phishing attacks to parental controls and scheduling tools to enhanced end-user applications, which can improve subscriber experience and ultimately, improve loyalty.</li>
<li><strong>Spectrum Efficiency </strong>– In addition to decreasing latency, this solution also manages wireless spectrum by preventing malicious activity, enabling providers to quarantine abusive or infected customers, and addressing other forms of anomalous traffic.</li>
</ul>
<p>“Nominum has a history of success with fixed and mobile service providers and a depth of products that led to the formation of a dedicated mobile solutions group and the release of the Nominum Mobile Suite,” said Nominum CEO Gary Messiana. “The Nominum Mobile Suite for the first time integrates our innovative applications around the DNS so mobile providers can adapt to market conditions today and in the future while also addressing the specific challenges they face in the coming years.”</p>
<p>For more information about Nominum Mobile Suite, visit <a href="../mobile">www.nominum.com/mobile</a>.</p>
<p><strong>About Nominum </strong></p>
<p>Nominum is the leading provider of high-value network-based solutions and applications powered by its world-class DNS and DHCP core engines. We empower fixed and mobile service providers and OEM technology partners to achieve cost efficiencies and extract the highest value from networks by enabling innovative and differentiated offerings. Nominum currently supports over 500 million Internet users worldwide, meeting the rigorous demands of service providers and enterprises for subscriber affinity, network performance, security, and low latency. Nominum is a global organization headquartered in Redwood City, CA.</p>
<p><strong>For press inquiries contact:</strong></p>
<p>Amy Farrell<br />
Finn Partners<a href="mailto:Nominum@finnpartners.com"><br />
Nominum@finnpartners.com</a><br />
+1-214-250-4995</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/press-release/mobile-solutions/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DNSSEC Implementation</title>
		<link>http://www.nominum.com/dns/dnssec-implementation</link>
		<comments>http://www.nominum.com/dns/dnssec-implementation#comments</comments>
		<pubDate>Tue, 21 Feb 2012 15:40:50 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[DNSSEC]]></category>
		<category><![CDATA[gTLDs]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10869</guid>
		<description><![CDATA[By: Ralf Weber, Sr. Infrastructure Architect, Nominum, Inc. I first became familiar with DNSSEC around 2002 when it was a feature of the Bind9 server, which I was using to set up a new authoritative DNS platform for customers of the ISP I was working for. I looked at it briefly, decided it was too complex [...]]]></description>
			<content:encoded><![CDATA[<p>By: Ralf Weber, Sr. Infrastructure Architect, Nominum, Inc.</p>
<p>I first became familiar with DNSSEC around 2002 when it was a feature of the Bind9 server, which I was using to set up a new authoritative DNS platform for customers of the ISP I was working for. I looked at it briefly, decided it was too complex and not worth investigating. A couple of years later a domain of a customer got poisoned in another ISP&#8217;s network. And while the DNS service we provided was working properly, the customer&#8217;s impression was we hadn&#8217;t protected them.</p>
<p>That incident made me rethink my opinion on DNSSEC, which could have prevented the cache poisoning.  Even a couple of years later DNSSEC was still extremely complex, but I was able to educate myself and managed to set up a signed domain; and using their key as trust anchor, did secure resolution.  The whole process was a lot different from the DNS administration we used to have: set up a server, load a zone, and forget about it.  Here&#8217;s what I had to do:</p>
<ul>
<li>Generate keys (best practice is to have at least two)</li>
<li>Sign zones</li>
</ul>
<p>The real work comes from housekeeping, because in cryptography everything has a limited lifetime. The biggest challenge is a lot of stuff has to be done repeatedly:</p>
<ul>
<li>Whenever something changed, zones had to be re-signed</li>
<li>After some time keys expire, so new keys must be generated</li>
<li>Zones then had to be re-signed</li>
<li>Transition the zone from using one key to the other key</li>
</ul>
<p>The last topic alone fills half of the DNSSEC operational RFC which in the most current version is 67 pages long.  Also note, this did not cover the effort to manage trust anchors for caching servers, which is substantial when you don&#8217;t have a signed root. So deploying DNSSEC was possible, but it was a long way from being usable even for an experienced DNS admin.</p>
<p>To make DNSSEC easier there were two main problems that had to be solved:</p>
<p>Most people are aware DNS is a hierarchical system so cryptographically protecting DNS data introduces significant complexity.  With DNSSEC, signatures have to start at the root, and then propagate down to the TLD and so on. It has always been possible to deploy DNSSEC without a signed root but everyone quickly figured out it was very cumbersome for operators of recursive name servers.  This is a major reason why DNSSEC wasn&#8217;t adopted earlier.  It was most definitely lacking &#8220;ease of use&#8221;!</p>
<p>DNS admins and customers/users care about DNS data, they are not interested in the actual wire representation and signatures. Yet all the tools (if you could call them that!) required them to understand everything.</p>
<p>The first problem was solved on the 15th of July 2010 with the root being signed.  Today 77 TLDs are signed and delegated from the root including the biggest gTLD and ccTLD (.com and .de respectively).</p>
<p>The second problem was actually solved even earlier. While working at an ISP I concluded DNSSEC could do some good things, but it needed work. Based on a lot of detailed discussions and feedback a group of engineers at Nominum came up with a great solution.  I first got access to it in 2009 and was pleasantly surprised to see it removed all the configuration complexity (I’ll cover the details in another blog post). Full disclosure: I joined the company about a year later.</p>
<p>With major hurdles for DNSSEC deployment removed, there is no reason not to start deploying it now. Of course rollouts have to be planned, but if you start to set up DNSSEC for your test/lab environment you&#8217;ll see how easy it is with the right tools. If not, talk to us and we&#8217;ll work with you to make it better, and if you have comments or want to discuss DNSSEC deployment send them to <a href="mailto:ralf.weber@nominum.com">ralf.weber@nominum.com</a> and I&#8217;ll be more than happy to work with you.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/dnssec-implementation/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ghosts in the DNS machine</title>
		<link>http://www.nominum.com/dns/ghosts-in-the-dns-machine</link>
		<comments>http://www.nominum.com/dns/ghosts-in-the-dns-machine#comments</comments>
		<pubDate>Tue, 14 Feb 2012 13:07:50 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10864</guid>
		<description><![CDATA[There was an intriguingly named vulnerability revealed this week: Ghost Domains.  A paper describing it can be found here.  A team of researchers in China discovered a way to allow a domain to remain reachable in the DNS even after it has been revoked from a TLD.  It looks like they expended a lot of [...]]]></description>
			<content:encoded><![CDATA[<p>There was an intriguingly named vulnerability revealed this week: Ghost Domains.  A paper describing it can be found <a href="http://www.cs.indiana.edu/classes/b649-gupt/kangLiNDSS12.pdf" target="_blank">here</a>.  A team of researchers in China discovered a way to allow a domain to remain reachable in the DNS even after it has been revoked from a TLD.  It looks like they expended a lot of energy testing their new idea and discovered there are several caching DNS software releases that are vulnerable.</p>
<p>Basically their little trick exercises the algorithms that decide what data gets cached in responses from authoritative DNS servers.   They discovered a way to persuade some caching servers to accept delegation data that would allow someone to revive a domain in the caching server by replacing an about-to-expire entry with a new entry that has a fresh TTL.   By sending standard queries for the target domain an attacker can manipulate the caching server to ensure their domain remains alive.</p>
<p>There are a couple of bits of good news.  First, Nominum Vantio servers are NOT susceptible to this vulnerability.  Vantio source code has been carefully reviewed and testing has confirmed Nominum’s algorithms for determining what DNS data is stored in the cache will NOT store the DNS data that enables this vulnerability.  To capture the technical point:  Vantio never uses authority section data from a zone to update the zone&#8217;s delegation entry.  Or, said another way, Vantio only accepts delegation data from a parent zone.</p>
<p>The other good news is it certainly does not compare with earlier vulnerabilities, like Kaminsky’s in 2008.  It is not cache poisoning; the attacker can only impact domains they control (by controlling authoritative servers for that domain).  It also does not improve the effectiveness of an exploit, but could be used to extend its lifetime.  Perhaps the phishers will rejoice since they are commonly targets of takedowns.</p>
<p>It’s also important to note that since it operates at the caching layer the effectiveness of the vulnerability is bounded by an attacker’s ability to manipulate widely distributed caching servers.  Scale is determined by touching more caching servers so a lone phisher without access to something like a properly trained botnet.</p>
<p>It will be interesting to see whether or not this gets used in the wild.  Perhaps a dejected botmaster will use it to breathe new life into a botnet that has been taken down.  Imagine a self-sustaining botnet, that takes advantage of ghost domains to survive attempts to kill it.  Wouldn’t that be a vampire bot?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/ghosts-in-the-dns-machine/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Best practices for running DNS caching servers</title>
		<link>http://www.nominum.com/dns/running-dns-caching-servers</link>
		<comments>http://www.nominum.com/dns/running-dns-caching-servers#comments</comments>
		<pubDate>Wed, 08 Feb 2012 13:01:52 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10859</guid>
		<description><![CDATA[Your new DNS infrastructure is up and running! Here’s what to watch for, how to monitor, and tips for patches and upgrades. Run DNS process on server &#60; 20% CPU Maximize cache hit ratio by managing the memory cache value Configure recursive Contexts to be at 10-15% of total available RC’s during sustained operation Distribute [...]]]></description>
			<content:encoded><![CDATA[<p>Your new DNS infrastructure is up and running! Here’s what to watch for, how to monitor, and tips for patches and upgrades.</p>
<ul>
<li>Run DNS process on server &lt; 20% CPU</li>
<li>Maximize cache hit ratio by managing the memory cache value</li>
<li>Configure recursive Contexts to be at 10-15% of total available RC’s during sustained operation</li>
<li>Distribute as much as possible</li>
<li>Keep servers as close as possible to subscribers</li>
<li>Use multiple operating systems and hardware types if your operations and deployment methods allow.
<ul>
<li>This is usually hard and could become cost prohibitive
<ul>
<li>Resources that understand multiple OS’s</li>
<li>Multiple operating procedures for support</li>
<li>Varying deployment models</li>
<li>Expensive to operate</li>
</ul>
</li>
<li>Performance metrics could vary based on the OS/hardware type</li>
</ul>
</li>
</ul>
<p>Monitoring: It is very important to keep track of every available system and software metric to keep your environment running at 99.999% uptime.</p>
<ul>
<li>CPU utilization</li>
<li>MEM utilization</li>
<li>DISK utilization</li>
<li>I/O Subsystem stats</li>
<li>Interface statistics</li>
<li>Caching Server Process</li>
<li>Recursive context statistics</li>
<li>Queries per second</li>
<li>Top client devices generating DNS queries</li>
<li>Top domains accessed</li>
</ul>
<p>Patches and upgrades:</p>
<ul>
<li>Validate patches/upgrades in a lab environment</li>
<li>Initially deploy patches/upgrades to a single server or a site and run for a period your operations team are comfortable with</li>
<li>Update any methods and procedures (M&amp;Ps) for your operations team if new features and/or functions have been added.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/running-dns-caching-servers/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Best practices for designing and deploying caching DNS</title>
		<link>http://www.nominum.com/dns/best-practicescaching-dns</link>
		<comments>http://www.nominum.com/dns/best-practicescaching-dns#comments</comments>
		<pubDate>Tue, 31 Jan 2012 12:00:42 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10805</guid>
		<description><![CDATA[After making decisions about scale, latency targets, and additional DNS based features that will be supported it’s time to define the next level of details. Choose a suitable hardware platform Fast Intel/AMD based processor architecture 2 GB RAM &#8211; 8GB or higher if you plan to take advantage of additional DNS based features like redirection, [...]]]></description>
			<content:encoded><![CDATA[<p>After making decisions about scale, latency targets, and additional DNS based features that will be supported it’s time to define the next level of details.</p>
<p>Choose a suitable hardware platform</p>
<ul>
<li>Fast Intel/AMD based processor architecture</li>
<li>2 GB RAM &#8211; <em>8GB or higher if you plan to take advantage of additional DNS based features like redirection, or extensive statistics</em></li>
<li>Gigabit interface</li>
</ul>
<p>Server configuration:</p>
<ul>
<li>Assign a separate IP address for query source</li>
<li>Memory cache value: Depending on your environment, this value could vary. The number of subscribers accessing this server will have an impact on the configuration value. A value between 500-1500MB can be used.</li>
<li>Recursive contexts: This value needs to stay low. A recursive context is a thread that is used for recursion. The lower the number of recursive contexts, the better your cache hit ratio. The two values go hand in hand during the optimization of your caching server.</li>
<li>Negative Cache TTL: the default value usually works in most environments, but with very low TTLs critical for RRs for most global entities, it is better to keep this value low, between 15 and 45 minutes.</li>
</ul>
<p>Security:</p>
<ul>
<li>Don’t deploy a firewall in front of caching DNS servers (can deploy an Intrusion Prevention System or similar if needed)</li>
<li>Define an ACL list that matches the address ranges of the subscribers who can access the server</li>
<li>Use the maximum number of ports (16) for UDP Source Port Randomization to maximize protection against spoofed queries.</li>
<li>Take advantage of query case randomization, also known as “0x20”.  Be sure the server can requery (over TCP) without randomization to cover the small percentage of authoritative nameservers that don’t mirror query case.</li>
</ul>
<p>Redundancy: Redundancy is critical when building a reliable caching infrastructure. Some common practices are</p>
<ul>
<li>Two logical caching servers at a minimum</li>
<li>Ideally on different networks</li>
<li>In different datacenters</li>
<li>At least one server close to the subscriber &lt; 20msec delay</li>
</ul>
<p>Availability: The caching infrastructure always has to be available for the best subscriber Internet experience. There are several ways to deploy – the best solution will be guided by the network topology, the desired subscriber experience and cost.</p>
<ul>
<li>Load balanced: Horizontally scalable in large environments. It also allows additional control of ACLs on a hardware device if needed. The overhead is that it requires load balancer expertise to manage the environment.</li>
<li>Anycast: This is a very common deployment model. This allows for individual servers to present themselves as DNS nodes on a network. DNS traffic is routed to the closest server on the network.</li>
<li>Hybrid (Anycasting via a load-balanced configuration): This configuration is in use in large environments. This provides the flexibility of scaling a node to multiple servers based on subscriber density and traffic flows.</li>
</ul>
<p>Capacity: A scalable infrastructure should be capable of handling failures in the network and/or hardware.  Always provide enough headroom on a server for:</p>
<ul>
<li>Loss of a site</li>
<li>Loss of a server</li>
<li>Site maintenance</li>
<li>Server maintenance</li>
</ul>
<p>Set thresholds: This will allow your network operations center to be proactive about potential problems well before they become serious.</p>
<ul>
<li>CPU utilization &gt; 40%, 50%, 60%</li>
<li>Recursive Contexts should run at around 20% sustained rate, 50% should trigger a notification and 75% requires attention to see what’s going on.</li>
<li>QPS per client</li>
</ul>
<p>DDoS:</p>
<ul>
<li>Rate limit queries per IP</li>
<li>Distribute servers</li>
<li>Use best of breed caching servers</li>
</ul>
<p>Deployment process:</p>
<p>Simplify the deployment process so patches and software upgrades can be deployed quickly.</p>
<ul>
<li>Be able to quickly rebuild the OS</li>
<li>Be able to quickly deploy a patch</li>
<li>Be able to quickly upgrade the DNS software</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/best-practicescaching-dns/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Best practices for DNS design and architecture</title>
		<link>http://www.nominum.com/dns/best-practices-for-dns-design-and-architecture</link>
		<comments>http://www.nominum.com/dns/best-practices-for-dns-design-and-architecture#comments</comments>
		<pubDate>Tue, 24 Jan 2012 13:23:47 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10757</guid>
		<description><![CDATA[The DNS is a critical component of ISP infrastructure. It’s usually described in two forms, Authoritative and Caching. Authoritative DNS Servers host your domains like www.yourcompany.com, and associated resource records, as well as their location. They do this by mapping names of hosts to their IP-addresses. Caching DNS Servers help applications and services – browsers, [...]]]></description>
			<content:encoded><![CDATA[<p>The DNS is a critical component of ISP infrastructure. It’s usually described in two forms, Authoritative and Caching.</p>
<p>Authoritative DNS Servers host your domains like <em>www.yourcompany.com,</em> and associated resource records, as well as their location. They do this by mapping names of hosts to their IP-addresses.</p>
<p>Caching DNS Servers help applications and services – browsers, VOIP, IPTV, etc. &#8211; navigate the DNS hierarchy to find the appropriate Authoritative servers and eventually the target host of your domain.</p>
<p>When you design and deploy DNS caching infrastructure, it’s important to understand and research the following first.</p>
<ul>
<li>How many subscribers are going to access the environment?  100-150 thousand per server is a typical maximum for high performance software running on a current generation hardware platform.</li>
<li>What is the anticipated subscriber growth?  It’s worth matching growth to the hardware refresh cycle of 3-4 years.  Using the growth rate, work back from the 100-150 thousand subscribers maximum to figure out what the starting subscriber count should be.</li>
<li>How distributed do you want the infrastructure to be? This usually depends on the network topology.  Keeping DNS clusters/servers as close as possible to end-users provides the best possible Internet experience.</li>
<li>What additional features need to be enabled like IPv6 or DNSSEC?</li>
<li>What additional solutions – like redirection, bot identification and mitigation or others need to be run on the platform?</li>
<li>What statistics and metrics do you need to feed internal systems – what DNS related stats are tracked currently, are there new stats offered with the new platform that would be useful?</li>
<li>What are other business growth drivers – are there plans to deploy new services that will fuel DNS growth?</li>
<li>How will your operations team manage the new infrastructure?</li>
<li>What processes and procedures have to be implemented to support the new and/or upgraded platform?</li>
</ul>
<p>Once you have a clear understanding of the questions above and a few others that might be specific to your environment you can start putting your requirements into play.  Since you have the opportunity to build an infrastructure from scratch or upgrade an existing one, it’s worth spending time understanding how business needs can be balanced with cost and capabilities of the solution.  Work the numbers – look at subscriber count and performance and consider factors that impact the subscriber experience like latency and costs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/best-practices-for-dns-design-and-architecture/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fortinet® Broadens Enterprise Security Reach with New Domain Name System (DNS) Caching Appliances “Powered by Nominum”</title>
		<link>http://www.nominum.com/press-release/fortinet-security</link>
		<comments>http://www.nominum.com/press-release/fortinet-security#comments</comments>
		<pubDate>Tue, 24 Jan 2012 11:49:11 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[2012]]></category>
		<category><![CDATA[Press Release]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10750</guid>
		<description><![CDATA[FortiDNS™-400C and FortiDNS-1000C Deliver New Security-Focused DNS, Dynamic Host Configuration Protocol and Internet Protocol Address Management (DDI) Solutions SUNNYVALE, Calif., January 24, 2012- Fortinet® (NASDAQ: FTNT) &#8211; a world leader in high-performance network security – today announced the introduction of two new DNS caching appliances designed for the SMB, Enterprise, Federal, Financial Services and Educational [...]]]></description>
			<content:encoded><![CDATA[<p><em>FortiDNS™-400C and FortiDNS-1000C Deliver New Security-Focused DNS, Dynamic Host Configuration Protocol and Internet Protocol Address Management (DDI) Solutions</em></p>
<p><strong>SUNNYVALE, Calif., January 24, 2012</strong>- Fortinet® (NASDAQ: FTNT) &#8211; a world leader in high-performance network security – today announced the introduction of two new DNS caching appliances designed for the SMB, Enterprise, Federal, Financial Services and Educational markets. The FortiDNS-400C and FortiDNS-1000C, the first of a planned product family of security-focused DNS, DHCP and IPAM solutions, enable organizations to prevent malicious attacks against their DNS infrastructure.</p>
<p>The FortiDNS-400C and FortiDNS-1000C are the result of a technology partnership with <a href="../" target="_blank">Nominum</a>, the worldwide leader in intelligent DNS and DHCP business solutions that support over 500 million broadband and mobile users worldwide. Powered by <a href="../" target="_blank">Nominum</a>, the FortiDNS appliances introduce significant security benefits to help protect an organization’s DNS, the method of translating URLs (such as <a href="http://www.fortinet.com/">www.fortinet.com</a>) to individual device IP addresses. Without a fully secure Domain Name Server (DNS) infrastructure, there can be catastrophic consequences that include hijacking of legitimate users and an inability to send email, find Websites or access the Internet. For example, criminals seeking to steal the login credentials of online banking customers could hijack the DNS of an ISP and redirect customers to a fraudulent site.</p>
<p>“If compromised, DNS can open an organization up to attack and subversion via the redirection of users to malicious content,” says Dr. Paul Mockapetris, Chairman and Chief Scientist of Nominum and inventor of the Domain Name System (DNS). “It is one of the most critical but often overlooked components of Internet use. That’s why today’s introduction of the initial FortiDNS appliances is so significant. Organizations now have a DNS caching appliance running a hardened, commercially-crafted software, that is field-proven with hundreds of millions of users, providing exceptional security for one of the most important aspects of their IT infrastructure.”</p>
<p>The security-focused FortiDNS-400C and FortiDNS-1000C feature a high-performance recursive DNS caching engine that supports IPv6 and Domain Name System Security Extensions (DNSSEC) making it an ideal upgrade option over aging and functionally-limited legacy solutions. By integrating the high performance and secure DNS features from Nominum with Fortinet’s broad management, network security and cloud-based <a href="http://fortiguard.com/" target="_blank">FortiGuard</a>™ services, the FortiDNS family provides organizations with a simple-to-deploy and affordable appliance that provides critical DNS security capabilities.</p>
<h2><strong>Simplified Management</strong></h2>
<p>Until now, DNS has had a history of being a somewhat complicated and, at times, error-prone system to manage and administer. Simple configuration errors on the command line have proven disastrous and difficult to troubleshoot. To overcome these issues, FortiDNS is a fully hardened appliance that removes the need to patch and maintain the host operating system. As a GUI-configured solution, the FortiDNS family simplifies the task of administering the appliance to reduce operational overhead and significantly minimize the risk of misconfiguration.</p>
<h2><strong>FortiDNS Features</strong></h2>
<p>As a hardened system powered by <a href="../" target="_blank">Nominum</a>, the FortiDNS-400C delivers market leading, carrier-class DNS security that has been tested in the most demanding environments in a simple-to-deploy appliance form factor for a wide range of enterprises and businesses. Through its secure DNS implementation including Transaction ID, UDP source port and case (query name) randomization, the appliance can prevent DNS cache poisoning attacks. In addition, its high-performance DNS caching speeds up name resolution and network performance.</p>
<p>FortiDNS appliances also provide support for IPv6 and DNSSEC to help ensure future requirements are supported in order to protect customer investments. To secure remote management and protect against brute force attacks to gain access, they also integrate with FortiToken two-factor authentication.</p>
<p>And for enhanced visibility, network and security administrators can gain insight into what is being queried on their network and who is making the query. This aids in quickly identifying potential misconfigurations and compromised systems and helps organizations adhere to audit requirements.</p>
<p>“The need to secure DNS infrastructures has never been greater,” said Michael Xie, chief technology officer with Fortinet. “Because DNS is a fundamental enabling component of the Internet, it has to be aggressively safeguarded from malicious attacks that can wreak havoc on an organization’s ability to conduct business. That’s why we’re collaborating with Nominum on the release of our initial secure DNS caching appliance. By combining best of class technologies from two market leaders, the FortiDNS family is a powerful yet highly affordable solution to help protect and preserve the integrity of an organization’s DNS infrastructure.”</p>
<h2><strong>Availability</strong></h2>
<p>The FortiDNS-400C and FortiDNS-1000C will be available in Q1 2012.</p>
<h2>About Nominum (<a href="../">www.nominum.com</a>)</h2>
<p>Nominum is the leading provider of business solutions powered by world-class Intelligent DNS and DHCP software and service platforms. Our solutions enable our customers, including fixed and mobile service providers and OEM technology partners, to provide the most secure, scalable, robust and reliable Internet experience to more than 500 million users worldwide. Nominum’s DNS- and DHCP-based solutions are the only commercial offerings in the marketplace meeting the rigorous demands that today’s service providers and enterprises have for security, low latency and high-speed performance. Nominum is a global organization headquartered in Redwood City, CA.</p>
<h2>About Fortinet (<a href="http://www.fortinet.com/">www.fortinet.com</a>)</h2>
<p>Fortinet (NASDAQ: FTNT) is a worldwide provider of network security appliances and the market leader in unified threat management (UTM). Our products and subscription services provide broad, integrated and high-performance protection against dynamic security threats while simplifying the IT security infrastructure. Our customers include enterprises, service providers and government entities worldwide, including the majority of the 2011 Fortune Global 100. Fortinet&#8217;s flagship FortiGate product delivers ASIC-accelerated performance and integrates multiple layers of security designed to help protect against application and network threats. Fortinet&#8217;s broad product line goes beyond UTM to help secure the extended enterprise &#8211; from endpoints, to the perimeter and the core, including databases and applications. Fortinet is headquartered in Sunnyvale, Calif., with offices around the world.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/press-release/fortinet-security/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Intelligent DNS Will Be Critical in Mobile Networks</title>
		<link>http://www.nominum.com/dns/intelligent-dns-will-be-critical-in-mobile-networks</link>
		<comments>http://www.nominum.com/dns/intelligent-dns-will-be-critical-in-mobile-networks#comments</comments>
		<pubDate>Thu, 19 Jan 2012 14:09:37 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Online Safety]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10716</guid>
		<description><![CDATA[Mobile exploits aren’t yet widespread; inherent security protections built into mobile devices, operating systems and networks have thus far largely deterred malware that gets secretly downloaded to mobile devices.  But mobile users are still subjected to socially engineered attacks like phishing, and technologies (like QR codes) expose them in new ways. Criminals always follow the [...]]]></description>
			<content:encoded><![CDATA[<p>Mobile exploits aren’t yet widespread; inherent security protections built into mobile devices, operating systems and networks have thus far largely deterred malware that gets secretly downloaded to mobile devices.  But mobile users are still subjected to socially engineered attacks like phishing, and technologies (like QR codes) expose them in new ways.</p>
<p>Criminals always follow the money and with growth in mobile broadband at the base of the power curve and the billions of devices forecast to be navigating the web, there is little doubt tremendous energy will be expended to target mobile devices.  They will become prime targets especially since people are already comfortable banking and executing other kinds of transactions from their smartphones.</p>
<p>Mobile network operators face different challenges than their fixed network counterparts.  Although mobile devices like tablets and smartphones have become extraordinarily powerful they still have processor and memory constraints as compared to even modest laptop computers.  With this kind of environment, traditional security solutions (like client software) introduce trade-offs.   Mobile users won’t be happy if security software noticeably impairs the performance of their devices, especially if they’re depending on it for directions or information while they’re on the go.</p>
<p>Using precious bandwidth for shipping security software updates is also unlikely to appeal to either network operators or mobile users.  For network operators aggregate bandwidth consumption for updates will be substantial and there is a real cost associated with its use.  Users like the idea of security but if the practical reality means waiting for an update rather than surfing to find the nearest restaurant they’ll always prefer the latter and will quickly tire of intrusions that interrupt their routines.</p>
<p>There are other, more subtle issues with mobile.  With mobile devices in general there’s less opportunity to provide context and cues to users to alert them to security threats.  Small(er) screens introduce unique human factors challenges.  With less display area there’s a reflexive tendency to scroll to where the action is on the screen and even experienced users may miss important cues indicating a security threat, for instance by quickly scrolling below the address bar in a browser window.</p>
<p>Just as criminals are dependent on networks for launching their exploits, they’re also dependent on the network to harvest their gains;  they need phishing sites to gather valuable personal information, drop-off sites for malware to upload personal information, and in the future Command and Control for botnets. These telltale signs reveal their presence.</p>
<p>Mobile network operators have a unique opportunity to address these issues.  Enabling a layer of security protections in the network is an obvious alternative to traditional approaches.  Network based protections offload the burden on mobile devices and eliminate the need to continually update what will rapidly grow to be billions of devices.</p>
<p>Leveraging the DNS as a network based security solution offers even more benefits as discussed in these posts: <a title="A Strategic Vantage Point" href="http://www.nominum.com/dns/a-strategic-vantage-point">Strategic Vantage Point</a>, <a title="The Power of the Control Plane" href="http://www.nominum.com/dns/the-power-of-the-control-plane">The Power of the Control Plane</a>, <a title="Advantage DNS" href="http://www.nominum.com/dns/advantage-dns">Advantage DNS</a>.  Most importantly, it allows network operators to demonstrate an active commitment to protecting their customers – enhancing their safety online and improving their overall Internet experience.  This will increase their affinity for the base service and make them more receptive to other offers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/intelligent-dns-will-be-critical-in-mobile-networks/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Advantage DNS</title>
		<link>http://www.nominum.com/dns/advantage-dns</link>
		<comments>http://www.nominum.com/dns/advantage-dns#comments</comments>
		<pubDate>Tue, 17 Jan 2012 13:10:02 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10665</guid>
		<description><![CDATA[The DNS has played an essential role since the earliest days of the Internet, resolving an IP address when given a domain name.  Now it’s being considered for security applications.  There are many fundamental reasons why it makes sense: The DNS is proven and well understood; it’s been an integral part of IP networks for [...]]]></description>
			<content:encoded><![CDATA[<p>The DNS has played an essential role since the earliest days of the Internet, resolving an IP address when given a domain name.  Now it’s being considered for security applications.  There are many fundamental reasons why it makes sense:</p>
<p>The DNS is proven and well understood; it’s been an integral part of IP networks for more than 25 years. It’s also stable; there have been very few changes to the protocol so there is little inherent risk in leveraging it for new applications like security.</p>
<p>The DNS is universally deployed; every IP network in the world uses it.  Every client device that accesses the Internet also uses it because it’s essential for navigation.  DNS ubiquity is a Good Thing: leveraging the DNS removes the need for new equipment and changes to network architectures.   Since every device already has a DNS client there’s no need for client software either.</p>
<p>The DNS is a superb vantage point in the network.  Virtually every Internet application relies on the DNS, as do social engineering exploits, malware, fake AV etc.  If something bad is happening on a network the DNS is the place to see it.</p>
<p>DNS deployments are virtually always designed with redundancy.  DNS clients are already set up to talk to multiple DNS servers so a DNS based security system will be inherently redundant.</p>
<p>Better still, most Internet transactions start with a DNS query: navigating to a web site, sending an email, making a phone call, etc.  This means security exposure can be detected as early as possible.  Early detection means many exploits never even get off the ground.  No other security system is as proactive.</p>
<p>The DNS scales beautifully; it’s the largest distributed database in the world, hosting hundreds of millions of domain names.  There is no question it can scale to meet security challenges.</p>
<p>The DNS is pervasive; it’s distributed across literally every corner of the Internet and hundreds of millions of Internet resources rely on it to advertise their presence.  Today millions of exploits use the DNS to advertise malicious resources; it just makes sense to use the DNS against them to prevent them from being successful.</p>
<p>Because the DNS is fully distributed and it’s a relatively simple protocol, a single server can process queries from tens of thousands of devices.  In aggregate, trillions of DNS queries are handled every day – no other system even comes close.  As traffic increases the DNS is beautifully suited to handle it.</p>
<p>“Zero Cost” protection – using the DNS to protect networks and end users does not introduce any overhead.  There is no new equipment in the network and no additional latency; “intelligent” DNS queries are processed in exactly the same way as conventional DNS queries.</p>
<p><em>Summary</em></p>
<p>There’s tremendous upside to using systems that are familiar and proven to deter security threats that are becoming more and more common. The DNS is an essential part of the Internet and there’s a tremendous opportunity to leverage its power, scope and scale in the security battle.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/advantage-dns/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Power of the Control Plane</title>
		<link>http://www.nominum.com/dns/the-power-of-the-control-plane</link>
		<comments>http://www.nominum.com/dns/the-power-of-the-control-plane#comments</comments>
		<pubDate>Tue, 10 Jan 2012 13:31:09 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10644</guid>
		<description><![CDATA[Today’s hackers are all about money; they constantly change the face of their exploits to maximize their returns.  These agile attacks require agile defenses.  Moving security protections into the network is essential to enabling more reliable updates of threat information; aggregation also provides significant scaling and manageability benefits.  DNS-based security protections improve agility because DNS [...]]]></description>
			<content:encoded><![CDATA[<p>Today’s hackers are all about money; they constantly change the face of their exploits to maximize their returns.  These agile attacks require agile defenses.  Moving security protections into the network is essential to enabling more reliable updates of threat information; aggregation also provides significant scaling and manageability benefits.  DNS-based security protections improve agility because DNS queries are a leading indicator of security exposure; from a strategic vantage point the DNS participates in web transactions that provide visibility into the presence of security threats.</p>
<p>A major advantage of the DNS is it works in the control plane &#8211; helping set up IP transactions by providing applications with the location or identity of resources. It does not participate in <em>any</em> of the subsequent protocol interactions – to connect to a server and download or exchange data such as web pages, video, email etc.  Yet a single, short, DNS query can reveal a potential security threat like a malicious web site, or a bot trying to reach its command and control.  It’s an extremely effective and lightweight method of identifying existing and potential threats that does not add <em>any</em> overhead to DNS query processing.  There is also no additional equipment or processing required in the network.</p>
<p>All other network-based security solutions work in the data-plane: specialized equipment such as Deep Packet Inspection (DPI) boxes are placed in a network to observe data traffic between client devices and servers.  High performance hardware promiscuously scans every packet on a network link looking for malicious activity.  Network operators configure filters based on information contained in reputation lists or signature updates.  When a packet matches a filter it triggers additional actions to capture data such as the destination of the packet.  Interestingly the presence of such traffic is an indication that an exploit is at least partially successful.</p>
<p>There is another limitation of data-plane based filtering.  In most cases it’s necessary to filter based on IP addresses rather than domain names.  Although for some purposes filtering on IP addresses is adequate, it is often ineffective, especially for dynamic threats where attackers change the IP address continuously to avoid detection.  Filtering based on domain names is more effective because dynamic threats can be captured.   But data plane based equipment is typically not situated in the right place in the network to take full advantage of domain-based filtering because it will not see all the DNS traffic (best case it will only see recursive requests from a caching server), and client level IP visibility is lost (recursive requests will always use the caching server IP).  It is certainly possible to situate DPI equipment in front of the DNS and set up filters to trigger on domain names but this justifies and strengthens the case for native use of the DNS for security!</p>
<p>The other disadvantage of data-plane based filtering is it raises privacy concerns.  End users are increasingly aware of the implications of Deep Packet Inspection and wary of its presence.  The notion of a network operator looking at all the data traffic on a network has raised objections from privacy advocates and makes mainstream users extremely nervous.  By contrast, DNS-based solutions only resolve requests for web sites; it is impossible to derive any insight into what someone does at a website when they visit.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/the-power-of-the-control-plane/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Strategic Vantage Point</title>
		<link>http://www.nominum.com/dns/a-strategic-vantage-point</link>
		<comments>http://www.nominum.com/dns/a-strategic-vantage-point#comments</comments>
		<pubDate>Thu, 05 Jan 2012 15:22:24 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10635</guid>
		<description><![CDATA[The idea of using the DNS for security might be unfamiliar but it has several important characteristics that lend themselves beautifully to addressing today’s dynamic threats. To start with, DNS servers occupy a strategic vantage point with tremendous visibility into what’s happening on networks.  Every end user, device, and IP application uses the DNS to [...]]]></description>
			<content:encoded><![CDATA[<p>The idea of using the DNS for security might be unfamiliar but it has several important characteristics that lend themselves beautifully to addressing today’s dynamic threats.</p>
<p>To start with, DNS servers occupy a strategic vantage point with tremendous visibility into what’s happening on networks.  Every end user, device, and IP application uses the DNS to locate resources; legitimate applications like web browsers, VoIP, and email use it, and malicious applications use it too.  DNS queries for malicious destinations – malware sites with “drive-by” downloads, phishing sites that harvest valuable confidential information, botnet command and control, and many other things – are a telltale sign of security exposure.  They’re a clear indication an end user intends to navigate to a dangerous place, or may already be infected with malware.</p>
<p>In the security world early detection is highly desirable.  The sooner a threat can be detected, the less damage it can do, and the fewer resources it consumes.   A DNS query is a great leading indicator of security exposure because it precedes all other tasks for most of the interactions that take place on a network.   For instance, when someone clicks on a malicious web link the first thing their browser does is initiate a DNS query.  Similarly when a bot is activated it sends a DNS query to find its command and control server.  Even Advanced Persistent Threats signal their presence with DNS queries.</p>
<p>Although there are other methods of detecting these kinds of threats DNS servers are the best early warning system because they see potential security threats before anything else in the network.  It’s even possible to move from a reactive, to a proactive, security model where end users are prevented from going to malicious destinations altogether so their machines don’t get infected in the first place.  Contrast this with today when users get infected, and then rely on client software to discover the infection, hopefully before any real damage is done.</p>
<p>There’s a great opportunity to leverage the strategic vantage point of the DNS and introduce a layer of security in networks that is a far better match for today’s dynamic threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/a-strategic-vantage-point/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Smarter DNS Makes a Smarter Security Solution</title>
		<link>http://www.nominum.com/dns/smarter-dns-makes-a-smarter-security-solution</link>
		<comments>http://www.nominum.com/dns/smarter-dns-makes-a-smarter-security-solution#comments</comments>
		<pubDate>Tue, 20 Dec 2011 14:06:04 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10511</guid>
		<description><![CDATA[Network operators and IT departments constantly reassess their security exposure and evaluate the best methods for protecting their networks and end users.  New security solutions are always emerging to help them and one that’s starting to receive a lot of attention is the DNS.  That’s raising an obvious question: “how in the world does the [...]]]></description>
			<content:encoded><![CDATA[<p>Network operators and IT departments constantly reassess their security exposure and evaluate the best methods for protecting their networks and end users.  New security solutions are always emerging to help them and one that’s starting to receive a lot of attention is the DNS.  That’s raising an obvious question: “how in the world does the DNS become a security platform?”</p>
<p>It’s actually a straightforward proposition: make caching DNS servers smarter so they can identify malicious Internet destinations.  Dynamically updating caching servers with the latest threat information from “reputation lists” makes them more intelligent.  When an Intelligent DNS server sees a request for a web destination that matches a cached malicious destination it can provide a safer more “intelligent” answer based on policies set by a network operator.  For instance depending on the type of threat the server could:</p>
<ul>
<li>Log the request if the threat is not serious or not well understood (to capture data for further analysis), or</li>
<li>Provide the IP address of a “safe” website when a user requests a malicious destination; this website could offer specific guidance on the threat and link to other resources</li>
<li>Provide the IP address of a sinkhole where traffic can be analyzed, or a blackhole where it is dropped</li>
</ul>
<p>Other policies are possible based on a network operator’s needs.</p>
<p>Providing an intelligent answer to a DNS query does not require any additional processing of the query.  The server does exactly the same amount of work whether an answer is “intelligent” or not.  It just does a normal look-up on the domain name and pulls whatever answer is cached in memory.   Performance (queries per second) and latency (the time to respond to a query) of the server are not affected.  There is a small amount of work to receive and load reputation list updates, but this can be performed when the server is not responding to queries, so it does not affect the primary function of the server.</p>
<p>Making DNS servers more intelligent can enable a new layer of highly agile security defenses.   A familiar, proven system can be inducted into the security battle and have a substantial impact with no significant overhead.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/smarter-dns-makes-a-smarter-security-solution/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Better Way to Protect Networks and End Users</title>
		<link>http://www.nominum.com/security/a-better-way-to-protect-networks-and-end-users</link>
		<comments>http://www.nominum.com/security/a-better-way-to-protect-networks-and-end-users#comments</comments>
		<pubDate>Thu, 15 Dec 2011 19:50:04 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[Operations & Infrastructure]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10433</guid>
		<description><![CDATA[Everyone agrees protecting Internet users from malware and social engineering exploits like phishing is a valuable thing to do.  At minimum these attacks are a nuisance because they degrade the Internet experience; in the worst case they can be costly and dangerous.  But protecting networks and end users is becoming more difficult because attackers are making their [...]]]></description>
			<content:encoded><![CDATA[<p>Everyone agrees protecting Internet users from malware and social engineering exploits like phishing is a valuable thing to do.  At minimum these attacks are a nuisance because they degrade the Internet experience; in the worst case they can be costly and dangerous.  But protecting networks and end users is becoming more difficult because attackers are making their exploits more dynamic and thus harder to detect.  This is stressing some solutions, like client software, that have been a primary means of protecting end systems.</p>
<p>To some extent this problem is not a surprise.  Client software was originally developed in an era when exploits propagated far more slowly (remember infected floppy disks?) so it wasn’t necessary to update signatures continuously.  Now attackers have all the resources of the Internet at their disposal – and use them.  Exploits can be morphed and redeployed in seconds.</p>
<p>The problem is <em>not</em> an inherent inability of client software to detect dynamic threats.  It’s human factors or technical constraints preventing the very latest signatures and algorithms from always being installed on every machine.  Security vendors have done a remarkable job of identifying and tracking even the most agile attacks, but the value of their efforts is substantially diminished if people are unwilling, or unable, to keep their client software current.</p>
<p>Agile attacks require agile defenses.  Since virtually every threat today originates in the network, moving protections into the network is a sensible thing to do.  Because threats operate at Internet scale security solutions need to scale as well.  Aggregation is a natural benefit of moving security protections into the network. A few systems, strategically situated, can provide effective protection for potentially millions of hosts.  Fewer systems means updating threat information is simpler and far more reliable which greatly improves agility and responsiveness to a rapidly changing threat landscape.   Consumers, network administrators and other IT staff get relief too, and the burden on hosts can be reduced, especially as network based protections become pervasive.</p>
<p>The idea of network based security is not new; it’s been happening since the Internet was first commercialized and firewalls arrived on the scene to protect corporate networks from outside intruders.  But what’s needed now are solutions that are as dynamic, adaptable and scalable as the threats they are designed to deter.  The question to ask isn’t whether additional security protections should be deployed in the network, but how.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/security/a-better-way-to-protect-networks-and-end-users/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Resilient DNS: Maximizing Internet Performance and Preparing for DDOS (part 3 of 3)</title>
		<link>http://www.nominum.com/dns/resilient-dns-maximizing-internet-performance-and-preparing-for-ddos-part-3-of-3</link>
		<comments>http://www.nominum.com/dns/resilient-dns-maximizing-internet-performance-and-preparing-for-ddos-part-3-of-3#comments</comments>
		<pubDate>Thu, 08 Dec 2011 12:25:06 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=10001</guid>
		<description><![CDATA[Just as it’s important for service providers and enterprises to maximize the performance and availability of their caching DNS servers, it’s important for brand owners and IT departments to ensure the robustness of their Authoritative DNS.  Some of the issues are similar, but ensuring security of Authoritative data also has to be considered. Make sure [...]]]></description>
			<content:encoded><![CDATA[<p>Just as it’s important for service providers and enterprises to maximize the performance and availability of their caching DNS servers, it’s important for brand owners and IT departments to ensure the robustness of their Authoritative DNS.  Some of the issues are similar, but ensuring security of Authoritative data also has to be considered.</p>
<ul>
<li>Make sure your primary Authoritative server is not accessible by anything other than your secondary Authoritative servers. In particular, the primary should not be accessible via UDP/TCP port 53 from anywhere other than the secondaries.  If a secondary is compromised, you can quickly take it down and rebuild it, because your authoritative DNS data is still secure.</li>
</ul>
<ul>
<li>Implement query-rate limiting on network devices (load balancers, firewalls) in front of your secondary Authoritative servers.</li>
</ul>
<ul>
<li>It might also be worth considering approaches for introducing a redundant master authoritative server.  Active-standby configurations have limitations with only a single primary authoritative nameserver accepting zone changes and transmitting them to secondary servers across their network at any one time, especially for voice and real-time applications.  Existing approaches for handling failure of a master add complexity and often introduce synchronization problems as well as unacceptable and unpredictable delay, all of which can have a negative impact on application performance.</li>
</ul>
<p>In some cases backing up or supplementing internally managed servers with hosted services may make sense (Nominum offers SKYE Authority). This provides additional live capacity to maintain DNS service for handling unusual loads or if you are attacked.  Look for a globally distributed network that is actively monitored for any unusual traffic.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/resilient-dns-maximizing-internet-performance-and-preparing-for-ddos-part-3-of-3/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Resilient DNS: Maximizing Internet Performance and Preparing for DDOS (part 2 of 3)</title>
		<link>http://www.nominum.com/dns/resilient-dns-maximizing-internet-performance-and-preparing-for-ddos-part-2-of-3</link>
		<comments>http://www.nominum.com/dns/resilient-dns-maximizing-internet-performance-and-preparing-for-ddos-part-2-of-3#comments</comments>
		<pubDate>Mon, 05 Dec 2011 17:29:36 +0000</pubDate>
		<dc:creator>Nominum</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=9956</guid>
		<description><![CDATA[An earlier post talked about how important it is to maximize the responsiveness and availability of caching DNS in order to maintain a good user experience.  It focused on the benefits of using Anycast.  There are several other things worth considering for caching DNS as covered below: Place recursive DNS servers close to customer access [...]]]></description>
			<content:encoded><![CDATA[<p>An earlier post talked about how important it is to maximize the responsiveness and availability of caching DNS in order to maintain a good user experience.  It focused on the benefits of using Anycast.  There are several other things worth considering for caching DNS as covered below:</p>
<ul>
<li>Place recursive DNS servers close to customer access networks – this minimizes network latency for DNS queries, and helps to reduce the perceived response times from websites.  Complex web pages can generate 20 or more DNS queries, often sequentially, so fast DNS response has a significant impact on overall page load times.</li>
<li>Allow plenty of capacity. A maximum CPU load of 20% for the DNS process and 30% overall (including management agents and other things that may be running) at peak time are good targets to ensure ample headroom. Remember that monitoring systems such as Cacti give a short-term average, usually over several minutes, and DNS traffic spikes may be hidden. Plenty of headroom means that these spikes can be handled, and allows “breathing space” if an attack starts or something on the Internet creates an unusual surge in traffic.</li>
<li>Block UDP and TCP port 53 access to your servers from outside your network. There is no need to provide DNS service to the rest of the Internet (and all the DDoS sources out there!). Optionally, using the distributed Anycast system described above, each DNS server only needs to be exposed to “local” users. However, if this is done, care must be taken to ensure that there are accessible servers in the event that the local one fails.</li>
<li>If you site multiple DNS servers together, use a suitable load balancer.  The Anycast system is not capable of accurately load-balancing between adjacent servers. However, most load balancers and switches are capable of advertising Anycast routes, and withdrawing them when available server capacity drops below a defined threshold. Remember the traffic is mostly UDP. Load balancers are very important tools, and can help rate-limit when an attack occurs, but they do introduce another potential failure point.</li>
<li>An option worth considering is hosted services (Nominum offers Skye Resolution) to provide additional live or backup capacity to maintain caching DNS service if you are attacked.  Be sure to confirm the vendor has a globally distributed network to minimize the likelihood a DDOS attack against your DNS servers affects the hosted service at the same time. Hosted services should also be actively monitored for unusual traffic.</li>
<li>Before the DDOS attack happens, make sure your monitoring and alarms are up to the job. You need to know very quickly when server load has increased. Have trace tools ready to look at query source addresses for unusual patterns. Nominum iView is a valuable ally here, as it is specifically designed to monitor and control DNS systems.</li>
<li>Make sure your organization and response procedures are well understood. Often, when a major outage or attack occurs, the biggest reason for delayed response is confusion: who to call, what steps to take? In many cases, the attack is over before the attacked organization has started analyzing it. At minimum be ready to capture relevant data during an attack so you  have something to analyse after the event.</li>
<li>Document what you find out after the event. Even if you cannot analyse the event while it is happening, there is still great value in a post-mortem investigation, as it will help you defend better and respond more quickly next time.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/resilient-dns-maximizing-internet-performance-and-preparing-for-ddos-part-2-of-3/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Resilient DNS: Maximizing Internet Performance and Preparing for DDOS (part 1 of 3)</title>
		<link>http://www.nominum.com/dns/resilient-dns-maximizing-internet-performance-and-preparing-for-ddos-part-1-of-3</link>
		<comments>http://www.nominum.com/dns/resilient-dns-maximizing-internet-performance-and-preparing-for-ddos-part-1-of-3#comments</comments>
		<pubDate>Mon, 14 Nov 2011 19:07:15 +0000</pubDate>
		<dc:creator>Zak</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Operations & Infrastructure]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=9821</guid>
		<description><![CDATA[For network operators, recursive (caching) DNS is a critical service. Without good, fast DNS service, the Internet service appears slow and unresponsive. Caching DNS systems must also be capable of absorbing “spikes” in traffic which can occur for a multitude of reasons – peak loads, Internet events, DoS etc. Over a few posts we’ll cover [...]]]></description>
			<content:encoded><![CDATA[<p>For network operators, recursive (caching) DNS is a critical service. Without good, fast DNS service, the Internet service appears slow and unresponsive.  Caching DNS systems must also be capable of absorbing “spikes” in traffic which can occur for a multitude of reasons – peak loads, Internet events, DoS etc.  </p>
<p>Over a few posts we’ll cover 13 simple techniques to ensure good service.  They’re relevant for service provider networks and many are applicable to Enterprises as well.  </p>
<p>Below is our first suggested technique, which is how Anycast can be used to make your caching DNS more robust.  </p>
<p>Anycast is a simple way to advertise the same IP address for all DNS servers – this simplifies customer provisioning, and means that DNS queries will automatically be re-routed if a server fails. A DDoS attack from within the network will only affect the “nearest” server(s) to the attack source(s), so disruption is minimized.   Anycast can be implemented on a server with a simple script, which performs a DNS health check and then advertises a /32 route to the relevant routers.  Routers propagate this route to the network edge using the relevant routing protocol.  As /32 routes take precedence over larger subnets, this ensures that all DNS queries from the local network edge are routed to the “local” DNS server.   If the DNS software fails, the script health check will withdraw the route. If the server fails or becomes unreachable, the adjacent router will age the route out. Some tuning of route aging on the routers may be needed. In both cases, there is already a route to the “next nearest” DNS server and queries will flow to it.   The process of route withdrawal can be made shorter than the client’s “no DNS response” failover time, so clients need never fail over to a secondary DNS server address. Recovery is, of course, automatic. The Anycast address is configured as a VIP on each server. The real address of each server should not respond to UDP/TCP 53, or should be protected from this traffic by adjacent network elements. This ensures that attempts to DDOS the servers from off-net, or by using the real addresses, will fail.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/resilient-dns-maximizing-internet-performance-and-preparing-for-ddos-part-1-of-3/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ready for IPv6?</title>
		<link>http://www.nominum.com/ipv6/ready-for-ipv6</link>
		<comments>http://www.nominum.com/ipv6/ready-for-ipv6#comments</comments>
		<pubDate>Thu, 27 Oct 2011 12:51:01 +0000</pubDate>
		<dc:creator>Zak</dc:creator>
				<category><![CDATA[IPv6]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=9800</guid>
		<description><![CDATA[Service providers everywhere are executing on IPv6 transition strategies, some with more urgency than others. Numerous approaches to enable the transition are being implemented, with a goal of maximizing the utility of IPv4 addresses while ensuring 100% connectivity to the small but rapidly growing base of IPv6 addressed hosts. Regardless of technologies being deployed it’s [...]]]></description>
			<content:encoded><![CDATA[<p>Service providers everywhere are executing on IPv6 transition strategies, some with more urgency than others.  Numerous approaches to enable the transition are being implemented, with a goal of maximizing the utility of IPv4 addresses while ensuring 100% connectivity to the small but rapidly growing base of IPv6 addressed hosts.  Regardless of technologies being deployed it’s important not to overlook the DNS since new stresses will be placed on it during the transition.  Since every service provider has allocated budget for IPv6 readiness, now’s a great time to ensure the DNS is really “ready”.  A couple of simple steps will ensure customers continue to enjoy fast response times and high service levels.</p>
<p>One of the stresses that will be imposed on the DNS during the transition to IPv6 is an increase in query volume.  In fact it’s already happening. The default behavior of MacOS X is to request both A and AAAA records even when the clients making the queries aren’t provisioned on an IPv6 network!   In many cases it is believed to be a major source of IPv6 DNS traffic; measurements show the query volume approximates MacOS X adoption.</p>
<p>Windows 7 and Vista will also query for both AAAA and A records if the OS sees a publicly routable (non-local link) IPv6 address configured.  As more and more clients are transitioned to IPv6, operating system behaviors like this will cause query volumes to grow rapidly since from the standpoint of the DNS, adding a new IPv6 address will be almost equivalent to adding a new host.  Because these operating systems dominate the market the aggregate effect will be a noticeable bump in query volume.<br />
Since the shelves at IANA are now bare, Service Providers have to accept the fact that IPv4 addresses are officially scarce and thus have tangible value; they’re no longer “free”.  There may come a day when dual stack deployments for new subscribers will not be economical, especially for consumer services, due to the “cost” of an IPv4 address.  This is causing network operators to consider technologies such as DNS64/NAT64 to preserve precious IPv4 addresses.  However, this also results in a corresponding increase in DNS queries, since IPv6 hosts will query a caching server for a AAAA record and when it does not exist (often for now) the caching server will re-query for an A record.  Bottom line: regardless of which transition technologies predominate, DNS query volumes will increase. </p>
<p>DNS queries for both A and AAAA records could continue long into the future, essentially until the last IPv4 addresses are retired – which could be a long time.   It’s possible that, when a significant majority of web content is migrated to IPv6, operating systems could be modified again to be biased toward IPv6 (only issuing AAAA queries unless an IPv6 record is not found), but it appears as though we are a ways away from that! </p>
<p>The good news is ensuring critical systems like the DNS are truly ready for the transition to IPv6 is straightforward.  The most important task is ensuring the DNS infrastructure is dimensioned to account for the additional load.  The primary variable that needs to be considered is processor utilization, with Best Practices calling for average utilization of around 20%.  This provides headroom in the event of a DoS attack, or other network event, that spikes query volume (DoS attacks have been measured that increase query volume as much as 800%). </p>
<p>Network operators can make judgment calls about how “hot” they run their servers.  When limits are reached it’s only a matter of deploying incremental servers and redistributing clients.   The task of staying ahead of server performance requirements is far simpler with extensive query statistics and detailed IPv6 metrics so query trends can be understood.  If detailed data is available from servers across the network, monitoring and benchmarking can be highly automated and potential problems dealt with proactively.  Monitoring performance is valuable even in the absence of the IPv6 transition since the underlying trend of continuous growth in DNS traffic is unlikely to change. </p>
<p>Another DNS server resource worth paying attention to is memory.  Empirical evidence thus far suggests IPv6 has had little impact on memory but since IPv6 addresses are 4 times larger, AAAA records require more storage capacity.  As more and more web servers are provisioned on IPv6 the impact will be felt since servers will have to store both record types.  As mentioned the availability of detailed statistics from DNS servers will give network operators visibility into IPv6 query trends so DNS infrastructure can be ready.<br />
There’s one last thing on the check list.  If DNS64/NAT64 is used, it is also necessary to configure an IPv6 interface in DNS servers, since the clients will only have IPv6 connectivity.  There have been cases where the IPv6 protocol stack has an impact on server performance so it’s worth testing to see if an OS or HW upgrade is needed.  A similar impact has been observed with load balancers so again prudence suggests some basic performance testing to ensure availability levels can be maintained, even under load. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/ipv6/ready-for-ipv6/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Building Broadband Bridges in Brazil</title>
		<link>http://www.nominum.com/broadband-networks/building-broadband-bridges-in-brazil</link>
		<comments>http://www.nominum.com/broadband-networks/building-broadband-bridges-in-brazil#comments</comments>
		<pubDate>Wed, 19 Oct 2011 13:50:03 +0000</pubDate>
		<dc:creator>rachel</dc:creator>
				<category><![CDATA[Broadband Networks]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=9792</guid>
		<description><![CDATA[Countries around the world are seeking to spur broadband development, recognizing direct benefits in the form of economic growth, national competitiveness and improvements in social and cultural development. Several studies highlight the potential economic impact of broadband. The World Bank found every 10 percentage point increase in broadband penetration accelerates economic growth by 1.38 percentage [...]]]></description>
			<content:encoded><![CDATA[<p>Countries around the world are seeking to spur broadband development, recognizing direct benefits in the form of economic growth, national competitiveness and improvements in social and cultural development. Several studies highlight the potential economic impact of broadband.  The World Bank found every 10 percentage point increase in broadband penetration accelerates economic growth by 1.38 percentage points in low- and middle-income countries.  A McKinsey &amp; Company study yielded similar results, showing a 10 percent increase in broadband household penetration delivers a GDP boost ranging from 0.1 percent to 1.4 percent. Booz &amp; Company found 10 percent higher broadband penetration in a specific year is correlated to 1.5 percent greater labor productivity growth over the following five years.</p>
<p>By late 2009 wireline and wireless broadband subscriptions crossed 1 billion globally, but most connections are in the developed world, with the developing world far behind.  Fortunately that is starting to change.  Brazil is executing on an ambitious Plan Nacional de Banda Larga (PNBL or National Broadband Plan) to bridge the digital divide and meet the following goals:</p>
<p>•	reduce social and regional inequality,<br />
•	create jobs and income,<br />
•	improve government services,<br />
•	increase Brazil’s overall competitive position</p>
<p>An action plan was created for PNBL to address major challenges that had been identified:</p>
<p>•	Broadband in Brazil was priced far higher as a percentage of per capita income as compared to other developing countries. Regulations and incentives were created to increase competition and lower prices.  In fact taxes on items such as modems were lowered to help reduce costs.<br />
•	Many regions of Brazil were underserved with broadband services and connection speeds were far below world averages in most of the country.  A plan was developed to build a nationwide fiber optic network and Telebras was selected to construct it.</p>
<p>As part of the plan, policies for technology development were proposed to lay the groundwork for a national industry in telecoms equipment.  The Brazilian Development Bank (BNDES) also provided financing incentives for digital cities.</p>
<p>The PNBL is already showing results.  The first city, San Antonio, in the Goias state in central Brazil, has been connected to Telebras’ high speed backbone.  In exchange for high speed connectivity, local providers offer reduced rate broadband or provision a higher speed connection without increasing the cost. More than 300 more municipalities are targeted for connection by the end of 2011, and more than 4,200 by 2014.  The president has set a goal of increasing broadband penetration from 27% of households currently, to 70% of households by 2014.  In all more than $10 billion will be spent from both federal and private sources.</p>
<p>Nominum was proud to play a role in the Brazilian national network.  Starting with early involvement in the planning phase, followed by intensive consultation throughout the design and implementation, the new national network was constructed with a state of the art DNS to match the high speed fiber backbone. Advanced services will help protect Internet users from malware and other threats and because they are based in the network, end users do not have to install or maintain specialized client software.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/broadband-networks/building-broadband-bridges-in-brazil/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FutureCom Focus on Cybersecurity</title>
		<link>http://www.nominum.com/dns/futurecom-focus-on-cybersecurity</link>
		<comments>http://www.nominum.com/dns/futurecom-focus-on-cybersecurity#comments</comments>
		<pubDate>Mon, 26 Sep 2011 16:37:56 +0000</pubDate>
		<dc:creator>Zak</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=9709</guid>
		<description><![CDATA[The vibrancy of Latin American economies and rapid growth in broadband in the region were on full display at the FutureCom show held in mid September in Sao Paulo, Brazil. Paul Mockapetris gave a keynote speech “The Future of Defense Against Cybersecurity Threats” and conducted interviews as linked below. In this interview with Telesemana Paul [...]]]></description>
			<content:encoded><![CDATA[<p>The vibrancy of Latin American economies and rapid growth in broadband in the region were on full display at the FutureCom show held in mid September in Sao Paulo, Brazil.  Paul Mockapetris gave a keynote speech “The Future of Defense Against Cybersecurity Threats” and conducted interviews as linked below.</p>
<p>In this interview with Telesemana Paul discusses the importance of layered security and the kinds of exposure Internet users face.</p>
<p><a href="http://youtu.be/GfU1q0Ol5PA" target="_blank"><img src="http://www.nominum.com/wp-content/uploads/futurecom_paul.jpg" width='500' height='305' /></a></p>
<p>RCRWireless News talks with Paul about  the latest Internet attacks and how they can be addressed.</p>
<p><a href="http://youtu.be/hIsa6aIeM1o" target="_blank"><img src="http://www.nominum.com/wp-content/uploads/futurecom_paul2.jpg" width='500' height='305' /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/dns/futurecom-focus-on-cybersecurity/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nominum Picnic 2011</title>
		<link>http://www.nominum.com/uncategorized/nominum-picnic-2011</link>
		<comments>http://www.nominum.com/uncategorized/nominum-picnic-2011#comments</comments>
		<pubDate>Fri, 02 Sep 2011 16:40:12 +0000</pubDate>
		<dc:creator>rachel</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=9239</guid>
		<description><![CDATA[Several times each year, the people of Nominum come together outside the office to talk about things besides DNS. They bring friends, kids and occasionally dogs. Everyone brings an appetite. This year’s picnic was held at our corporate headquarters in Redwood City. The mouth-watering scent of barbecue, the lively sounds of bluegrass (performed “impromptu” by [...]]]></description>
			<content:encoded><![CDATA[<p>Several times each year, the people of Nominum come together outside the office to talk about things besides DNS.</p>
<p><img class="alignright size-medium wp-image-9246" src="http://www.nominum.com/wp-content/uploads/DSC_0703-300x199.jpg" alt="" width="300" height="199" />They bring friends, kids and occasionally dogs. Everyone brings an appetite. This year’s picnic was held at our corporate headquarters in Redwood City. The mouth-watering scent of barbecue, the lively sounds of bluegrass (performed “impromptu” by 3 members of our Engineering team) and a handful of family activities made the day one to remember.</p>
<p>Nominum continues to grow and evolve; there are always new faces, and yet our spirit remains strong. We’re here to do what we do best, and have some fun along the way!</p>
<p>Stay tuned for additional posts from our team. We&#8217;ll keep it light &amp; interesting, and we always enjoy your feedback!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/uncategorized/nominum-picnic-2011/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Q&amp;A Session with New CEO, Gary Messiana</title>
		<link>http://www.nominum.com/security/qa-session-with-new-ceo-gary-messiana</link>
		<comments>http://www.nominum.com/security/qa-session-with-new-ceo-gary-messiana#comments</comments>
		<pubDate>Thu, 01 Sep 2011 18:49:20 +0000</pubDate>
		<dc:creator>rachel</dc:creator>
				<category><![CDATA[Broadband Networks]]></category>
		<category><![CDATA[Innovation]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.nominum.com/?p=9151</guid>
		<description><![CDATA[What attracted you to Nominum? Nominum is a major player in the networking world with incredible product and technology assets.  Hundreds of millions of users depend on us for DNS every day, making us a force in most markets and geographies. Our unparalleled market success has been fueled by some of the world’s brightest DNS minds, [...]]]></description>
			<content:encoded><![CDATA[<p><strong><img class="alignright size-full wp-image-8936" src="http://www.nominum.com/wp-content/uploads/Gary_Messiana_ftd2.jpg" alt="" width="258" height="177" />What attracted you to Nominum? </strong></p>
<p>Nominum is a major player in the networking world with incredible product and technology assets.  Hundreds of millions of users depend on us for DNS every day, making us a force in most markets and geographies. Our unparalleled market success has been fueled by some of the world’s brightest DNS minds, including our Chairman, Paul Mockapetris the inventor of the DNS. Our exceptional engineering team is not only steeped in the history of the Internet but also has a deep understanding of how networks work and how to make them better.  They’re committed to innovating to deliver powerful products that will reshape the future of the Internet and keep Nominum ahead of the pack.</p>
<p><strong>What are your top priorities? </strong></p>
<p>First and foremost, is to engage our customers and make them an integral part of our understanding of how best to do business with them. Second, is to continue our rapid worldwide expansion and record growth. Third, is to share more of Nominum’s deep DNS knowledge and thought leadership through a diverse set of channels and tools such as our newly launched [names &amp; numbers] blog.</p>
<p><strong>What does it mean to you to be a “customer-centric CEO”?</strong></p>
<p>Everything I’ve accomplished in business I owe to customers buying from and trusting in me.  As a result, I respond in kind.  That means listening to and being responsive to their needs.  It means treating them with respect and working within their constraints, not asking them to bend to ours.  It’s not only about providing great products; it’s also about providing a great commercial experience.</p>
<p><strong>What do you see as Nominum’s role in the Internet?</strong></p>
<p>No one disputes  DNS is critical.  That’s why we’ve invested in transforming it to make the Internet better &#8211; more secure, more available and easier to use for over 500 million users every day.  For network operators, we’ve created a suite of products that make it simpler to build and run networks – with far better visibility into what’s really happening and with far friendlier interfaces like our new mobile app.</p>
<p><strong>How would you like customers to describe Nominum?</strong></p>
<p>Our customers universally tell us we have the best DNS products in the world.  But to me, that’s only the first part of the answer.  By far, the more important part is for them to also say we are the best company they’ve ever done business with.  I’m confident our new management team will make that happen.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nominum.com/security/qa-session-with-new-ceo-gary-messiana/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

