Making Net Names Safer

The Net's system for translating domain names into Internet addresses is easy to spoof, but a US$1.4 million security upgrade aims to change that. By Chris Oakes.

The US Department of Defense's Advanced Research Projects Agency has awarded a US$1.4 million contract for an overhaul of the Internet Domain Name System that will improve its security and make it less prone to the fakery known as "spoofing."

The contract, to be split between Network Associates (NETA) and the Internet Software Consortium (ISC), was announced Tuesday during the national conference of the Internet Engineering Task Force.

"At the moment, someone who logs onto Bank of America's online banking for the first time could easily be spoofed into talking to someone else's computer," said Paul Vixie, chairman and chief technology officer for the Internet Software Consortium, which provides the most popular software used to run domain servers.

"It's a bloody wonder that no exploits of this [weakness] have been publicized," Vixie said via email.

Many Web sites are not what they appear to be. The most famous case of spoofing occurred when domain-name activist Eugene Kashpureff caused his own site to replace that of Network Solutions, the company that manages InterNIC, the registry for the most popular top-level domains on the Net, including .com and .org.

The Domain Name System, or DNS, translates domain names into numerical addresses. The process of retrieving pages from a Web site is similar to looking up a name and number in a phone book. When users type a Web address such as www.ibm.com into their Web browser, the name is looked up in a database on the nearest domain-name server, which typically runs ISC's software, called BIND. The domain-name server locates the site's numerical address and delivers the requested page to the user's browser.

An intruder can exploit a vulnerability in the system by substituting another numerical site address, thereby routing traffic to a different site. If it's an effective spoof of the real site, visitors could be persuaded to surrender valuable information, such as credit card numbers or bank account data.

"Firewalls can trap some of these attacks, but having security built into the DNS will directly prevent many sources of Internet attacks," said Terry Benzel, director of TIS Labs, the research arm of Network Associates.

The organizations will work to add authentication and protection to a domain standard overseen by the engineering task force, which facilitates the development of evolving Internet standards. Known as the Domain Name System Security Extensions (DNSSEC), they will effectively ensure that Web sites are really what they claim to be.
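The three preceding passages describe the lookup, the substituted-address weakness, and the authentication the extensions add. The following toy model puts them side by side; it is an added example, not code from the article, ISC or BIND. It assumes a keyed HMAC as a stand-in for the public-key signature the real extensions use (the article names RSA and Cylink algorithms), and every key, name and address in it is constructed for the example.

```python
"""Toy model of DNS answer validation (constructed example, not ISC/BIND code).

Two resolvers look up the same name. The plain resolver, like the DNS the
article describes, trusts whichever matching answer arrives first. The
validating resolver, modelling the authentication the security extensions add,
accepts only an answer whose signature verifies under the zone's key.

Assumption: an HMAC over the canonical record stands in for the public-key
signature used in practice; the zone key, names and addresses are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical zone key, constructed for the example only
ZONE_KEY = b"constructed-zone-key-not-a-real-key"


@dataclass(frozen=True)
class Answer:
    """One name-to-address record as it might arrive at a resolver."""
    name: str
    address: str
    signature: Optional[bytes] = None  # None models an unsigned answer


def canonical(name: str, address: str) -> bytes:
    """Canonical form of the record, so case or a trailing dot cannot dodge the check."""
    return f"{name.lower().rstrip('.')}|{address}".encode()


def sign_record(name: str, address: str, key: bytes = ZONE_KEY) -> Answer:
    """The zone operator signs the record (stand-in for the zone's signing key)."""
    sig = hmac.new(key, canonical(name, address), hashlib.sha256).digest()
    return Answer(name, address, sig)


def verify(answer: Answer, key: bytes = ZONE_KEY) -> bool:
    """True only if the signature matches this exact name and address."""
    if answer.signature is None:
        return False
    expected = hmac.new(key, canonical(answer.name, answer.address), hashlib.sha256).digest()
    return hmac.compare_digest(expected, answer.signature)


def plain_resolve(name: str, answers: List[Answer]) -> Optional[str]:
    """Pre-extension behaviour: the first matching answer wins, unauthenticated."""
    for a in answers:
        if a.name == name:
            return a.address
    return None


def validating_resolve(name: str, answers: List[Answer]) -> Optional[str]:
    """With authentication: the first matching answer whose signature verifies."""
    for a in answers:
        if a.name == name and verify(a):
            return a.address
    return None


# Constructed traffic: the genuine signed record, an unsigned substitute, and a
# substitute that reuses the genuine signature with the address swapped.
GENUINE = sign_record("www.example.com", "192.0.2.10")
SUBSTITUTED = Answer("www.example.com", "198.51.100.77")
TAMPERED = Answer(GENUINE.name, "198.51.100.77", GENUINE.signature)


def demo() -> dict:
    """Both resolvers see the substituted answers before the genuine one."""
    arriving = [SUBSTITUTED, TAMPERED, GENUINE]
    return {
        "plain": plain_resolve("www.example.com", arriving),
        "validating": validating_resolve("www.example.com", arriving),
    }


if __name__ == "__main__":
    print(demo())
```

The plain resolver returns the substituted address because nothing ties an answer to the zone that is authoritative for it; the validating resolver discards both the unsigned answer and the one whose signature was computed over a different address, and returns the genuine record. The real extensions verify a public-key signature with a key published in the zone rather than a shared secret, which is what lets any resolver on the Net check the answer without holding the signer's key.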

Two other security vendors, RSA and Cylink, previously contributed patented security algorithms to add security to BIND.

Vixie said the RSA and Cylink contributions "were and are necessary components of the whole system." The new development project will constitute a massive upgrade to the entirety of the domain system software. It will be released in about a year, Vixie said.