Your Source for Leaks Around the World!

MORECOWBELL: NSA’s Covert DNS Monitoring System

In Archive, ICANN, Internet, NSA, NSA Files, Surveillance on February 15, 2015 at 7:01 PM



LeMonde (Rough Translation via Google) h/t Jacob Appelbaum/Laura Poitras:

One and a half after the beginning of the revelations of Edward Snowden was believed to know everything about the massive Internet surveillance by the US intelligence agency, the famous National Security Agency (NSA). Gold discoveries continue.

Le Monde and the German website Heise could see a new batch of confidential documents showing that the NSA tackles massive and systematic way DNS (Domain Name System), which manages the global names in directories.

On the Internet, almost everything begins with a request to a domain name. DNS servers, “switching stations” indispensable, receive connection requests as addresses formulated in language understandable by a human (eg “”), then they find the Internet (IP) number corresponding machine-readable (195,154,120,129).

ISPs and large organizations have their own internal DNS servers, but to ensure that the names are valid, they must remain in constant contact with the great “root servers” at the top of the pyramid, which centralize directories to the world. There are now thirteen root server groups. They are managed by twelve organizations, including nine Americans (the Department of Defense, NASA, private companies, universities …).

Furthermore, the allocation and sale of domain names are overseen by the Internet Corporation for Assigned Names and Numbers (ICANN), an association established in California and is under the supervision of the US Department of Commerce.

IP numbers “in figures”, corresponding to the ‘in words’ addresses are managed by the Internet Assigned Numbers Authority (IANA), an organization linked to ICANN and works in conjunction with the federal agency NTIA (National Telecom and Information Administration). Note that the NSA officially working with NTIA, on cryptography.

The Government of the United States announced that it wanted to reduce its role in ICANN before the end of 2015, but the terms of the transfer of power to be defined.

Finally, for organizations that do not want or can not afford their own internal DNS server, there is free Internet intermediaries servers and open access.

Again, the main belong to US companies like Google, thereby collecting information on origin and destination of the masses of Internet connections worldwide. Systematic monitoring of the DNS, open system, so do not pose a complex theoretical problems, but it requires human and material resources.

To this already very American landscape, add the NSA. The documents found by the German website Heise and Le Monde describe a comprehensive program specifically devoted to spying the domain name system, called “MORECOWBELL”.

Originally, “More Cow Bells” is the title of a musical sketch from 2000, released by the weekly satirical show “Saturday Night Live” aired on US television network NBC. Thereafter, the sketch became worship, especially on the Web. By choosing this name, NSA officials may have wanted to show that they had of humor, and they appreciated the young and trendy pop culture.

MORECOWBELL has several functions.
It is primarily a tool for “passive surveillance”. In this context, it is used to map the internal networks of large companies, administrations and other organizations.

To spy on the DNS servers, the NSA sends continuous bursts of connection requests. It uses an advanced tool called “PACKAGEDGOODS“, an international network of clandestine computers that apparently have no connection with the US government. Machines designed specifically large DNS servers are installed, including Malaysia, Germany and Denmark. In total, they interrogate several thousand times per hour, 24 hours 24. The results are sent to the headquarters of the NSA every fifteen to thirty minutes.

Connection requests are made with fictitious addresses plausible. These are made of keywords lists frequently appearing in the internal use addresses of Web servers and email, databases, etc. – Usually barbarous names, impossible to guess right, and are not published anywhere.

Thus, step by step, MORECOWBELL manages to reconstruct a fairly comprehensive directory of valid addresses a corporate network or administration. Then, for each address, it will look for the corresponding IP number. Some servers also facilitate unintentionally the task of the NSA. When they receive a request for an address that does not exist, they return an error message with two suggestions – the two closest valid addresses, in alphabetical order … The constitution of the “Directory” becomes rather easy . Contacted by Heise, NSA replied that it was “not comment on specific activities alleged in intelligence abroad”.

Furthermore, the documents revealed by Edward Snowden in 2013 showed that the NSA intercepts direct Internet traffic flowing on some international cables, and secretly involved in the communication nodes management in the private sector. In the flood of trivial DNS queries to a business ( MORECOWBELL will be able to identify those that seem most intriguing (eg “”) and store to the exploit later.

According to the new documents consulted by Le Monde, MORECOWBELL used primarily to monitor in near real time “websites of foreign governments, terrorists and extremist forums, malware download sites …”

Monitoring is even US sites “in the context of a request for assistance from the Department of Homeland Security.” The aim is to defend against attack from abroad. More generally, the NSA is thus in possession of a mass “metadata” techniques on the overall Internet traffic, it can interbreed with other types of metadata collected by its other monitoring programs: who communicates with whom, when, how often, etc.

MORECOWBELL also used to prepare Offensive NSA to penetrate or disrupt a server or a foreign network. For example, it will detect a service created by a company for the exclusive use of its employees, but that is actually accessible from the outside because it was poorly configured: for an experienced hacker, equipped with attack software, the service becomes a gateway to the entire corporate network, which can be hacked in various ways.

Finally, when an attack is triggered, querying DNS servers will be used to evaluate its effectiveness in real time. With MORECOWBELL, NSA know whether the contested services continue to run or if it has been cut. If it has been moved to another server as a protective measure, it will spot it again, which will resume the attack.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: