A powerful system for secretly monitoring web and DNS traffic, called MORECOWBELL, allows the US National Security Agency to conduct intensive monitoring of sites of operational interest and even to build a complete picture of what is happening on the Internet. This is revealed in top-secret documents published by the Associated Whistleblowing Press.
The German technology news site heise.de published an analysis of the system by Christian Grothoff, Matthias Wachs, Monica Ermert, Jacob Appelbaum and Laura Poitras, the team involved in publishing the NSA's secret files leaked by Edward Snowden.
The NSA has deployed monitoring servers in several countries across the public Internet: Malaysia, Germany, Denmark and 13 others. It uses camouflaged, dedicated infrastructure that is legal and cannot be directly linked to the Agency. These are probably servers of friendly companies and/or directly hacked servers and client computers. Bulgaria is not mentioned as a country where such resources of the Agency are in use.
DNS is a basic protocol of the Internet that maps the names of websites to their IP addresses. Monitoring it provides key information about what is happening in the global network. The MORECOWBELL system is passive. It sets rules for surveillance, e.g. of a website, and then probes it every 10-15 minutes, but never less often than every 30 minutes, generating fake user traffic from random hosts that looks as if it comes from a browser. It checks whether the DNS queries still point to the same IP address, and if anything changes in DNS and/or the HTTP protocol, or both, an alarm is generated.
Map of the “battlefield”, or a global view of the Internet
Tracking DNS with great intensity enables the system to understand what is happening with friendly and unfriendly sites: whom they are trying to hack, or who is trying to hide by changing their location. It detects the changes that are used to uncover attacks on DNS (such as DNS flood, DNS poisoning and DNS smurf).
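The monitoring loop described above (periodic probes, compare the DNS answer and the HTTP response with a baseline, alarm on change) and the detection of DNS poisoning mentioned in this section can be illustrated with a small passive change monitor. The following code is an added example written for this page; it is not code from the leaked documents or from the heise.de analysis. All sites, IP addresses, vantage-point names and probe results are constructed sample data, and the probing itself is stubbed out so the block runs offline. The same logic is what a site operator would run to notice that their own domain has been hijacked or that a resolver on some path is handing out a different answer.

```python
"""Passive DNS/HTTP change monitor (added example, constructed data only).

Baseline per site: the pool of IPs seen so far (so round-robin DNS does not
alarm on its own) and the HTTP fingerprint of the last observation. Each new
DNS answer or HTTP change raises one alert and then becomes the new baseline.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Observation:
    site: str
    vantage: str        # label of the probing host (constructed)
    ts: int             # minutes since monitoring started
    ips: frozenset      # A records returned by the resolver at that vantage
    status: int         # HTTP status code of the fetched front page
    body: bytes         # HTTP response body


def http_fingerprint(status: int, body: bytes) -> str:
    """Status code plus a truncated body hash: enough to notice a defacement
    or a redirect elsewhere, too coarse for highly dynamic pages."""
    return f"{status}:{hashlib.sha256(body).hexdigest()[:16]}"


class ChangeMonitor:
    def __init__(self, interval_min: int = 15, max_gap_min: int = 30):
        self.interval_min = interval_min
        self.max_gap_min = max_gap_min
        self.ip_pool = {}       # site -> set of IPs accepted as legitimate
        self.last_fp = {}       # site -> HTTP fingerprint of last probe
        self.last_probe = {}    # site -> ts of last probe

    def due(self, site: str, now: int) -> bool:
        """True once the regular probe interval has elapsed."""
        last = self.last_probe.get(site, -self.interval_min)
        return now - last >= self.interval_min

    def overdue(self, site: str, now: int) -> bool:
        """True when the hard upper bound between probes has been exceeded."""
        return site in self.last_probe and now - self.last_probe[site] > self.max_gap_min

    def observe(self, obs: Observation) -> list:
        """Compare one probe result with the baseline; return alert strings."""
        alerts = []
        fp = http_fingerprint(obs.status, obs.body)
        if obs.site not in self.ip_pool:
            # First sighting: establish the baseline silently.
            self.ip_pool[obs.site] = set(obs.ips)
        else:
            new_ips = obs.ips - self.ip_pool[obs.site]
            if new_ips:
                alerts.append(f"DNS change for {obs.site} from {obs.vantage} "
                              f"at t={obs.ts}: new answer(s) {sorted(new_ips)}")
            if fp != self.last_fp[obs.site]:
                alerts.append(f"HTTP change for {obs.site} from {obs.vantage} "
                              f"at t={obs.ts}: {self.last_fp[obs.site]} -> {fp}")
            self.ip_pool[obs.site] |= obs.ips
        self.last_fp[obs.site] = fp
        self.last_probe[obs.site] = obs.ts
        return alerts

    @staticmethod
    def vantage_disagreement(observations) -> list:
        """Probes of one site sent from different vantages at the same time
        should see the same answer; if they disagree, some resolver on one
        path is handing out a different record, the signature of poisoning."""
        by_site = {}
        for o in observations:
            by_site.setdefault(o.site, {})[o.vantage] = o.ips
        return [f"{site}: vantages disagree: "
                f"{ {v: sorted(i) for v, i in sorted(ans.items())} }"
                for site, ans in by_site.items() if len(set(ans.values())) > 1]


# Constructed timeline for one monitored site (documentation IP ranges).
SAMPLE = [
    Observation("example.test", "vantage-a", 0,
                frozenset({"203.0.113.10", "203.0.113.11"}), 200, b"<html>front</html>"),
    Observation("example.test", "vantage-a", 15,
                frozenset({"203.0.113.11"}), 200, b"<html>front</html>"),   # round-robin subset
    Observation("example.test", "vantage-a", 30,
                frozenset({"198.51.100.7"}), 200, b"<html>front</html>"),   # DNS moved
    Observation("example.test", "vantage-a", 45,
                frozenset({"198.51.100.7"}), 302, b""),                     # HTTP changed
]

# Two vantages probing at the same minute but getting different answers.
POISON_SAMPLE = [
    Observation("example.test", "vantage-a", 60, frozenset({"198.51.100.7"}), 200, b"x"),
    Observation("example.test", "vantage-b", 60, frozenset({"192.0.2.99"}), 200, b"x"),
]


def run_demo(observations=SAMPLE) -> list:
    """Feed the timeline through the monitor and collect the alerts."""
    mon = ChangeMonitor()
    alerts = []
    for obs in observations:
        if mon.due(obs.site, obs.ts):
            alerts.extend(mon.observe(obs))
    return alerts


if __name__ == "__main__":
    for line in run_demo() + ChangeMonitor.vantage_disagreement(POISON_SAMPLE):
        print(line)
```

In a real deployment the `Observation` records would come from actual lookups and fetches issued from several vantage points; the comparison logic stays the same. Treating the observed IP set as a subset test against a pool is what keeps ordinary round-robin and CDN rotation from flooding the operator with false alarms, at the cost that a hijack which only removes records is not caught by the DNS check and must be picked up by the HTTP fingerprint instead.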
In this way the US Agency creates an almost complete picture of the “Internet battlefield”, since DNS is one of the most frequently attacked services.
The published information does not make clear whether the NSA keeps historical records, but if it does, it can build a tree of changes (as in the Internet Archive) showing who changed what in any site, and when.
According to experts consulted by Bivol, with appropriate scaling such a system can give a global overview of the state of the Internet, or “write the history of the Internet around the world.” The system sees who is doing what, where and with what dynamics, who is attacked and who is hacked, and how fast business is growing and where.