On 1/24/2015 7:58 AM, Stephane Bortzmeyer wrote:

> On Sat, Jan 24, 2015 at 07:29:27AM -0800, Paul Ferguson
> <fergdawgs...@mykolab.com> wrote a message of 47 lines which said:
>
>> I have not found & delved into the MCB documents in depth, but
>> from the cursory description, this sounds like nothing more than
>> Passive DNS monitoring,
>
> No, MoreCowBell has two parts, passive monitoring *and* active
> search by dictionary attacks through open resolvers (to hide the
> true source)
> <http://s1.lemde.fr/mmpub/edt/zip/20150123/194433/assets/images/nsa/3-534x401.jpg>,
> last two bullets.

The last two bullets of that slide say:

* (S//REL) Performs DNS lookups and HTTP requests against targets on regular intervals
* (S//REL) Used to track changes to DNS resolution as well as up/down status of websites

Again, I have not read any additional documents in detail (please feel free to provide a pointer [English language, please?]), but the first bullet indicates nothing more than DNS queries and HTTP requests, perhaps to track HTTP header status, referrers, user agents (UA), etc. The second bullet indicates "usual" pDNS behavior ("Used to track changes to DNS resolution...") and up/down status of websites.

Please provide a pointer to where dictionary attacks are being used, and for what purposes. If they are indeed doing that, then I would agree that this activity must be seen as adversarial in nature, like any other attacker.

>> pDNS does nothing more than track historical resolution data
>> between recursive and authoritative DNS servers, and in fact does
>> *not* track queries made between stub/end-systems and recursive
>> resolvers, so there is no tracking of *who* made any specific DNS
>> query.
>
> Known passive DNS systems like DNSDB or PassiveDNS.cn do not keep
> track of the source IP address (or of the query), for privacy (and
> costs) reasons but nothing says that MoreCowBell is so
> well-behaved.

I am *very* familiar with pDNS, thanks. :-)

- ferg

-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
"I am tormented with an everlasting itch for things remote. I love to sail forbidden seas." - Herman Melville

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
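As an added example (not code from this thread, nor from DNSDB or PassiveDNS.cn), a minimal passive-DNS aggregator in Python over a constructed capture from the resolver-to-authoritative path: it keys records by (rrname, rrtype, rdata) with first_seen/last_seen/count, and drops the capture's source address at ingest. That makes concrete both the "tracks what resolved to what, not who asked" property described in the thread and the point that this property is a design choice of the collector, not something the technique guarantees.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    """One (rrname, rrtype, rdata) tuple and the window in which it was seen."""
    first_seen: int
    last_seen: int
    count: int

# Constructed sample capture (not real data) from the resolver -> authoritative
# path. "src" is the recursive resolver that asked, never a stub/end system, and
# aggregate() discards even that field: the store answers "what resolved to what,
# and when", never "who asked".
CAPTURE = [
    {"ts": 1422000000, "src": "198.51.100.5", "rrname": "www.example.com.", "rrtype": "A", "rdata": "192.0.2.10"},
    {"ts": 1422003600, "src": "198.51.100.5", "rrname": "WWW.example.com.", "rrtype": "A", "rdata": "192.0.2.10"},
    {"ts": 1422007200, "src": "198.51.100.9", "rrname": "www.example.com.", "rrtype": "A", "rdata": "192.0.2.20"},
    {"ts": 1422010800, "src": "198.51.100.5", "rrname": "example.com.", "rrtype": "MX", "rdata": "10 mx.example.com."},
]

def normalize(rrname):
    """Case-fold and make the name fully qualified so spelling variants collapse."""
    return rrname.lower().rstrip(".") + "."

def aggregate(capture):
    """Fold raw observations into pDNS tuples keyed by (rrname, rrtype, rdata)."""
    db = {}
    for rec in capture:
        key = (normalize(rec["rrname"]), rec["rrtype"].upper(), rec["rdata"])
        ts = rec["ts"]
        obs = db.get(key)
        if obs is None:
            db[key] = Observation(first_seen=ts, last_seen=ts, count=1)
        else:
            obs.first_seen = min(obs.first_seen, ts)
            obs.last_seen = max(obs.last_seen, ts)
            obs.count += 1
    return db

def history(db, rrname, rrtype):
    """Resolution history for one name/type, oldest first: the 'track changes
    to DNS resolution' view. Each row is (first_seen, last_seen, count, rdata)."""
    name, rtype = normalize(rrname), rrtype.upper()
    return sorted((o.first_seen, o.last_seen, o.count, d)
                  for (n, t, d), o in db.items() if n == name and t == rtype)

def names_for_rdata(db, rdata):
    """Reverse view: every name ever observed resolving to this rdata."""
    return sorted({n for (n, _t, d) in db if d == rdata})
```

Asking the aggregate for the resolver address 198.51.100.5 returns nothing, because that field never reached the store; a collector that chose to keep it would answer differently with the same technique.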