[Dshield] Msft Research

Josh Tolley josh at raintreeinc.com
Thu Aug 18 15:46:10 GMT 2005

Jody J. Hietpas wrote:
> I've been wondering how long the HoneyMonkey would be effective for them.  When their list of monkeys becomes known, it will severely limit its effectiveness.  We have already had a discussion about mapping the DShield sensors by sending crafted packets around the net to see what ends up in the reports. ( http://www.usenix.org/events/sec05/tech/bethencourt/bethencourt_html/ )  I'm guessing that we are spread over a much wider and more diverse section of the Internet than what Microsoft could use to hide their Monkeys.  Isn't it just a matter of time before the nastier exploits (the ones they really need to find) are coded to evade the Monkeys?

There's a difference, though. Provided Microsoft at least tries to hide 
its sources (that is, not having every honeymonkey probe come from 
research.microsoft.com), they're pretty safe. Their results aren't 
public, and their techniques aren't public, so it would take a lot of 
inside knowledge to identify a client or a scan or a connection or 
whatever as coming from their honeymonkeys. With DShield, you simply 
look up the IP you're interested in and you can see time, source IP 
address, and port. Provided you keep decent records, scan enough of the 
internet, and spend some time correlating, you can theoretically map out 
all DShield's sensors. But unless Microsoft goes public with quite a lot 
of detail, it's going to be hard to map them.

Then again, if they've already stated that all their honeymonkeys come 
from research.microsoft.com or somewhere else and I just missed the 
memo, that all becomes moot.

Josh Tolley
Raintree Systems, Inc.
Office Phone: (801) 293-3090
Corporate Office: (800) 333-1033
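The correlation the thread keeps gesturing at (send probes you can recognise, then match the public DShield report rows of time, source IP and port back to your own probe records, which tells you which probed addresses are sensors) is small enough to show concretely. The following is an added example written for this archive page; it is not code from the thread, from DShield or from the Bethencourt paper. The probe log and the report rows are constructed inline, the probing host's address 203.0.113.7 is a TEST-NET-3 placeholder, and the ten-minute matching window is an assumption chosen for the example.

```python
"""Map sensors by correlating your own probe log with public report rows.

Added example for the DShield thread above; all data below is constructed.
Public reports expose (time, source IP, port) but not the sensor's address,
so a probe sent to target T on a port that only T was probed on, followed by
a report row with our source IP on that port, marks T as a reporting sensor.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

OUR_IP = "203.0.113.7"  # assumption: the host the probes were sent from


@dataclass(frozen=True)
class Probe:
    sent_at: datetime   # when we sent the packet
    target: str         # address we probed (candidate sensor)
    dst_port: int       # marker port, ideally unique per target


@dataclass(frozen=True)
class Report:
    seen_at: datetime   # time shown in the public report
    source_ip: str      # source address shown in the public report
    dst_port: int       # destination port shown in the public report


def correlate(probes, reports, our_ip=OUR_IP, window=timedelta(minutes=10)):
    """Return (confirmed, ambiguous): targets tied to a report row by a unique
    port within the window, and targets that share a marker port so the row
    cannot be attributed to one of them."""
    by_port = defaultdict(list)
    for p in probes:
        by_port[p.dst_port].append(p)
    confirmed, ambiguous = set(), set()
    for r in reports:
        if r.source_ip != our_ip:      # someone else's traffic, ignore
            continue
        hits = {p.target for p in by_port.get(r.dst_port, ())
                if abs(r.seen_at - p.sent_at) <= window}
        if len(hits) == 1:
            confirmed |= hits
        elif hits:                      # marker port reused: inconclusive
            ambiguous |= hits
    return confirmed, ambiguous - confirmed


def silent(probes, confirmed, ambiguous):
    """Probed targets that produced no attributable report row: either not a
    sensor, or a sensor that did not report within the window."""
    return {p.target for p in probes} - confirmed - ambiguous


def run_example():
    t0 = datetime(2005, 8, 18, 10, 0, 0)
    m = lambda minutes, seconds=0: t0 + timedelta(minutes=minutes, seconds=seconds)
    # Constructed probe log: one marker port per target, except 40004, which
    # is deliberately reused to show the ambiguous case.
    probes = [
        Probe(m(0), "192.0.2.10", 40001),
        Probe(m(1), "192.0.2.11", 40002),
        Probe(m(2), "192.0.2.12", 40003),
        Probe(m(3), "192.0.2.13", 40004),
        Probe(m(4), "192.0.2.14", 40004),
    ]
    # Constructed public report rows (time, source IP, port only).
    reports = [
        Report(m(0, 30), OUR_IP, 40001),          # ties to 192.0.2.10
        Report(m(2, 45), OUR_IP, 40003),          # ties to 192.0.2.12
        Report(m(4, 10), OUR_IP, 40004),          # .13 or .14, cannot tell
        Report(m(5, 0), "198.51.100.9", 40002),   # unrelated source, ignored
    ]
    confirmed, ambiguous = correlate(probes, reports)
    return confirmed, ambiguous, silent(probes, confirmed, ambiguous)


if __name__ == "__main__":
    confirmed, ambiguous, quiet = run_example()
    print("confirmed sensors:", sorted(confirmed))
    print("ambiguous (shared marker port):", sorted(ambiguous))
    print("no attributable report:", sorted(quiet))
```

The two things the code makes explicit that the prose leaves implicit: the marker has to be unique per target or the public row cannot be attributed (the reused port 40004 lands in the ambiguous set), and a silent target is only weak evidence, since the report pipeline has its own delay and a sensor may simply not have logged that probe. This is also why Josh's point stands: the correlation only works because the reports publish time, source and port for anyone to read.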
