[Dshield] Msft Research
josh at raintreeinc.com
Thu Aug 18 15:46:10 GMT 2005
Jody J. Hietpas wrote:
> I've been wondering how long the HoneyMonkey would be effective for them. When their list of monkeys becomes known, it will severely limit its effectiveness. We have already had a discussion about mapping the DShield sensors by sending crafted packets around the net to see what ends up in the reports. ( http://www.usenix.org/events/sec05/tech/bethencourt/bethencourt_html/ ) I'm guessing that we are spread over a much wider and more diverse section of the Internet than what Microsoft could use to hide their Monkeys. Isn't it just a matter of time before the nastier exploits (the ones they really need to find) are coded to evade the Monkeys?
There's a difference, though. Provided Microsoft at least tries to hide
its sources (that is, not having every honeymonkey probe come from
research.microsoft.com), they're pretty safe. Their results aren't
public, and their techniques aren't public, so it would take a lot of
inside knowledge to identify a client or a scan or a connection or
whatever as coming from their honeymonkeys. With DShield, you simply
look up the IP you're interested in and you can see time, source IP
address, and port. Provided you keep decent records, scan enough of the
internet, and spend some time correlating, you can theoretically map out
all DShield's sensors. But unless Microsoft goes public with quite a lot
of detail, it's going to be hard to map them.
Then again, if they've already stated that all their honeymonkeys come
from research.microsoft.com or somewhere else and I just missed the
memo, that all becomes moot.
Raintree Systems, Inc.
Office Phone: (801) 293-3090
Corporate Office: (800) 333-1033