Slashdot Mirror
The Reverse Challenge: Winners Announced
asqui writes: "The Reverse Challenge was a contest from The Honeynet Project to essentially reverse engineer a binary captured in the wild running on a compromised honeypot. The contest ran during May of this year and the submissions have been judged and the winners announced. Dion Mendel took first place with 43.4 points out of a possible 50. The binary turned out to be a tool for performing remote DoS attacks from compromised hosts, with its instructions being cunningly supplied via the lesser known IP protocol 11. This binary is currently being used in the wild but there is little reported activity, probably because sysadmins are focused on the other more dominant protocols."
You have just caused an evil-grin to appear on the faces of many trojan writers. They now have another 'cunning' trick to add to their arsenal.
Quickly!!! Arrest the winners!!! They have obviously violated the DMCA!!!
Don't anthropomorphize computers, they don't like it.
...for saving the honeypot, your own poohbear doll
Jesus saves souls and redeems them for valuable cash prizes
This really is fascinating stuff. Note that most of the entrants used the disassembler known as IDA, available here. There was also much discussion of this contest recently on various security-related mailing lists.
Hopefully they will be doing a similar contest again next year. In the meantime, I guess we'll just have the Scan of the Month to analyse.
I don't understand. What is IP protocol 11?
A samrt Sysadmin knows to check slashdot.org once per day to see what irreposnible hints you are giving to script kiddies..
Of course without these slashdot.org posts I would be out of a job..so I guess hey bring on more slashdot.org posts!
Don't Tread on OpenSource
How can we tell if some of the contestants were not the same group of persons using that binary?
:)
:)
If this was the case then reverse engineering it might be pretty straight forward.
Just wonder, not accusation made.
*checks /etc/protocols* What the hell is protocol 11?
Do routers even route protocol 11? Would it make it to its DoS destination? Interesting. Per usual slashdot behaviour, I haven't read the articles yet, but I hope they discuss this a little more.
Hmm.......
!skcor todhsalS !tsetnoC esreveR eht si ti esuaceb esrever ni tnemmoc a gnivael ma I
Actually, the winner cheated. They used a 2. Oh man, i kill myself.
The results link posted above (http://project.honeynet.org/reverse/results/) is wonderfully tortured HTML ... with
the pleasing side-effect of triggering
a mouseover color change for over half
the text in the opening paragraph when
rendered with Mozilla.
Hey, I found it interesting...
What does protocol do? Would it be harmful if I block it off?
How may I do that with ipchains and iptables?
In response to the people criticizing the information about the protocol used...
Now someone can't even mention general characteristics of a hack without being criticized for giving information to "script kiddies" or "trojan writers"?
We know that security through obscurity is a poor excuse. I'd rather have this stuff out in the open so I and others can deal with it, than have it known only to a few...
Pooh has got his head stuck in the honeypot!
I have been pwned because my
look at it here.
My life in the land of the rising sun.
What is the use of protocol 11?
Would it be harmful if I just block it off?
How may I do the blocking with ipchains and iptables?
Thanks
This is great. From the source: /*
* dns queries:
* SOA queries for
* com
* net
* de malformed packet
* edu
* org
* usc.edu
All of these dumbass machines (mostly in Australia) kept hitting my primaries with questions for those! I couldn't figure it out, and no amount of searching on Usenet turned up any help. Now at least I know it's due to some idiot worm drilling me.
Now I get to convert my IP addresses to hex and see what else is up there in that table. Blah.
Feb 22 09:16:46 dns1 named[58]: denied query from [203.134.113.201].4763 for "usc.edu" IN
Did anyone else see this?
http://www.ietf.org/rfc/rfc741.txt
The important design objectives of the Network Voice Protocol (NVP) are:
- Recovery of loss of any message without catastrophic effects. Therefore all answers have to be unambiguous, in the sense that it must be clear to which inquiry a reply refers.
- Design such that no system can tie up the resources of another system unnecessarily.
- Avoidance of end-to-end retransmission.
- Separation of control signals from data traffic.
- Separation of vocoding-dependent parts from vocoding-independent parts.
- Adaptation to the dynamic network performance.
- Optimal performance, i.e. guaranteed required bandwidth, and minimized maximum delay.
- Independence from lower level protocols.
From the bonus questions:
Summary
The program was written in 2000, being inspired by the media attention of the trinoo and TFN DDOS tools. The programmer is most likely young with limited personal resources. The programmer has a low skill level and resorts to the "cut and paste" style of programming. The programmer possibly resides in Europe and socialises with other blackhat style programmers. The programmer is male, overweight and has no social life other than his computer. He wears glasses and was bullied throughout school. He uses computers as a way of getting back at the world which has maligned him. You decide where reality steps aside and Hollywood takes over.
"This protocol goes to eleven."
"And like that
I've been reading this site for the last few years. In the last few days, I realized that I only read it out of habit, and I've been frantically trying to find any reason to continue reading. I want some reason to justify my behaviour all this time -- something to prove that I haven't been wasting my time. I've found no reason. It seems to me that all the technically capable people have long ago left or stopped posting, and all that remain are a bunch of dumb-ass losers with no real skills or insight.
The stories where never the reason to read this site -- CmdrTaco and the rest are not stupid, but they are pretty damned smug, not nearly as smart as they think they are, and simply don't have anything very interesting to say. Their stories were interesting only as long as they were able to generate interesting replies. They no longer do. I don't know if SlashDot has simply imploded on its own popularity, or if abuses of the Moderation system have driven off the sensible posters, or if my own standards have changed. But I do know I'm no longer interested in reading anything on this site.
See you all on the dark side.
What a fabulous troll your post was.... or how fabulously stupid you are. It's impossible to tell.
Well, what I've pulled from websites and the RFC:
/etc/protocols . The protocol specification is in the header of the 20 byte beginning part of the IPv4 datagram. It's a 8 bit field.
1:It's a protocol. In IP speak, It's under the same secion that TCP(6), UDP(17), ICMP(1), and others fit under. On unix boxen, it can be found in
2: It was created specifically for voice transfers, along with "telephone emulation" (just the way you interface with the tele). I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones(that use IP networks) use this protocol to transfer voice data.
Some were asking how this could flood your system.... Well, what's the difference TCP and UDP? Or how about ping floods??? Well, it's all data being sent to you. Doesnt matter what 8 bit field is switched... It's still garbage data (if you didnt request it). It fills up your receving connection.
Hopefully I've explained what this is. I'll probably be modded redundant as somebody probably wrote a better "explanation" while I wrote mine. Oh well.
While trolling takes on many forms, many of them merely being nuisances (crapflooding, goat links, page widening, etc) you'll find the vast majority of trolling occurring in posts similar to posts such as your original. On Slashdot, well-thought out and reasoned posts have become indistinguishable from trolls. This is made all the more obvious by the dimness of the moderators who would mod you down -1 in a heartbeat if not for the length of your post (as if that were the measure of an argument).
I too am a troll, much along the lines as you (though perhaps you don't realize yourself as such yet). I used to post, IMO, well argued posts and was consistently modded down by the Slashdot groupthink moderators. This is not to say that I didn't eventually hit the karma cap, but that along the way it was painfully obvious that my pro-Windows, anti-GPL opinion was not tolerated here.
Upon the realization of that I had my epiphany that pearls are not to be given to swine (this seems to be the same satori experience you are having now). Pigs deserve slop, and now that is all they get from me.
In any case, I'm not one of the nuisance trolls as I listed above, but one of the provocative trolls such as yourself (please do not take offense, this is not an insult as it may first appear). The Slashdot feeding frenzy that follows any post that attempts to support Microsoft or attack Linux or posit Creationism is a wondrous thing to watch, much like a thunderstorm or a supernova. The one difference is that you, the troll, have total control over the experience, much like a god who views his masterpiece from another dimension.
This is not to say that Slashdot is void of intellectual content. On the contrary, you'll find quite a bit of interesting information in the Science and Developer sections. You will find *no* intellectual content in the YRO section.
It's a travesty that a good idea like Slashdot, allowing users to create their own content, has succumbed to the mindless pursuit of mental masturbation of FSF zealots.
So while this may be the end of your Slashdot infancy, I think you will find your maturation into a Slashdot provocateur quite fulfilling and fun. Isn't that why you joined the technology revolution in the first place?
Oh The Irony Of It All
/. effect..... Do I win?
tool for performing remote DoS attacks
So here's my question... since everybody is calling this protocol NVP..
Most machines are not configured to handle NVP. Windows, I don't even know if it has such support. So why did the writer choose NVP? Who is listening to it?
Or is it more correct to say that the writer simply happened to tag his IP packets with #11 as the protocol, which just HAPPENS to be NVP? His implementation may really have nothing to do with NVP except that it uses the same protocol #.
Of course, the source has been DoSed (or slashdotted, however you want to put it) so I can't really look at it.
I participated in the contest, and to answer a few questions:
1) Protocol 11 is used in this tool simply as a messaging protocol. No attempt was made by the author to adhere to the published NVP RFC. The author simply sticks 11 in the protocol field of the IP header. Think of each packet as a UDP packet, no handshake, etc...
2) Protocol 11 is not used to perform any of the DoS attacks. The attacks are fairly standard DoS attacks like TCP SYN, and ICMP echo floods.
3) Protocol 11 get through many firewalls because sysadmins only set up rules to block unwanted TCP, UDP, and ICMP packets.
4) Single incoming protocol 11 packets are used to trigger compromised hosts to perform selected DoS attacks
I hope that helps
Chris
There have been two responses to this post so far, not counting this one. Let's look at the moderations.
First we have this one which is entitled "On Trolls". It seems to be a nicely worded treatise on the personal conversion of the author from productive member of Slashdot society to trolldom. There is no flaming, no swearing, nothing at all that one would normally consider offensive. It is marked down to -1 Offtopic.
Next, let's look at the second response to the original post. It is filled with flames and vulgar language. It is neither well thought out nor well worded. It is crass and pedestrian. Yet it has yet to be moderated.
It is difficult to extrapolate solid conclusions from this data, but the analysis at face value shows that random flaming and swearing is more valuable than well considered arguments. More data is needed on this topic, but the preliminary findings clearly point towards the aforementioned hypothesis as true.
I start out with ...
echo " Deny and Reject Everything"
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
Will the above block out all protocols or do I have to DENY them one at a time.
I spent a little time reading the solutions of the winner, and of the #9 guy who won the $200 gift certificate for the most concise answer. I clicked on the "cost estimate" link for the winner.
I thought it would be one of those vaporous confabulations of how many BILLIONS of dollars' worth of corporate man hours would be lost to this exploit. Surprise! It's an estimate of what he would charge you to do this, if you were paying him ~$70k a year. If you don't want to click, it was about $3500 for the winner, and about $850 for the 9th place guy.
Then I started clicking a couple at random, and I noticed that the various cost analyses of various teams seem to cluster between $2500 and $4000 or so.
The Italian team are the clear outliers, claiming that they would bill over $10,000 JUST for the RE team and the analysis write-up. They included a full day's billing to cover "meeting, discussion, and coffee time."
the conclusions? a) one dutch kid can do the work of 8 Italian professionals in about 1/40th the time, and b) i need to get a job in Italy.
Humpty Dumpty was pushed.
Other than to be obscure, there's no good reason to use an unused IP protocol number rather than an unused UDP protocol number. This attack could equally well have used an UDP port.
It's worth checking servers to see if there's anything configured to listen to obsolete protocol numbers and unused UDP ports. Many UNIX servers still have a vast number of obsolete Berkeley daemons running. Some, like "biff", have known vulnerabilities. And it's worth checking for traffic on obsolete protocol numbers to see if some spyware is using them.
For the DNS attack, SOA queries for the following domains are made
com
net
edu
org
de Germany
usc.edu University of Southern California
es Spain
gr Greece
ie Ireland
Why the contrast between country codes for countries in Europe, and an US university? A theory on this is that the programmer resides in Europe, hence the familiarity with the European country codes, and has friends studying at usc.edu.
Having just graduated from USC.... I am more inclined to think that coder is(was) a student here, or at a big rival school (such as UCLA). I would be more likely then that the country codes were the first ones that came to his head, or that they were the countries that his friends (or enemies) originate from. (USC and UCLA both have unordinately large populations of foreign students compared to other US universities)
I'm out of my mind right now, but feel free to leave a message.....
It is amazing how confidently people spout wrong information, analogies and all. I wish there were a (-1, wrong) moderation available.
IP has no concept of port numbers - it is a network layer protocol and its job is to deliver packets from one IP address to another. It acts as a "carrier" for other protocols like TCP, UDP, or in this case NVP. To identify this super-protocol, the IP packet has a field for the protocol number. TCP = 6, UDP = 17, NVP = 11. So if an incoming packet says protocol #6, it is passed up to the TCP handler; if it says 17, it is passed to UDP.
Now the TCP/UDP/whatever protocol is free to use whatever means it finds fit to identify the actual process that is the destination of the packet - this is what port numbers are used for. So IP delivers the packet to a certain host, and then the next-level protocol looks at the port number in that packet to figure out which process it should be fed to.
It should be clear now that port numbers have nothing to do with protocol numbers.
I've downloaded the binary and immediatly after decompressing (I could not even decompress) was notified has a virus!
So, all the firewall stuff we've been reading, all the recommendations can be avoidable if a good anti-virus is acting on the system.
Bonus question: explain why this attack had so many valid originating IP addresses.
karma capped
with its instructions being cunningly supplied via the lesser known IP protocol 11.
Instructions being "hey, dos this". It doesn't use nvp to flood the target, just to get it's orders from its master kiddie.
Will all the cloobies please log off now. Thank you.
I just wasted your mod points! HA!
The summary said "IP protocol 11", which I for one interpeted as IPv11 (and was very confused by that as you probably can imagine). The thing is, ICMP, TCP, UDP and "Protocol 11" are *not* IP-protocols, they are transport protocols that run ontop of IP. IPv4 and IPv6 are the obvious examples of IP-protocols.
We all know that reverse engineering without the permission of the copyright holder is a violation of the DMCA, and doing so "willfully and for purposes of commercial advantage or private financial gain," such as to win a contest like this one is a criminal offense. Since it's a criminal offense, the victim (the copyright holder) doesn't even have to step up and admit that s/he's the copyright holder.
Sounds like a good test case.
Introduction Every day, incident handlers across the globe are faced with compromised systems, running some set of unknown programs, providing some kind of unintended service to an intruder who has taken control of someone else's -- YOUR, or your client's, or customer's -- computers. To most, the response is a matter of "get it back online ASAP and be done with it." This usually leads to an inadequate and ineffective response, not even knowing what hit you, with a high probability of repeated compromise. On the law enforcement side, they are hampered by a flood of incidents and a lack of good data. A victim trying to keep a system running or doing a "quickie" job of cleanup usually means incidents are underreported and inadequate handling of the evidence leads to no evidence, or tainted evidence. There has to be a better way to meet the needs of incident handlers and system administrators, as well as law enforcement, if Internet crime is going to be managed and not run amok. One possible answer is effective analysis skills -- widespread knowledge of tools and techniques -- to preserve data, analyze it, and produce meaningful reports to your organization's management, to other incident response teams and system administrators, and to law enforcement. Enter the Honeynet Project. One of the primary goals of the Honeynet Project is to find order in chaos by letting the attackers do their thing, and allowing the defenders to learn from the experience and improve. The latest challenge is the Reverse Challenge. Just like the Forensic Challenge, we're opening it up to anyone who wants to join in.
Thanks.
(And I also wish there was a "-1, wrong" moderation so that my post could find its way into the bowels of negativeness more quickly).
If you look at the story the guy calls it protocol 11 but then he tells you to grep netstat output for anything using port 11.
That's mighty gay i say.
This is just a trojan binding port 11, not "protocol 11"..
Talk about getting it twisted, heh.
This is why people with half a brain write firewall rules that block everything and then open the port you need to have open...
This tool was already using it, so we already have to upgrade our detection tools (where necessary) to deal with odd protocol numbers. If many other trojan writers start using the same trick, then it will just make them that much easier to detect.
that was one of the best trolls for a while. or so i thought: then you go post apologies and stuff. where is the world going to? sigh.
he write the tool (something most people here couldn't do), and then rooted the you'd-think-at-least-it-would-be-secure honeynet server..
A samrt Sysadmin knows to check slashdot.org once per day to see what irreposnible hints you are giving to script kiddies..
:)
From The Art Of War by Sun Tzu:
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not
on the chance of his not attacking, but rather on the fact that we have
made our position unassailable."
So a sysadmin relying on the attackers inability is if fact the irresponible one! neener neener
FRA: STFU GTFO
i went to school with this guy :)
:) overall a great guy - met him in march this year back in perth (australia). nice to see someone finally recognises some of his talent.
one hell of a smart guy; although strange at times (not at all bad). married to tiki swain - also another "unfound" talent. many would not see him as a "computer nerd" *g* - he is short, thin, hates working, hates wearing shoes - and, likes to live in the "wild". mcdonalds, coke, all other commercial stuff just isn't his cue - he prefers finding food in the wild
kudo's dion!
Routers absolutely route it. IT's still IP. It's not something strange or wonderful; it's just an IP packet with the protocol ID field set to '11'.
/etc/protocols on your favorite unix system, or just google for ip protocol IDs to see.
Have a look at
It's just something you don't usually hear about because we tend to only use TCP, UDP, and ICMP, and maybe GRE. (protocols 6, 17,1,and 47, respectively).
You can generate IP packets of whatever protocol ID you want and routers SHOULD route them.
Now that this binary has been well publicized and the source code released, we will see many spinoffs and improvements of this protocol 11 DoS tool...kinda backfires in a way doesn't it? Sure the tool was poorly programmed but it does have some nifty features, especially the widely undetected communications protocol.
Why? Why get rid of Lindows?
The way I see it, publicizing this tool will have the opposite effect. Firewall admins all over will be smacking themselves on the forehead, saying "Protocol 11? We only need TCP, UDP and ICMP. Better block everything else."
Because it is so easily blocked, this will neutralize an entire class of attacks (ie. ones that use anything but TCP, UDP and ICMP). I suspect that, since it is now well-publicized, we will see this show up in security seminars, documents, HOW-TOs, etc: 'Be sure to block any protocols that your company isn't using because tools have been discovered in the wild that use protocols other than TCP, UDP and ICMP'.
If this doesn't convice people that security flaws are better exposed than hidden, I don't know what will. This tools was written two years ago. Where else is it, or it's derivitives, being used?
People have been doing that since firewalls where invented...it's called a defualt deny policy...pretty standard stuff...
Then again maybe you're just a troll...
But this is slashdot so you probably just have no clue...