The Reverse Challenge: Winners Announced
asqui writes: "The Reverse Challenge was a contest from The Honeynet Project to essentially reverse engineer a binary captured in the wild running on a compromised honeypot. The contest ran during May of this year and the submissions have been judged and the winners announced. Dion Mendel took first place with 43.4 points out of a possible 50. The binary turned out to be a tool for performing remote DoS attacks from compromised hosts, with its instructions being cunningly supplied via the lesser known IP protocol 11. This binary is currently being used in the wild but there is little reported activity, probably because sysadmins are focused on the other more dominant protocols."
How can we tell if some of the contestants were not the same group of persons using that binary?
:)
:)
If this was the case then reverse engineering it might be pretty straightforward.
Just wondering, no accusation made.
*checks /etc/protocols* What the hell is protocol 11?
Do routers even route protocol 11? Would it make it to its DoS destination? Interesting. Per usual slashdot behaviour, I haven't read the articles yet, but I hope they discuss this a little more.
Hmm.......
There have been two responses to this post so far, not counting this one. Let's look at the moderations.
First we have this one which is entitled "On Trolls". It seems to be a nicely worded treatise on the personal conversion of the author from productive member of Slashdot society to trolldom. There is no flaming, no swearing, nothing at all that one would normally consider offensive. It is marked down to -1 Offtopic.
Next, let's look at the second response to the original post. It is filled with flames and vulgar language. It is neither well thought out nor well worded. It is crass and pedestrian. Yet it has yet to be moderated.
It is difficult to extrapolate solid conclusions from this data, but the analysis at face value shows that random flaming and swearing is more valuable than well considered arguments. More data is needed on this topic, but the preliminary findings clearly point towards the aforementioned hypothesis as true.
3) Protocol 11 gets through many firewalls because sysadmins only set up rules to block unwanted TCP, UDP, and ICMP packets.
Sad but true. The lesson here is, set up firewalls with default deny rules, and only accept the packets you want.
Other than to be obscure, there's no good reason to use an unused IP protocol number rather than an unused UDP protocol number. This attack could equally well have used a UDP port.
It's worth checking servers to see if there's anything configured to listen to obsolete protocol numbers and unused UDP ports. Many UNIX servers still have a vast number of obsolete Berkeley daemons running. Some, like "biff", have known vulnerabilities. And it's worth checking for traffic on obsolete protocol numbers to see if some spyware is using them.
This is why people with half a brain write firewall rules that block everything and then open the port you need to have open...
This tool was already using it, so we already have to upgrade our detection tools (where necessary) to deal with odd protocol numbers. If many other trojan writers start using the same trick, then it will just make them that much easier to detect.
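The point made in the comments above (a ruleset that only thinks in terms of TCP, UDP and ICMP never looks at protocol 11, and detection tooling has to cope with odd protocol numbers) as an added example that is not code from the thread or from the Honeynet Project: a small Python detector that parses raw IPv4 headers and flags any protocol number outside the TCP/UDP/ICMP baseline. The sample packets are constructed here, not captured traffic.

```python
import socket
import struct
from typing import Dict, List

# IP protocol numbers a typical TCP/UDP/ICMP-only ruleset actually inspects.
BASELINE_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

HEADER_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4_header(proto: int, src: str, dst: str, payload_len: int = 0) -> bytes:
    """Build a minimal IPv4 header for constructed test traffic (checksum left zero)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack(HEADER_FMT, ver_ihl, 0, 20 + payload_len, 0x1234, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4_header(pkt: bytes) -> Dict[str, object]:
    """Extract the fields a protocol-number detector needs from a raw IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(HEADER_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {"proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ihl": (ver_ihl & 0x0F) * 4, "total_len": total_len, "ttl": ttl}


def flag_unusual_protocols(packets: List[bytes], baseline=BASELINE_PROTOCOLS) -> List[Dict[str, object]]:
    """Return headers whose protocol number is outside the baseline, i.e. traffic
    that TCP/UDP/ICMP-only rules would never match and so silently pass."""
    return [hdr for hdr in map(parse_ipv4_header, packets) if hdr["proto"] not in baseline]


# Constructed sample traffic: ordinary TCP, UDP and ICMP datagrams plus one
# carrying IP protocol 11 (listed as NVP-II in /etc/protocols).
SAMPLE_PACKETS = [
    build_ipv4_header(6, "192.0.2.10", "198.51.100.5", 40),
    build_ipv4_header(17, "192.0.2.11", "198.51.100.53", 12),
    build_ipv4_header(1, "192.0.2.12", "198.51.100.5", 8),
    build_ipv4_header(11, "203.0.113.7", "198.51.100.5", 16),
]

if __name__ == "__main__":
    for hit in flag_unusual_protocols(SAMPLE_PACKETS):
        print(f"unexpected IP protocol {hit['proto']} from {hit['src']} to {hit['dst']}")
```

The same check, with the baseline widened to whatever protocols a site legitimately uses (GRE, ESP, OSPF and so on), is what a default-deny ruleset enforces at the firewall and what a sensor should alert on behind it.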
A smart sysadmin knows to check slashdot.org once per day to see what irresponsible hints you are giving to script kiddies...
:)
From The Art of War by Sun Tzu:
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."
So a sysadmin relying on the attacker's inability is in fact the irresponsible one! neener neener
FRA: STFU GTFO