The Reverse Challenge: Winners Announced
asqui writes: "The Reverse Challenge was a contest from The Honeynet Project to essentially reverse engineer a binary captured in the wild running on a compromised honeypot. The contest ran during May of this year and the submissions have been judged and the winners announced. Dion Mendel took first place with 43.4 points out of a possible 50. The binary turned out to be a tool for performing remote DoS attacks from compromised hosts, with its instructions being cunningly supplied via the lesser known IP protocol 11. This binary is currently being used in the wild but there is little reported activity, probably because sysadmins are focused on the other more dominant protocols."
You have just caused an evil-grin to appear on the faces of many trojan writers. They now have another 'cunning' trick to add to their arsenal.
Quickly!!! Arrest the winners!!! They have obviously violated the DMCA!!!
Don't anthropomorphize computers, they don't like it.
...for saving the honeypot, your own poohbear doll
Jesus saves souls and redeems them for valuable cash prizes
This really is fascinating stuff. Note that most of the entrants used the disassembler known as IDA, available here. There was also much discussion of this contest recently on various security-related mailing lists.
Hopefully they will be doing a similar contest again next year. In the meantime, I guess we'll just have the Scan of the Month to analyse.
A smart Sysadmin knows to check slashdot.org once per day to see what irresponsible hints you are giving to script kiddies..
Of course without these slashdot.org posts I would be out of a job..so I guess hey bring on more slashdot.org posts!
Don't Tread on OpenSource
How can we tell if some of the contestants were not the same group of persons using that binary?
:)
:)
If this was the case then reverse engineering it might be pretty straight forward.
Just wondering, no accusation made.
*checks /etc/protocols* What the hell is protocol 11?
Do routers even route protocol 11? Would it make it to its DoS destination? Interesting. Per usual slashdot behaviour, I haven't read the articles yet, but I hope they discuss this a little more.
Hmm.......
Actually, the winner cheated. They used a 2. Oh man, I kill myself.
The results link posted above (http://project.honeynet.org/reverse/results/) is wonderfully tortured HTML ... with the pleasing side-effect of triggering a mouseover color change for over half the text in the opening paragraph when rendered with Mozilla.
Hey, I found it interesting...
What does the protocol do? Would it be harmful if I block it off?
How may I do that with ipchains and iptables?
In response to the people criticizing the information about the protocol used...
Now someone can't even mention general characteristics of a hack without being criticized for giving information to "script kiddies" or "trojan writers"?
We know that security through obscurity is a poor excuse. I'd rather have this stuff out in the open so I and others can deal with it, than have it known only to a few...
look at it here.
My life in the land of the rising sun.
What is the use of protocol 11?
Would it be harmful if I just block it off?
How may I do the blocking with ipchains and iptables?
Thanks
This is great. From the source: /*
* dns queries:
* SOA queries for
* com
* net
* de malformed packet
* edu
* org
* usc.edu
All of these dumbass machines (mostly in Australia) kept hitting my primaries with questions for those! I couldn't figure it out, and no amount of searching on Usenet turned up any help. Now at least I know it's due to some idiot worm drilling me.
Now I get to convert my IP addresses to hex and see what else is up there in that table. Blah.
Feb 22 09:16:46 dns1 named[58]: denied query from [203.134.113.201].4763 for "usc.edu" IN
Did anyone else see this?
http://www.ietf.org/rfc/rfc741.txt
The important design objectives of the Network Voice Protocol (NVP) are:
- Recovery of loss of any message without catastrophic effects. Therefore all answers have to be unambiguous, in the sense that it must be clear to which inquiry a reply refers.
- Design such that no system can tie up the resources of another system unnecessarily.
- Avoidance of end-to-end retransmission.
- Separation of control signals from data traffic.
- Separation of vocoding-dependent parts from vocoding-independent parts.
- Adaptation to the dynamic network performance.
- Optimal performance, i.e. guaranteed required bandwidth, and minimized maximum delay.
- Independence from lower level protocols.
From the bonus questions:
Summary
The program was written in 2000, being inspired by the media attention of the trinoo and TFN DDOS tools. The programmer is most likely young with limited personal resources. The programmer has a low skill level and resorts to the "cut and paste" style of programming. The programmer possibly resides in Europe and socialises with other blackhat style programmers. The programmer is male, overweight and has no social life other than his computer. He wears glasses and was bullied throughout school. He uses computers as a way of getting back at the world which has maligned him. You decide where reality steps aside and Hollywood takes over.
"This protocol goes to eleven."
"And like that
Well, what I've pulled from websites and the RFC:
1: It's a protocol. In IP speak, it's under the same section that TCP(6), UDP(17), ICMP(1), and others fit under. On unix boxen, it can be found in /etc/protocols. The protocol specification is in the header of the 20 byte beginning part of the IPv4 datagram. It's an 8 bit field.
2: It was created specifically for voice transfers, along with "telephone emulation" (just the way you interface with the tele). I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones (that use IP networks) use this protocol to transfer voice data.
Some were asking how this could flood your system.... Well, what's the difference between TCP and UDP? Or how about ping floods??? Well, it's all data being sent to you. Doesn't matter what 8 bit field is switched... It's still garbage data (if you didn't request it). It fills up your receiving connection.
Hopefully I've explained what this is. I'll probably be modded redundant as somebody probably wrote a better "explanation" while I wrote mine. Oh well.
Oh The Irony Of It All
/. effect..... Do I win?
tool for performing remote DoS attacks
So here's my question... since everybody is calling this protocol NVP..
Most machines are not configured to handle NVP. Windows, I don't even know if it has such support. So why did the writer choose NVP? Who is listening to it?
Or is it more correct to say that the writer simply happened to tag his IP packets with #11 as the protocol, which just HAPPENS to be NVP? His implementation may really have nothing to do with NVP except that it uses the same protocol #.
Of course, the source has been DoSed (or slashdotted, however you want to put it) so I can't really look at it.
I participated in the contest, and to answer a few questions:
1) Protocol 11 is used in this tool simply as a messaging protocol. No attempt was made by the author to adhere to the published NVP RFC. The author simply sticks 11 in the protocol field of the IP header. Think of each packet as a UDP packet, no handshake, etc...
2) Protocol 11 is not used to perform any of the DoS attacks. The attacks are fairly standard DoS attacks like TCP SYN, and ICMP echo floods.
3) Protocol 11 get through many firewalls because sysadmins only set up rules to block unwanted TCP, UDP, and ICMP packets.
4) Single incoming protocol 11 packets are used to trigger compromised hosts to perform selected DoS attacks
I hope that helps
Chris
I spent a little time reading the solutions of the winner, and of the #9 guy who won the $200 gift certificate for the most concise answer. I clicked on the "cost estimate" link for the winner.
I thought it would be one of those vaporous confabulations of how many BILLIONS of dollars' worth of corporate man hours would be lost to this exploit. Surprise! It's an estimate of what he would charge you to do this, if you were paying him ~$70k a year. If you don't want to click, it was about $3500 for the winner, and about $850 for the 9th place guy.
Then I started clicking a couple at random, and I noticed that the various cost analyses of various teams seem to cluster between $2500 and $4000 or so.
The Italian team are the clear outliers, claiming that they would bill over $10,000 JUST for the RE team and the analysis write-up. They included a full day's billing to cover "meeting, discussion, and coffee time."
The conclusions? a) One Dutch kid can do the work of 8 Italian professionals in about 1/40th the time, and b) I need to get a job in Italy.
Humpty Dumpty was pushed.
Other than to be obscure, there's no good reason to use an unused IP protocol number rather than an unused UDP protocol number. This attack could equally well have used a UDP port.
It's worth checking servers to see if there's anything configured to listen to obsolete protocol numbers and unused UDP ports. Many UNIX servers still have a vast number of obsolete Berkeley daemons running. Some, like "biff", have known vulnerabilities. And it's worth checking for traffic on obsolete protocol numbers to see if some spyware is using them.
For the DNS attack, SOA queries for the following domains are made
com
net
edu
org
de Germany
usc.edu University of Southern California
es Spain
gr Greece
ie Ireland
Why the contrast between country codes for countries in Europe, and a US university? A theory on this is that the programmer resides in Europe, hence the familiarity with the European country codes, and has friends studying at usc.edu.
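The DNS side of the tool, as an added example that is not from the Honeynet write-ups or the tool's own source: it takes BIND "denied query" lines in the format shown in an earlier comment (the `named[58]: denied query from [ip].port for "name" IN` line), pulls out the source address and query name, and flags sources that walk the list of SOA targets quoted above. Caveat: that log line does not carry the query type, so this keys on the name list rather than on SOA; a host asking for "com" once is noise, a host asking for several of these names in a row is the tool. The sample log lines are constructed (RFC 5737 documentation addresses), and the threshold of three names is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# SOA targets listed in the write-up quoted above (from the tool's source).
TOOL_SOA_TARGETS = {"com", "net", "edu", "org", "de", "usc.edu", "es", "gr", "ie"}

# Matches the BIND "denied query" line shown earlier in the thread:
#   ... named[58]: denied query from [203.134.113.201].4763 for "usc.edu" IN
DENIED_QUERY = re.compile(
    r'named\[\d+\]: denied query from \[(?P<ip>[0-9.]+)\]\.(?P<port>\d+) '
    r'for "(?P<name>[^"]*)" (?P<cls>\w+)'
)


def parse_denied_queries(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (source_ip, query_name) for every denied-query line; skip everything else."""
    for line in lines:
        m = DENIED_QUERY.search(line)
        if m:
            yield m.group("ip"), m.group("name").rstrip(".").lower()


def sources_by_target(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Which source addresses asked for each name on the tool's target list."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for ip, name in parse_denied_queries(lines):
        if name in TOOL_SOA_TARGETS:
            hits[name].add(ip)
    return dict(hits)


def suspect_sources(lines: Iterable[str], min_targets: int = 3) -> List[str]:
    """Source IPs that asked for at least min_targets distinct names from the list.
    The threshold is an assumption; tune it against your own query volume."""
    names_per_ip: Dict[str, Set[str]] = defaultdict(set)
    for ip, name in parse_denied_queries(lines):
        if name in TOOL_SOA_TARGETS:
            names_per_ip[ip].add(name)
    return sorted(ip for ip, names in names_per_ip.items() if len(names) >= min_targets)


# Constructed sample log (RFC 5737 documentation addresses), in the format above.
SAMPLE_LOG = """\
Feb 22 09:16:46 dns1 named[58]: denied query from [192.0.2.10].4763 for "usc.edu" IN
Feb 22 09:16:46 dns1 named[58]: denied query from [192.0.2.10].4764 for "com" IN
Feb 22 09:16:47 dns1 named[58]: denied query from [192.0.2.10].4765 for "de" IN
Feb 22 09:16:47 dns1 named[58]: denied query from [192.0.2.10].4766 for "gr" IN
Feb 22 09:16:48 dns1 named[58]: denied query from [198.51.100.7].1054 for "org" IN
Feb 22 09:16:48 dns1 named[58]: denied query from [198.51.100.7].1055 for "ie" IN
Feb 22 09:16:49 dns1 named[58]: denied query from [203.0.113.3].2211 for "example.net" IN
Feb 22 09:16:49 dns1 named[58]: lame server resolving 'example.org' (in 'example.org'?): 203.0.113.9#53
""".splitlines()

if __name__ == "__main__":
    for name, ips in sorted(sources_by_target(SAMPLE_LOG).items()):
        print(f"{name:8s} {len(ips)} source(s): {', '.join(sorted(ips))}")
    print("suspect sources:", suspect_sources(SAMPLE_LOG))
```

Run it against a real named log with `suspect_sources(open("/var/log/messages"))`; the query-name list is the signature, the per-source count is what separates the tool from a stray resolver.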
Having just graduated from USC.... I am more inclined to think that the coder is (was) a student here, or at a big rival school (such as UCLA). It would be more likely then that the country codes were the first ones that came to his head, or that they were the countries that his friends (or enemies) originate from. (USC and UCLA both have inordinately large populations of foreign students compared to other US universities)
I'm out of my mind right now, but feel free to leave a message.....
It is amazing how confidently people spout wrong information, analogies and all. I wish there were a (-1, wrong) moderation available.
IP has no concept of port numbers - it is a network layer protocol and its job is to deliver packets from one IP address to another. It acts as a "carrier" for other protocols like TCP, UDP, or in this case NVP. To identify this super-protocol, the IP packet has a field for the protocol number. TCP = 6, UDP = 17, NVP = 11. So if an incoming packet says protocol #6, it is passed up to the TCP handler; if it says 17, it is passed to UDP.
Now the TCP/UDP/whatever protocol is free to use whatever means it finds fit to identify the actual process that is the destination of the packet - this is what port numbers are used for. So IP delivers the packet to a certain host, and then the next-level protocol looks at the port number in that packet to figure out which process it should be fed to.
It should be clear now that port numbers have nothing to do with protocol numbers.
Bonus question: explain why this attack had so many valid originating IP addresses.
karma capped
with its instructions being cunningly supplied via the lesser known IP protocol 11.
Instructions being "hey, dos this". It doesn't use nvp to flood the target, just to get its orders from its master kiddie.
Will all the cloobies please log off now. Thank you.
I just wasted your mod points! HA!
The summary said "IP protocol 11", which I for one interpreted as IPv11 (and was very confused by that as you probably can imagine). The thing is, ICMP, TCP, UDP and "Protocol 11" are *not* IP-protocols, they are transport protocols that run on top of IP. IPv4 and IPv6 are the obvious examples of IP-protocols.
We all know that reverse engineering without the permission of the copyright holder is a violation of the DMCA, and doing so "willfully and for purposes of commercial advantage or private financial gain," such as to win a contest like this one is a criminal offense. Since it's a criminal offense, the victim (the copyright holder) doesn't even have to step up and admit that s/he's the copyright holder.
Sounds like a good test case.
Thanks.
(And I also wish there was a "-1, wrong" moderation so that my post could find its way into the bowels of negativeness more quickly).
This tool was already using it, so we already have to upgrade our detection tools (where necessary) to deal with odd protocol numbers. If many other trojan writers start using the same trick, then it will just make them that much easier to detect.
A smart Sysadmin knows to check slashdot.org once per day to see what irresponsible hints you are giving to script kiddies..
:)
From The Art Of War by Sun Tzu:
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not
on the chance of his not attacking, but rather on the fact that we have
made our position unassailable."
So a sysadmin relying on the attacker's inability is in fact the irresponsible one! neener neener
FRA: STFU GTFO
I went to school with this guy :)
:) Overall a great guy - met him in March this year back in Perth (Australia). Nice to see someone finally recognises some of his talent.
One hell of a smart guy; although strange at times (not at all bad). Married to Tiki Swain - also another "unfound" talent. Many would not see him as a "computer nerd" *g* - he is short, thin, hates working, hates wearing shoes - and likes to live in the "wild". McDonalds, Coke, all other commercial stuff just isn't his cue - he prefers finding food in the wild.
Kudos Dion!
Routers absolutely route it. It's still IP. It's not something strange or wonderful; it's just an IP packet with the protocol ID field set to '11'.
Have a look at /etc/protocols on your favorite unix system, or just google for IP protocol IDs to see.
It's just something you don't usually hear about because we tend to only use TCP, UDP, and ICMP, and maybe GRE (protocols 6, 17, 1, and 47, respectively).
You can generate IP packets of whatever protocol ID you want and routers SHOULD route them.
Now that this binary has been well publicized and the source code released, we will see many spinoffs and improvements of this protocol 11 DoS tool...kinda backfires in a way doesn't it? Sure the tool was poorly programmed but it does have some nifty features, especially the widely undetected communications protocol.
If you look at the story the guy calls it protocol 11 but then he tells you to grep netstat output for anything using port 11.
And if you actually read the grep command line, you note that he's only looking for lines with 'raw' in them. Anything other than TCP and UDP shows up in netstat as 'raw' - for example, ICMP is protocol 1, and will show up like this on a RedHat system:
In short... he knows what he is talking about. You, however, should probably go read a man page or two.
The way I see it, publicizing this tool will have the opposite effect. Firewall admins all over will be smacking themselves on the forehead, saying "Protocol 11? We only need TCP, UDP and ICMP. Better block everything else."
Because it is so easily blocked, this will neutralize an entire class of attacks (ie. ones that use anything but TCP, UDP and ICMP). I suspect that, since it is now well-publicized, we will see this show up in security seminars, documents, HOW-TOs, etc: 'Be sure to block any protocols that your company isn't using because tools have been discovered in the wild that use protocols other than TCP, UDP and ICMP'.
If this doesn't convince people that security flaws are better exposed than hidden, I don't know what will. This tool was written two years ago. Where else is it, or its derivatives, being used?
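The points made by Chris (protocol 11 is just a number in the IPv4 header, carrying a UDP-like datagram with no handshake, and it slips past rulesets that only mention TCP, UDP and ICMP), by the "IP has no concept of port numbers" post, and by the "better block everything else" post above, as one added example that is not the tool's code or anything from the Honeynet write-ups: it builds an IPv4 header by hand with the protocol field set to 11, parses it back (checking the RFC 791 header checksum), and runs the packet through a port-only ruleset beside a protocol allow-list. The command bytes in the payload are a placeholder, not the real tool's message format; the addresses are RFC 5737 documentation addresses; the open-port sets are assumptions.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

# IP protocol numbers as listed in /etc/protocols.
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_NVP, IPPROTO_UDP = 1, 6, 11, 17


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones'-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (IHL=5, no options) followed by the payload.
    The protocol field is an 8-bit number; nothing makes the payload follow the RFC for it."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int]   # only TCP and UDP carry ports; other protocols have none
    payload: bytes


def parse_ipv4(raw: bytes) -> Packet:
    """Decode the fixed IPv4 header, verify its checksum, and pull a port only if the
    next protocol is one that has ports."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(raw[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    payload = raw[ihl:total_len]
    dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        _sport, dport = struct.unpack("!HH", payload[:4])
    return Packet(proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), dport, payload)


def port_only_filter(pkt: Packet, open_tcp: Set[int], open_udp: Set[int]) -> bool:
    """The ruleset Chris describes: it only ever talks about TCP, UDP and ICMP.
    Returns True if the packet is accepted."""
    if pkt.proto == IPPROTO_TCP:
        return pkt.dport in open_tcp
    if pkt.proto == IPPROTO_UDP:
        return pkt.dport in open_udp
    if pkt.proto == IPPROTO_ICMP:
        return True
    return True   # the hole: protocol 11 (or 47, or 255) is never examined


def protocol_allowlist_filter(pkt: Packet, allowed: Set[int],
                              open_tcp: Set[int], open_udp: Set[int]) -> bool:
    """Default-deny on the protocol field first, then apply the port rules."""
    if pkt.proto not in allowed:
        return False
    return port_only_filter(pkt, open_tcp, open_udp)


# Constructed sample packets. COMMAND is an illustrative placeholder, not the tool's format.
COMMAND = b"\x01attack 192.0.2.7\x00"
NVP_PACKET = build_ipv4(IPPROTO_NVP, "198.51.100.9", "192.0.2.50", COMMAND)
# A TCP SYN to port 22: sport, dport, seq, ack, data offset, flags, window, csum, urg.
TCP_PACKET = build_ipv4(IPPROTO_TCP, "198.51.100.9", "192.0.2.50",
                        struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 0x02, 65535, 0, 0))


def classify(raw: bytes, open_tcp: Set[int] = frozenset({80}),
             open_udp: Set[int] = frozenset({53})) -> Dict[str, object]:
    pkt = parse_ipv4(raw)
    return {
        "proto": pkt.proto,
        "dport": pkt.dport,
        "port_only": port_only_filter(pkt, open_tcp, open_udp),
        "allowlist": protocol_allowlist_filter(pkt, {IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP},
                                               open_tcp, open_udp),
    }


if __name__ == "__main__":
    for label, raw in (("proto 11", NVP_PACKET), ("tcp/22", TCP_PACKET)):
        print(label, classify(raw))
```

The protocol 11 datagram has no port at all, so a ruleset written in terms of ports has nothing to match it against and lets it through; the allow-list drops it before ports are even considered. The iptables shape of the allow-list is a default policy of DROP on INPUT followed by ACCEPT rules for `-p tcp`, `-p udp` and `-p icmp` only (`-p` also takes a bare number, so `-p 11 -j DROP` blocks just this one). That only covers the inbound trigger; the flood a compromised host sends out is ordinary TCP SYN and ICMP traffic.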
I believe it will take care of everything.
You may know this already, but for the benefit of any others lurking, you should flush first (-F), then set the policy (with the -P, as above), then enable any traffic you want. With an unmodified policy of deny, reject, reject, you are effectively cut off from the internet altogether, and if that is what you wanted, you would most likely just pull out the cable.
MM
--
By including this sig, the copyright holders of this work or collection unreservedly place it in the public domain.