The Reverse Challenge: Winners Announced

asqui writes: "The Reverse Challenge was a contest from The Honeynet Project to essentially reverse engineer a binary captured in the wild running on a compromised honeypot. The contest ran during May of this year and the submissions have been judged and the winners announced. Dion Mendel took first place with 43.4 points out of a possible 50. The binary turned out to be a tool for performing remote DoS attacks from compromised hosts, with its instructions being cunningly supplied via the lesser known IP protocol 11. This binary is currently being used in the wild but there is little reported activity, probably because sysadmins are focused on the other more dominant protocols."

Fascinating

[SpatchMonkey]

This really is fascinating stuff. Note that most of the entrants used the disassembler known as IDA, available here. There was also much discussion of this contest recently on various security-related mailing lists.

Hopefully they will be doing a similar contest again next year. In the meantime, I guess we'll just have the Scan of the Month to analyse.

I should have asked before the contest but

[jsse]

How can we tell if some of the contestants were not the same group of persons using that binary?

If this was the case then reverse engineering it might be pretty straight forward. :)

Just wonder, not accusation made. :)

Oh c'mon...

[stirfry714]

In response to the people criticizing the information about the protocol used...

Now someone can't even mention general characteristics of a hack without being criticized for giving information to "script kiddies" or "trojan writers"?

We know that security through obscurity is a poor excuse. I'd rather have this stuff out in the open so I and others can deal with it, than have it known only to a few...

Protocol 11 information

[lingqi]

P. 11 is RFC 741 - NVP (network voice protocol)

look at it here.

Re:Forgive my naiveness but

[GigsVT]

"Network Voice Protocol"

Your guess is as good as mine, as usual, someone who had no previous clus about nvp will google it and make a +5 informative post, so just wait for that.

As far as blocking it in ipchains,

-A input -s 0/0 -d 0/0 -p 11 -j DROP

ObSpinalTapRef

[tswinzig]

"This protocol goes to eleven."

Explanation of "Protocol 11"

[josh+crawley]

Well, what I've pulled from websites and the RFC:

1:It's a protocol. In IP speak, It's under the same secion that TCP(6), UDP(17), ICMP(1), and others fit under. On unix boxen, it can be found in /etc/protocols . The protocol specification is in the header of the 20 byte beginning part of the IPv4 datagram. It's a 8 bit field.

2: It was created specifically for voice transfers, along with "telephone emulation" (just the way you interface with the tele). I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones(that use IP networks) use this protocol to transfer voice data.

Some were asking how this could flood your system.... Well, what's the difference TCP and UDP? Or how about ping floods??? Well, it's all data being sent to you. Doesnt matter what 8 bit field is switched... It's still garbage data (if you didnt request it). It fills up your receving connection.

Hopefully I've explained what this is. I'll probably be modded redundant as somebody probably wrote a better "explanation" while I wrote mine. Oh well.

Re:Explanation of "Protocol 11"

[Frater+219]

I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones(that use IP networks) use this protocol to transfer voice data.

Taking a look at the RFC might raise some doubts in your mind regarding that belief. This protocol was designed for use with the old ARPANET protocols, which pre-dated IPv4. I'm guessing the only reason there's a code point for it in /etc/protocols is for old, old compatibility reasons, back when ARPANET was migrating from the old protocol to IP.

Re:Explanation of "Protocol 11"

[jareds]

2: It was created specifically for voice transfers, along with "telephone emulation" (just the way you interface with the tele). I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones(that use IP networks) use this protocol to transfer voice data.

Nobody uses it. GSM most certainly does not. I'd be surprised if even a single commercially available webphone uses it.

Some were asking how this could flood your system.... Well, what's the difference TCP and UDP? Or how about ping floods??? Well, it's all data being sent to you. Doesnt matter what 8 bit field is switched... It's still garbage data (if you didnt request it). It fills up your receving connection.

This is wrong. The handler sends instructions to the agent via protocol 11. The agent performs traditional DOS attacks. I'm not saying you couldn't flood someone with protocol 11 packets, but that has nothing to do with this tool.

Re:Forgive my naiveness but

[elandal]

It's Network Voice Protocol, and it's safe to block unless You use it (and You should know if You do).

I have default DENY, and specific ACCEPT rules. As everything I do ACCEPT contains a protocol, this means that unknown protocols are denied. For as long as You run only IPv4, no multicast, and so on (like most people do - although IPv6 is gaining), You only need icmp, igmp, tcp, and udp. Read /etc/protocols for mysterious acronyms.

If You default to ACCEPT, or have very broad ACCEPT rules based on just eg. the IP addresses, You can, with ipchains, deny as follows:

ipchains -A input -j DENY -p nvp

Not tested, but should work.

Re:Forgive my naiveness but

[mamba-mamba]

I suggest you read the info on the pages referenced in the top-level post. Here is an excerpt.

Detection
=========

Any network traffic using an unusual protocol should be suspect. This tool
uses protocol 11, but could easily be recompiled to use another protocol.
As protocol 11 is not currently used, any network traffic using this
protocol should be assumed to be communication between handlers and agents
of this tool. The signature for detecting agent / handler communication
was described in the previous section.

Note that the source address of a packet from handler -> agent should not
be assumed to be the actual address of the handler. The source address in
the IP header is most likely to be spoofed. Similarly, data from agent ->
handler is often faked to increase the difficulty of tracing the attacker's
whereabouts.

To hide from casual detection, the agent changes its process name to
[mingetty].
This is the standard getty for RedHat, and Slackware versions pre 7.0.

To detect a running agent on a system, netstat can be used to determine
if any processes are using protocol 11. The following command and
response shows a running agent process.

# netstat -pan | grep raw | grep :11
raw 0 0 0.0.0.0:11 0.0.0.0:* 7 5226/[mingetty]

If found, all instances of mingetty should be killed (to ensure that
children are caught as well). This will kill valid mingetty processes
as well, but they will be respawned by the init process.

# ps ax | grep mingetty | grep -v grep | awk '{print $1}' | xargs kill -9

The system should immediately be taken off the network and analysed to
determine how the attacker gained root access.

I don't believe it would do you any harm to block protocol 11. I would recommend that you block all protocols except for udp, icmp, and tcp, while you are at it. In fact, you can probably allow TCP and UDP only if you are a home user. I would just allow ICMP for the hell of it. Just set up a default incoming policy for all packets of "DROP," then accept all TCP packets, or all TCP packets meeting certain criteria, as desired. iptables allows you to specify protocols by number or name in a rule, using the "-p" parameter.
You should be able to block everything except TCP with something like:

iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -p TCP -j ACCEPT

if you also want to accept UDP (you do), then add this:
iptables -A INPUT -p UDP -j ACCEPT

for ICMP:
iptables -A INPUT -p ICMP -j ACCEPT

Note that ping, and a variety of other things, use ICMP, so I reccommend that you enable it.

Proper firewall configuration is a complex topic (and I'm not an expert at it). What I have posted above is not intended to create a safe firewall. I am hoping that you can figure the rest out yourself, or modify the above to suit your needs.

I have to run, so good luck.

MM
--

Re:achtung!

Quickly!!! Arrest the winners!!! They have obviously violated the DMCA!!!

EULA: By allowing your system to be compromised by this program you hereby agree to the following license conditions...

About the binary

[eaglesnax]

I participated in the contest, and to answer a few questions:

1) Protocol 11 is used in this tool simply as a messaging protocol. No attempt was made by the author to adhere to the published NVP RFC. The author simply sticks 11 in the protocol field of the IP header. Think of each packet as a UDP packet, no handshake, etc...

2) Protocol 11 is not used to perform any of the DoS attacks. The attacks are fairly standard DoS attacks like TCP SYN, and ICMP echo floods.

3) Protocol 11 get through many firewalls because sysadmins only set up rules to block unwanted TCP, UDP, and ICMP packets.

4) Single incoming protocol 11 packets are used to trigger compromised hosts to perform selected DoS attacks

I hope that helps

Chris

Re:About the binary

[cwebster]

5) UDP's protocol number is 17, or 0x11. Who wants to bet he forgot a 0x in his code and use of proto 11 is a bug :)

why can't we all be Italian?

[oliphaunt]

I spent a little time reading the solutions of the winner, and of the #9 guy who won the $200 gift certificate for the most concise answer. I clicked on the "cost estimate" link for the winner.

I thought it would be one of those vaporous confabulations of how many BILLIONS of dollars' worth of corporate man hours would be lost to this exploit. Surprise! It's an estimate of what he would charge you to do this, if you were paying him ~$70k a year. If you don't want to click, it was about $3500 for the winner, and about $850 for the 9th place guy.

Then I started clicking a couple at random, and I noticed that the various cost analyses of various teams seem to cluster between $2500 and $4000 or so.

The Italian team are the clear outliers, claiming that they would bill over $10,000 JUST for the RE team and the analysis write-up. They included a full day's billing to cover "meeting, discussion, and coffee time."

the conclusions? a) one dutch kid can do the work of 8 Italian professionals in about 1/40th the time, and b) i need to get a job in Italy.

Use of unused protocol numbers

[Animats]

The only IP protocol numbers in widespread use are for ICMP, UDP, and TCP. Almost everything else is some obsolete thing from the early days of the Internet. (Reading through the list gives me a feeling of nostalgia, with people, protocols, and equipment I remember from the earliest days of TCP/IP research. Xerox Parc Universal Protocol over IP over 3MB Ethernet...)

Other than to be obscure, there's no good reason to use an unused IP protocol number rather than an unused UDP protocol number. This attack could equally well have used an UDP port.

It's worth checking servers to see if there's anything configured to listen to obsolete protocol numbers and unused UDP ports. Many UNIX servers still have a vast number of obsolete Berkeley daemons running. Some, like "biff", have known vulnerabilities. And it's worth checking for traffic on obsolete protocol numbers to see if some spyware is using them.

Next scan of the month...

[snake_dad]

Analyse the DoS attact honeynet.org experienced July 8, 2002.

Bonus question: explain why this attack had so many valid originating IP addresses.

Re:this one goes to eleven

[cookd]

Do routers even route protocol 11?

Mu.

Normal routers don't care what protocol is being used. They route at the IP layer. ICMP, TCP, UDP, and "Protocol 11" are all layered on top of the IP layer.

Now, a firewall is a different story...

Have you forgotten the old masters Grasshopper?

[The+Creator]

A samrt Sysadmin knows to check slashdot.org once per day to see what irreposnible hints you are giving to script kiddies..

From The Art Of War by Sun Tzu:
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not
on the chance of his not attacking, but rather on the fact that we have
made our position unassailable."

So a sysadmin relying on the attackers inability is if fact the irresponible one! neener neener :)

Dion Mendel

[ardiri]

i went to school with this guy :)

one hell of a smart guy; although strange at times (not at all bad). married to tiki swain - also another "unfound" talent. many would not see him as a "computer nerd" *g* - he is short, thin, hates working, hates wearing shoes - and, likes to live in the "wild". mcdonalds, coke, all other commercial stuff just isn't his cue - he prefers finding food in the wild :) overall a great guy - met him in march this year back in perth (australia). nice to see someone finally recognises some of his talent.

kudo's dion!