Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Reverse Challenge: Winners Announced

Posted by timothy on from the snoitalutargnoc dept.

asqui writes: "The Reverse Challenge was a contest from The Honeynet Project to essentially reverse engineer a binary captured in the wild running on a compromised honeypot. The contest ran during May of this year and the submissions have been judged and the winners announced. Dion Mendel took first place with 43.4 points out of a possible 50. The binary turned out to be a tool for performing remote DoS attacks from compromised hosts, with its instructions being cunningly supplied via the lesser known IP protocol 11. This binary is currently being used in the wild but there is little reported activity, probably because sysadmins are focused on the other more dominant protocols."

12 of 186 comments (clear)

  1. Fascinating by SpatchMonkey · · Score: 5, Informative

    This really is fascinating stuff. Note that most of the entrants used the disassembler known as IDA, available here. There was also much discussion of this contest recently on various security-related mailing lists.

    Hopefully they will be doing a similar contest again next year. In the meantime, I guess we'll just have the Scan of the Month to analyse.

  2. I should have asked before the contest but by jsse · · Score: 5, Insightful

    How can we tell if some of the contestants were not the same group of persons using that binary?

    If this was the case then reverse engineering it might be pretty straight forward. :)

    Just wonder, not accusation made. :)

  3. Protocol 11 information by lingqi · · Score: 4, Informative
    P. 11 is RFC 741 - NVP (network voice protocol)

    look at it here.

    --

    My life in the land of the rising sun.

  4. Re:Forgive my naiveness but by GigsVT · · Score: 5, Informative

    "Network Voice Protocol"

    Your guess is as good as mine, as usual, someone who had no previous clus about nvp will google it and make a +5 informative post, so just wait for that.

    As far as blocking it in ipchains,

    -A input -s 0/0 -d 0/0 -p 11 -j DROP

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  5. ObSpinalTapRef by tswinzig · · Score: 5, Funny

    "This protocol goes to eleven."

    --

    "And like that ... he's gone."
  6. Explanation of "Protocol 11" by josh+crawley · · Score: 4, Informative

    Well, what I've pulled from websites and the RFC:

    1:It's a protocol. In IP speak, It's under the same secion that TCP(6), UDP(17), ICMP(1), and others fit under. On unix boxen, it can be found in /etc/protocols . The protocol specification is in the header of the 20 byte beginning part of the IPv4 datagram. It's a 8 bit field.

    2: It was created specifically for voice transfers, along with "telephone emulation" (just the way you interface with the tele). I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones(that use IP networks) use this protocol to transfer voice data.

    Some were asking how this could flood your system.... Well, what's the difference TCP and UDP? Or how about ping floods??? Well, it's all data being sent to you. Doesnt matter what 8 bit field is switched... It's still garbage data (if you didnt request it). It fills up your receving connection.

    Hopefully I've explained what this is. I'll probably be modded redundant as somebody probably wrote a better "explanation" while I wrote mine. Oh well.

  7. Re:Forgive my naiveness but by elandal · · Score: 4, Informative
    It's Network Voice Protocol, and it's safe to block unless You use it (and You should know if You do).

    I have default DENY, and specific ACCEPT rules. As everything I do ACCEPT contains a protocol, this means that unknown protocols are denied. For as long as You run only IPv4, no multicast, and so on (like most people do - although IPv6 is gaining), You only need icmp, igmp, tcp, and udp. Read /etc/protocols for mysterious acronyms.

    If You default to ACCEPT, or have very broad ACCEPT rules based on just eg. the IP addresses, You can, with ipchains, deny as follows:
    ipchains -A input -j DENY -p nvp
    Not tested, but should work.
  8. Re:Forgive my naiveness but by mamba-mamba · · Score: 4, Informative
    I suggest you read the info on the pages referenced in the top-level post. Here is an excerpt.

    Detection
    =========

    Any network traffic using an unusual protocol should be suspect. This tool
    uses protocol 11, but could easily be recompiled to use another protocol.
    As protocol 11 is not currently used, any network traffic using this
    protocol should be assumed to be communication between handlers and agents
    of this tool. The signature for detecting agent / handler communication
    was described in the previous section.

    Note that the source address of a packet from handler -> agent should not
    be assumed to be the actual address of the handler. The source address in
    the IP header is most likely to be spoofed. Similarly, data from agent ->
    handler is often faked to increase the difficulty of tracing the attacker's
    whereabouts.

    To hide from casual detection, the agent changes its process name to
    [mingetty].
    This is the standard getty for RedHat, and Slackware versions pre 7.0.

    To detect a running agent on a system, netstat can be used to determine
    if any processes are using protocol 11. The following command and
    response shows a running agent process.

    # netstat -pan | grep raw | grep :11
    raw 0 0 0.0.0.0:11 0.0.0.0:* 7 5226/[mingetty]

    If found, all instances of mingetty should be killed (to ensure that
    children are caught as well). This will kill valid mingetty processes
    as well, but they will be respawned by the init process.

    # ps ax | grep mingetty | grep -v grep | awk '{print $1}' | xargs kill -9

    The system should immediately be taken off the network and analysed to
    determine how the attacker gained root access.

    I don't believe it would do you any harm to block protocol 11. I would recommend that you block all protocols except for udp, icmp, and tcp, while you are at it. In fact, you can probably allow TCP and UDP only if you are a home user. I would just allow ICMP for the hell of it. Just set up a default incoming policy for all packets of "DROP," then accept all TCP packets, or all TCP packets meeting certain criteria, as desired. iptables allows you to specify protocols by number or name in a rule, using the "-p" parameter.
    You should be able to block everything except TCP with something like:

    iptables -F INPUT
    iptables -P INPUT DROP
    iptables -A INPUT -p TCP -j ACCEPT

    if you also want to accept UDP (you do), then add this:
    iptables -A INPUT -p UDP -j ACCEPT

    for ICMP:
    iptables -A INPUT -p ICMP -j ACCEPT

    Note that ping, and a variety of other things, use ICMP, so I reccommend that you enable it.

    Proper firewall configuration is a complex topic (and I'm not an expert at it). What I have posted above is not intended to create a safe firewall. I am hoping that you can figure the rest out yourself, or modify the above to suit your needs.

    I have to run, so good luck.

    MM
    --

    --
    By including this sig, the copyright holders of this work or collection unreservedly place it in the public domain.
  9. Re:achtung! by Anonymous Coward · · Score: 4, Funny

    Quickly!!! Arrest the winners!!! They have obviously violated the DMCA!!!

    EULA: By allowing your system to be compromised by this program you hereby agree to the following license conditions...

  10. About the binary by eaglesnax · · Score: 5, Informative

    I participated in the contest, and to answer a few questions:

    1) Protocol 11 is used in this tool simply as a messaging protocol. No attempt was made by the author to adhere to the published NVP RFC. The author simply sticks 11 in the protocol field of the IP header. Think of each packet as a UDP packet, no handshake, etc...

    2) Protocol 11 is not used to perform any of the DoS attacks. The attacks are fairly standard DoS attacks like TCP SYN, and ICMP echo floods.

    3) Protocol 11 get through many firewalls because sysadmins only set up rules to block unwanted TCP, UDP, and ICMP packets.

    4) Single incoming protocol 11 packets are used to trigger compromised hosts to perform selected DoS attacks

    I hope that helps

    Chris

  11. why can't we all be Italian? by oliphaunt · · Score: 5, Interesting

    I spent a little time reading the solutions of the winner, and of the #9 guy who won the $200 gift certificate for the most concise answer. I clicked on the "cost estimate" link for the winner.

    I thought it would be one of those vaporous confabulations of how many BILLIONS of dollars' worth of corporate man hours would be lost to this exploit. Surprise! It's an estimate of what he would charge you to do this, if you were paying him ~$70k a year. If you don't want to click, it was about $3500 for the winner, and about $850 for the 9th place guy.

    Then I started clicking a couple at random, and I noticed that the various cost analyses of various teams seem to cluster between $2500 and $4000 or so.

    The Italian team are the clear outliers, claiming that they would bill over $10,000 JUST for the RE team and the analysis write-up. They included a full day's billing to cover "meeting, discussion, and coffee time."

    the conclusions? a) one dutch kid can do the work of 8 Italian professionals in about 1/40th the time, and b) i need to get a job in Italy.

    --




    Humpty Dumpty was pushed.
  12. Next scan of the month... by snake_dad · · Score: 5, Funny
    Analyse the DoS attact honeynet.org experienced July 8, 2002.

    Bonus question: explain why this attack had so many valid originating IP addresses.

    --
    karma capped .sig seeking available Slashdot poster for long-term relationship.