The Reverse Challenge: Winners Announced

asqui writes: "The Reverse Challenge was a contest from The Honeynet Project to essentially reverse engineer a binary captured in the wild running on a compromised honeypot. The contest ran during May of this year and the submissions have been judged and the winners announced. Dion Mendel took first place with 43.4 points out of a possible 50. The binary turned out to be a tool for performing remote DoS attacks from compromised hosts, with its instructions being cunningly supplied via the lesser known IP protocol 11. This binary is currently being used in the wild but there is little reported activity, probably because sysadmins are focused on the other more dominant protocols."

Fascinating

[SpatchMonkey]

This really is fascinating stuff. Note that most of the entrants used the disassembler known as IDA, available here. There was also much discussion of this contest recently on various security-related mailing lists.

Hopefully they will be doing a similar contest again next year. In the meantime, I guess we'll just have the Scan of the Month to analyse.

I should have asked before the contest but

[jsse]

How can we tell if some of the contestants were not the same group of persons using that binary?

If this was the case then reverse engineering it might be pretty straight forward. :)

Just wonder, not accusation made. :)

Re:Forgive my naiveness but

[GigsVT]

"Network Voice Protocol"

Your guess is as good as mine, as usual, someone who had no previous clus about nvp will google it and make a +5 informative post, so just wait for that.

As far as blocking it in ipchains,

-A input -s 0/0 -d 0/0 -p 11 -j DROP

ObSpinalTapRef

[tswinzig]

"This protocol goes to eleven."

About the binary

[eaglesnax]

I participated in the contest, and to answer a few questions:

1) Protocol 11 is used in this tool simply as a messaging protocol. No attempt was made by the author to adhere to the published NVP RFC. The author simply sticks 11 in the protocol field of the IP header. Think of each packet as a UDP packet, no handshake, etc...

2) Protocol 11 is not used to perform any of the DoS attacks. The attacks are fairly standard DoS attacks like TCP SYN, and ICMP echo floods.

3) Protocol 11 get through many firewalls because sysadmins only set up rules to block unwanted TCP, UDP, and ICMP packets.

4) Single incoming protocol 11 packets are used to trigger compromised hosts to perform selected DoS attacks

I hope that helps

Chris

why can't we all be Italian?

[oliphaunt]

I spent a little time reading the solutions of the winner, and of the #9 guy who won the $200 gift certificate for the most concise answer. I clicked on the "cost estimate" link for the winner.

I thought it would be one of those vaporous confabulations of how many BILLIONS of dollars' worth of corporate man hours would be lost to this exploit. Surprise! It's an estimate of what he would charge you to do this, if you were paying him ~$70k a year. If you don't want to click, it was about $3500 for the winner, and about $850 for the 9th place guy.

Then I started clicking a couple at random, and I noticed that the various cost analyses of various teams seem to cluster between $2500 and $4000 or so.

The Italian team are the clear outliers, claiming that they would bill over $10,000 JUST for the RE team and the analysis write-up. They included a full day's billing to cover "meeting, discussion, and coffee time."

the conclusions? a) one dutch kid can do the work of 8 Italian professionals in about 1/40th the time, and b) i need to get a job in Italy.

Next scan of the month...

[snake_dad]

Analyse the DoS attact honeynet.org experienced July 8, 2002.

Bonus question: explain why this attack had so many valid originating IP addresses.