Security

The Reverse Challenge: Winners Announced

asqui writes: "The Reverse Challenge was a contest from The Honeynet Project to essentially reverse engineer a binary captured in the wild running on a compromised honeypot. The contest ran during May of this year and the submissions have been judged and the winners announced. Dion Mendel took first place with 43.4 points out of a possible 50. The binary turned out to be a tool for performing remote DoS attacks from compromised hosts, with its instructions being cunningly supplied via the lesser known IP protocol 11. This binary is currently being used in the wild but there is little reported activity, probably because sysadmins are focused on the other more dominant protocols."
  • d'oh! (Score:1, Troll)

    "The binary turned out to be a tool for performing remote DoS attacks from compromised hosts, with its instructions being cunningly supplied via the lesser known IP protocol 11."

    You have just caused an evil-grin to appear on the faces of many trojan writers. They now have another 'cunning' trick to add to their arsenal.

    • Let's hope so. (Score:2, Insightful)

      by dark-nl ( 568618 )
      This tool was already using it, so we already have to upgrade our detection tools (where necessary) to deal with odd protocol numbers. If many other trojan writers start using the same trick, then it will just make them that much easier to detect.
  • achtung! (Score:2, Funny)

    by eyegor ( 148503 )
    Quickly!!! Arrest the winners!!! They have obviously violated the DMCA!!!
    • Re:achtung! (Score:4, Funny)

      by Anonymous Coward on Monday July 08, 2002 @12:01AM (#3839618)
      Quickly!!! Arrest the winners!!! They have obviously violated the DMCA!!!

      EULA: By allowing your system to be compromised by this program you hereby agree to the following license conditions...
  • ...for saving the honeypot, your own poohbear doll
  • Fascinating (Score:5, Informative)

    by SpatchMonkey ( 300000 ) on Sunday July 07, 2002 @10:43PM (#3839322) Journal
    This really is fascinating stuff. Note that most of the entrants used the disassembler known as IDA, available here [datarescue.com]. There was also much discussion of this contest recently on various security-related mailing lists. [securityfocus.com]

    Hopefully they will be doing a similar contest again next year. In the meantime, I guess we'll just have the Scan of the Month to analyse.
  • A smart Sysadmin knows to check slashdot.org once per day to see what irresponsible hints you are giving to script kiddies..

    Of course without these slashdot.org posts I would be out of a job..so I guess hey bring on more slashdot.org posts!
  • by jsse ( 254124 ) on Sunday July 07, 2002 @10:50PM (#3839347) Homepage Journal
    How can we tell if some of the contestants were not the same group of persons using that binary?

    If this was the case then reverse engineering it might be pretty straightforward. :)

    Just wondering, no accusation made. :)
  • *checks /etc/protocols* What the hell is protocol 11?

    Do routers even route protocol 11? Would it make it to its DoS destination? Interesting. Per usual slashdot behaviour, I haven't read the articles yet, but I hope they discuss this a little more.

    Hmm.......

    • I would assume it's NVP (Network Voice Protocol)

      See rfc741 [faqs.org]

    • by Anonymous Coward
      I think this may help:

      http://www.iana.org/assignments/protocol-numbers

    • Don't worry, it's just a protocol on top of IP. Just like UDP, TCP and ICMP are.
    • Do routers even route protocol 11?

      Mu.

      Normal routers don't care what protocol is being used. They route at the IP layer. ICMP, TCP, UDP, and "Protocol 11" are all layered on top of the IP layer.

      Now, a firewall is a different story...
      • The summary said "IP protocol 11", which I for one interpreted as IPv11 (and was very confused by that, as you probably can imagine). The thing is, ICMP, TCP, UDP and "Protocol 11" are *not* IP-protocols, they are transport protocols that run on top of IP. IPv4 and IPv6 are the obvious examples of IP-protocols.
    • Routers absolutely route it. It's still IP. It's not something strange or wonderful; it's just an IP packet with the protocol ID field set to '11'.

      Have a look at /etc/protocols on your favorite unix system, or just google for ip protocol IDs to see.

      It's just something you don't usually hear about because we tend to only use TCP, UDP, and ICMP, and maybe GRE (protocols 6, 17, 1, and 47, respectively).

      You can generate IP packets of whatever protocol ID you want and routers SHOULD route them.
  • Actually, the winner cheated. They used a 2. Oh man, i kill myself.
  • The results link posted above (http://project.honeynet.org/reverse/results/) is wonderfully tortured HTML ... with the pleasing side-effect of triggering a mouseover color change for over half the text in the opening paragraph when rendered with Mozilla.

    Hey, I found it interesting...

    • Interesting? People don't close tags, just like people don't close ports, zippers, or the door to the safe that my employer keeps the espresso in.

      *buzz*

      Looks like a simple icky HTML error. Tsk Tsk. They should be more careful.

      -Sara
      • Interesting? People don't close tags ... Tsk Tsk. They should be more careful.

        Yeah, tell me [w3.org] about it [w3.org]. (I apologize for selecting a DTD for you.)

        You get your own *buzz* now.

        Maybe I ought to have stated that I find it interesting (still) that obvious markup errors persist when several diagnostic and corrective tools exist. Somehow, I think that point would be lost on you. :p

        Signed,
        Puzzled over Neuroticia [slashdot.org]'s death [archive.org] and apparent rebirth [slashdot.org].

        • Er. I think it's safe to say that the majority of pages on the internet have more errors than the page-that-I-abandoned-when-I-was-19-and-that-had-been-languishing-for-months-prior.

          I also think it's safer to say that a page that is targeting people of an unknown browser type in an anal retentive geek community needs to be more strict about their HTML than a 19 year old girl who is writing stupid things for a variety of friends, most of whom at that point were still on AOL or using a MS-variant browser.

          Safe bet, eh?

          Diagnostics tools are not used because most people in most situations simply do not care. If it displays correctly in their browser, they're happy as pigs in a puddle until someone writes to yell that they forgot a closing </html> tag.

          -Sara
          • I think it's safe to say that the majority of pages on the internet have more errors than the page-that-I-abandoned...

            Relative to the amount of markup within a specific document? No, I'd have to say that your farewell page is likely at (possibly above) standard markup error levels.

            I also think it's safer to say that a page [...] targe[t]ing people [...] in an anal retentive geek community needs to be more strict about their HTML than a 19 year old girl who is writing stupid things...

            That's a terribly unenlightened view for someone who partially self-identifies [slashdot.org] with the geek community (whatever that is). Excusing poor markup management with reference to browsing audience doesn't hold much truck, either. Recommended standards don't change for the unobservant or uncaring.

            Diagnostics tools are not used because most people in most situations simply do not care.

            I can agree with this. Draw your own conclusions.

  • What does protocol do? Would it be harmful if I block it off?

    How may I do that with ipchains and iptables?
    • by GigsVT ( 208848 ) on Sunday July 07, 2002 @10:58PM (#3839393) Journal
      "Network Voice Protocol"

      Your guess is as good as mine; as usual, someone who had no previous clue about NVP will google it and make a +5 informative post, so just wait for that.

      As far as blocking it in ipchains,

      -A input -s 0/0 -d 0/0 -p 11 -j DROP
      • No, I didn't wait for any mod. I'm really asking the question.

        Thank you for the blocking script.
    • It doesn't do much; it was reserved for an experimental protocol. Also, the email address of the person it is listed as being registered to, in the assigned numbers RFC, is no longer valid.

      I think you can safely block it.
    • See rfc751 [faqs.org] for information on NVP (or whatever RFC obsoleted that one, if any). You can probably block it.

      To quote...
      The Network Voice Protocol (NVP), implemented first in December 1973, and has been in use since then for local and transnet real-time voice communication over the ARPANET at the following sites:

      o Information Sciences Institute, for LPC and CVSD, with a
      PDP-11/45 and an SPS-41.
      o Lincoln Laboratory, for LPC and CVSD, with a TX2 and the
      Lincoln FDP, and with a PDP-11/45 and the LDVT.
      o Culler-Harrison, Inc., for LPC, with the Culler-Harrison
      MP32A and AP-90.
      o Stanford Research Institute, for LPC, with a PDP-11/40 and an
      SPS-41.
    • by mamba-mamba ( 445365 ) on Sunday July 07, 2002 @11:51PM (#3839593)
      I suggest you read the info on the pages referenced in the top-level post. Here is an excerpt.

      Detection

      =========

      Any network traffic using an unusual protocol should be suspect. This tool
      uses protocol 11, but could easily be recompiled to use another protocol.
      As protocol 11 is not currently used, any network traffic using this
      protocol should be assumed to be communication between handlers and agents
      of this tool. The signature for detecting agent / handler communication
      was described in the previous section.

      Note that the source address of a packet from handler -> agent should not
      be assumed to be the actual address of the handler. The source address in
      the IP header is most likely to be spoofed. Similarly, data from agent ->
      handler is often faked to increase the difficulty of tracing the attacker's
      whereabouts.

      To hide from casual detection, the agent changes its process name to
      [mingetty].
      This is the standard getty for RedHat, and Slackware versions pre 7.0.

      To detect a running agent on a system, netstat can be used to determine
      if any processes are using protocol 11. The following command and
      response shows a running agent process.

      # netstat -pan | grep raw | grep :11
      raw 0 0 0.0.0.0:11 0.0.0.0:* 7 5226/[mingetty]

      If found, all instances of mingetty should be killed (to ensure that
      children are caught as well). This will kill valid mingetty processes
      as well, but they will be respawned by the init process.

      # ps ax | grep mingetty | grep -v grep | awk '{print $1}' | xargs kill -9

      The system should immediately be taken off the network and analysed to
      determine how the attacker gained root access.

      I don't believe it would do you any harm to block protocol 11. I would recommend that you block all protocols except for udp, icmp, and tcp, while you are at it. In fact, you can probably allow TCP and UDP only if you are a home user. I would just allow ICMP for the hell of it. Just set up a default incoming policy for all packets of "DROP," then accept all TCP packets, or all TCP packets meeting certain criteria, as desired. iptables allows you to specify protocols by number or name in a rule, using the "-p" parameter.
      You should be able to block everything except TCP with something like:

      iptables -F INPUT
      iptables -P INPUT DROP
      iptables -A INPUT -p TCP -j ACCEPT

      if you also want to accept UDP (you do), then add this:
      iptables -A INPUT -p UDP -j ACCEPT

      for ICMP:
      iptables -A INPUT -p ICMP -j ACCEPT

      Note that ping, and a variety of other things, use ICMP, so I recommend that you enable it.

      Proper firewall configuration is a complex topic (and I'm not an expert at it). What I have posted above is not intended to create a safe firewall. I am hoping that you can figure the rest out yourself, or modify the above to suit your needs.

      I have to run, so good luck.

      MM
      --
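The netstat check in the excerpt above, as an added example that is not from the Honeynet write-up or the post: it parses `netstat -pan` output and the /proc/net/raw table that netstat reads on Linux, and reports raw sockets bound to any IP protocol outside an assumed allow-list. The sample tables, process names and inode numbers are constructed.

```python
"""Host-side check for the signature in the Honeynet "Detection" excerpt:
a process holding a SOCK_RAW socket bound to IP protocol 11. Two parsers
cover the `netstat -pan` output shown in the post and the kernel table that
netstat reads on Linux, /proc/net/raw. All sample data here is constructed."""
import re
import socket
import struct
from dataclasses import dataclass
from typing import List

# Raw sockets that are ordinary on a typical Linux host (assumption for this
# example): ICMP, which ping uses. Extend it if you run OSPF, GRE, etc.
EXPECTED_RAW_PROTOCOLS = frozenset({1})


@dataclass
class RawSocket:
    protocol: int    # IP protocol number the socket is bound to
    local_ip: str
    owner: str       # "pid/program" from netstat or "inode:N" from /proc

    def suspicious(self, expected=EXPECTED_RAW_PROTOCOLS) -> bool:
        return self.protocol not in expected


# netstat -pan prints raw sockets as: raw RecvQ SendQ local:proto foreign state pid/prog
NETSTAT_RAW = re.compile(r"^raw\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+\d+\s+(\S+)")


def parse_netstat(output: str) -> List[RawSocket]:
    """Return every raw socket listed in `netstat -pan` output."""
    found = []
    for line in output.splitlines():
        m = NETSTAT_RAW.match(line.strip())
        if m:
            found.append(RawSocket(int(m.group(2)), m.group(1), m.group(3)))
    return found


def parse_proc_net_raw(table: str) -> List[RawSocket]:
    """Return every entry of /proc/net/raw. local_address is <hex IP>:<hex proto>;
    for raw sockets the 'port' slot holds the protocol number (000B == 11).
    The IP is printed in host byte order; '<I' assumes a little-endian host."""
    found = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue                      # header line or junk
        ip_hex, proto_hex = fields[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        found.append(RawSocket(int(proto_hex, 16), ip, "inode:" + fields[9]))
    return found


def find_suspicious(sockets: List[RawSocket]) -> List[RawSocket]:
    """Raw sockets on protocols the host is not expected to use."""
    return [s for s in sockets if s.suspicious()]


# Constructed sample: one legitimate ICMP raw socket, one bound to protocol 11
# by a process that renamed itself to look like a getty, as the excerpt describes.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           980/ping
raw        0      0 0.0.0.0:11              0.0.0.0:*               7           5226/[mingetty]
"""

PROC_RAW_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 17002 2 0000000000000000 0
  11: 00000000:000B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31415 2 0000000000000000 0
"""

if __name__ == "__main__":
    for s in find_suspicious(parse_netstat(NETSTAT_SAMPLE)):
        print(f"netstat: raw socket on protocol {s.protocol} held by {s.owner}")
    for s in find_suspicious(parse_proc_net_raw(PROC_RAW_SAMPLE)):
        print(f"/proc/net/raw: protocol {s.protocol}, socket {s.owner} (map to a PID via /proc/*/fd)")
```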

      • Oh, add the IPv6 counterparts to all of that while you're at it if you use ipv6. See /etc/protocols.

        Allowing _only_ icmp udp and tcp will break your ipv6 setup if you have one.

        People that don't use IPv6 should of course ignore my advice :)

      • I apologize. My first response to you was wrong, retarded, and obnoxious. I have had the error of my ways, and thought process pointed out to me by others. (Just read all of the replies). I really should not give in to the "let's go look at slashdot" after a night out.

        Later.

      • Block ICMP too, except for the TCP_FRAGMENTATION_REQUIRED messages, otherwise you cripple TCP a bit.

      • My first post. Slashdot rules.

        I'm an ISP Network engineer with plenty of experience troubleshooting and preventing DOS attacks. If you're not working with the ISP, you have no hope of defending against these, because the attacker is gunning for your bandwidth, not your system. No sane ISP will filter on random protocol numbers because of the resources (router horses and nerd eyeballs) involved. The only proven defense I've seen is to monitor bandwidth usage with mrtg and get the ISP involved kwik. Here is an IOS example that will save you from the dreaded 11 attack. (although you have to detect the attack first: the hard part)

        class-map match-all DOS
        match access-group 189

        policy-map killeleven
        class DOS
        police 256000 8000 8000 conform-action transmit exceed-action drop

        access-list 189 permit 11 any any

        erich
        ccie4653
    • "What does protocol do?"

      It turns people into stuck up assholes.

  • Oh c'mon... (Score:3, Informative)

    by stirfry714 ( 410701 ) on Sunday July 07, 2002 @10:53PM (#3839358)
    In response to the people criticizing the information about the protocol used...

    Now someone can't even mention general characteristics of a hack without being criticized for giving information to "script kiddies" or "trojan writers"?

    We know that security through obscurity is a poor excuse. I'd rather have this stuff out in the open so I and others can deal with it, than have it known only to a few...
    • ... and as the agent has to run as root anyway, if someone can root your box, they will also be able to install something like this. From what I read, this agent is largely cut and pasted from other tools; the control-by-protocol-11 is new but hardly earthshattering.

      The source code of this is rather useless to a black-hat unless they can also root the box.
    • Hear, hear! Folks, remember that this binary was found in the wild. The script kiddies already know what it is; the admins don't.
  • by lingqi ( 577227 ) on Sunday July 07, 2002 @10:56PM (#3839383) Journal
    P. 11 is RFC 741 - NVP (network voice protocol)

    look at it here [networksorcery.com].

  • What is the use of protocol 11?

    Would it be harmful if I just block it off?

    How may I do the blocking with ipchains and iptables?

    Thanks
    • by elandal ( 9242 ) on Sunday July 07, 2002 @11:47PM (#3839585) Homepage
      It's Network Voice Protocol, and it's safe to block unless You use it (and You should know if You do).

      I have default DENY, and specific ACCEPT rules. As everything I do ACCEPT contains a protocol, this means that unknown protocols are denied. For as long as You run only IPv4, no multicast, and so on (like most people do - although IPv6 is gaining), You only need icmp, igmp, tcp, and udp. Read /etc/protocols for mysterious acronyms.

      If You default to ACCEPT, or have very broad ACCEPT rules based on just eg. the IP addresses, You can, with ipchains, deny as follows:
      ipchains -A input -j DENY -p nvp
      Not tested, but should work.
  • by Anonymous Coward
    This is great. From the source:

    /*
     * dns queries:
     * SOA queries for
     * com
     * net
     * de malformed packet
     * edu
     * org
     * usc.edu

    All of these dumbass machines (mostly in Australia) kept hitting my primaries with questions for those! I couldn't figure it out, and no amount of searching on Usenet turned up any help. Now at least I know it's due to some idiot worm drilling me.

    Now I get to convert my IP addresses to hex and see what else is up there in that table. Blah.

    Feb 22 09:16:46 dns1 named[58]: denied query from [203.134.113.201].4763 for "usc.edu" IN

    Did anyone else see this?
  • The important design objectives of the Network Voice Protocol (NVP) are:

    - Recovery of loss of any message without catastrophic effects. Therefore all answers have to be unambiguous, in the sense that it must be clear to which inquiry a reply refers.
    - Design such that no system can tie up the resources of another system unnecessarily.
    - Avoidance of end-to-end retransmission.
    - Separation of control signals from data traffic.
    - Separation of vocoding-dependent parts from vocoding-independent parts.
    - Adaptation to the dynamic network performance.
    - Optimal performance, i.e. guaranteed required bandwidth, and minimized maximum delay.
    - Independence from lower level protocols.
    • Reading this I really understand why you would use this protocol for DOS attacks...

      "Design such that no system can tie up the resources of another system unnecessarily"

      um, nope, they f***ed that one up.

      "- Avoidance of end-to-end retransmission.
      - Separation of control signals from data traffic.
      - Adaptation to the dynamic network performance."

      Go, DOSbots, go!
      • Reading this I really understand why you would use this protocol for DOS attacks...
        First, the-binary doesn't use protocol 11 for the DoSes (they use SYN flood, Jolt 2, and a DNS flood).

        Second, the authors of the-binary didn't implement NVP-II, they just stuck "11" in the protocol field (probably so they could avoid blockage/detection by firewalls/IDSes).

        It's all spelled out here [honeynet.org].
  • by Anonymous Coward
    From the bonus questions [honeynet.org]:

    Summary

    The program was written in 2000, being inspired by the media attention of the trinoo and TFN DDOS tools. The programmer is most likely young with limited personal resources. The programmer has a low skill level and resorts to the "cut and paste" style of programming. The programmer possibly resides in Europe and socialises with other blackhat style programmers. The programmer is male, overweight and has no social life other than his computer. He wears glasses and was bullied throughout school. He uses computers as a way of getting back at the world which has maligned him. You decide where reality steps aside and Hollywood takes over.
    • Did the participants take into account the code output from the compiler's cookie-cutter methodology or did they take the output at face value? I ask this because there is a lot of talk, particularly several years ago about how "bad and inefficient" gcc-generated code was. How much does looking at object code tell us how well the original high-level source was written?
  • by tswinzig ( 210999 ) on Sunday July 07, 2002 @11:16PM (#3839484) Journal
    "This protocol goes to eleven."
  • by josh crawley ( 537561 ) on Sunday July 07, 2002 @11:27PM (#3839516)
    Well, what I've pulled from websites and the RFC:

    1: It's a protocol. In IP speak, it's under the same section that TCP (6), UDP (17), ICMP (1), and others fit under. On unix boxen, it can be found in /etc/protocols. The protocol specification is in the header of the 20 byte beginning part of the IPv4 datagram. It's an 8-bit field.

    2: It was created specifically for voice transfers, along with "telephone emulation" (just the way you interface with the tele). I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones(that use IP networks) use this protocol to transfer voice data.

    Some were asking how this could flood your system.... Well, what's the difference between TCP and UDP? Or how about ping floods??? Well, it's all data being sent to you. Doesn't matter what 8-bit field is switched... It's still garbage data (if you didn't request it). It fills up your receiving connection.

    Hopefully I've explained what this is. I'll probably be modded redundant as somebody probably wrote a better "explanation" while I wrote mine. Oh well.

    • 2: It was created specifically for voice transfers, along with "telephone emulation" (just the way you interface with the tele). I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones(that use IP networks) use this protocol to transfer voice data.

      The winner [honeynet.org] of the challenge noted in his writeup that 'Protocol 11 is reserved for the Network Voice Protocol (NVP-II, rfc741 for the curious). NVP-II is an old protocol, generally not considered to be in use today.'

      Some were asking how this could flood your system.... Well, what's the difference between TCP and UDP? Or how about ping floods??? Well, it's all data being sent to you. Doesn't matter what 8-bit field is switched... It's still garbage data (if you didn't request it). It fills up your receiving connection.

      The binary doesn't use protocol 11 for its DoS attacks; it uses three known attacks - a SYN flood, a 'jolt' attack (microsoft specific) and a DNS request flood. Protocol 11 was only used for communication between the handler and the agent. Try reading the winner's excellent writeup [honeynet.org] for more information.

    • I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones(that use IP networks) use this protocol to transfer voice data.
      Taking a look at the RFC [faqs.org] might raise some doubts in your mind regarding that belief. This protocol was designed for use with the old ARPANET protocols [faqs.org], which pre-dated IPv4. I'm guessing the only reason there's a code point for it in /etc/protocols is for old, old compatibility reasons, back when ARPANET was migrating from the old protocol to IP.
    • 2: It was created specifically for voice transfers, along with "telephone emulation" (just the way you interface with the tele). I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones(that use IP networks) use this protocol to transfer voice data.

      Nobody uses it. GSM most certainly does not. I'd be surprised if even a single commercially available webphone uses it.

      Some were asking how this could flood your system.... Well, what's the difference between TCP and UDP? Or how about ping floods??? Well, it's all data being sent to you. Doesn't matter what 8-bit field is switched... It's still garbage data (if you didn't request it). It fills up your receiving connection.

      This is wrong. The handler sends instructions to the agent via protocol 11. The agent performs traditional DOS attacks. I'm not saying you couldn't flood someone with protocol 11 packets, but that has nothing to do with this tool.

    • Unfortunately, your explanation is wrong, particularly WRT the role of NVP in the Internet. ie, it has none. Today, the great majority of digital voice sent over the 'net is transmitted using RTP (Real-Time Protocol), which is a protocol layered over IP (ie, at the same level as UDP or TCP). In fact, RTP is also used for things like digital audio, as well (ie, RealAudio). Interestingly, digital voice these days still uses what are essentially separated control and data streams. Today, SIP is used for the signalling portion, and then RTP kicks in for the transport.

      As for GSM, etc, within the wireless network itself, that stuff is transmitted as radio frames using fairly standard communication protocols over what is essentially circuit-switched networks (not quite... it's ATM and other things, but it's all point-to-point links in a tree structure) into the core telephony network. Well, at least, that's what the standards dictate. Within company backbones, it's quite possible they're using RTP or something like that for sending the voice, assuming they're using an IP-based, packet-switched transport, but I wouldn't put money on it, especially since I have no direct knowledge in that area of the telephony industry. It's quite likely they're using various proprietary technologies for that. But they're certainly NOT using NVP.
  • Oh The Irony Of It All

    tool for performing remote DoS attacks /. effect..... Do I win?
  • So here's my question... since everybody is calling this protocol NVP..

    Most machines are not configured to handle NVP. Windows, I don't even know if it has such support. So why did the writer choose NVP? Who is listening to it?

    Or is it more correct to say that the writer simply happened to tag his IP packets with #11 as the protocol, which just HAPPENS to be NVP? His implementation may really have nothing to do with NVP except that it uses the same protocol #.

    Of course, the source has been DoSed (or slashdotted, however you want to put it) so I can't really look at it.



    • It is some kind of old-fashioned NVP that really isn't used right now. Check this out:
      Detection

      =========

      Any network traffic using an unusual protocol should be suspect. This tool
      uses protocol 11, but could easily be recompiled to use another protocol.
      As protocol 11 is not currently used, any network traffic using this
      protocol should be assumed to be communication between handlers and agents
      of this tool. The signature for detecting agent / handler communication
      was described in the previous section.

      Note that the source address of a packet from handler -> agent should not
      be assumed to be the actual address of the handler. The source address in
      the IP header is most likely to be spoofed. Similarly, data from agent ->
      handler is often faked to increase the difficulty of tracing the attacker's
      whereabouts.

      To hide from casual detection, the agent changes its process name to
      [mingetty].
      This is the standard getty for RedHat, and Slackware versions pre 7.0.

      To detect a running agent on a system, netstat can be used to determine
      if any processes are using protocol 11. The following command and
      response shows a running agent process.

      # netstat -pan | grep raw | grep :11
      raw 0 0 0.0.0.0:11 0.0.0.0:* 7 5226/[mingetty]

      If found, all instances of mingetty should be killed (to ensure that
      children are caught as well). This will kill valid mingetty processes
      as well, but they will be respawned by the init process.

      # ps ax | grep mingetty | grep -v grep | awk '{print $1}' | xargs kill -9

      The system should immediately be taken off the network and analysed to
      determine how the attacker gained root access.
      Have a nice day.

      MM
      --
    • Re:Is it really NVP? (Score:2, Informative)

      by Anonymous Coward
      As far as I can tell, this program doesn't use NVP for attacking, and instead uses it as a covert channel on which it sends instructions to already compromised hosts, such as which host to DOS etc..

      As such, as long as routers in general route it (since it's encapsulated in IP, this is not a problem) it doesn't matter that no one's listening to it. An already compromised host will be listening to it, and that's what matters.

      Yes, that means you're correct to say that it's just saying that the packets are #11, while not implementing NVP at all.
  • About the binary (Score:5, Informative)

    by eaglesnax ( 238705 ) on Monday July 08, 2002 @12:13AM (#3839660)
    I participated in the contest, and to answer a few questions:

    1) Protocol 11 is used in this tool simply as a messaging protocol. No attempt was made by the author to adhere to the published NVP RFC. The author simply sticks 11 in the protocol field of the IP header. Think of each packet as a UDP packet, no handshake, etc...

    2) Protocol 11 is not used to perform any of the DoS attacks. The attacks are fairly standard DoS attacks like TCP SYN, and ICMP echo floods.

    3) Protocol 11 gets through many firewalls because sysadmins only set up rules to block unwanted TCP, UDP, and ICMP packets.

    4) Single incoming protocol 11 packets are used to trigger compromised hosts to perform selected DoS attacks

    I hope that helps

    Chris
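Points 1 and 4 above describe the command channel as bare IPv4 datagrams with 11 in the protocol field and no transport header behind it. The network-side rule from the Honeynet "Detection" excerpt quoted earlier in the thread, as an added example that is not the challenge's code: decode the IPv4 header and alert on any protocol outside an assumed allow-list. The packets, addresses and payload bytes are constructed and do not reproduce the tool's real message format.

```python
"""Network-side check: flag IPv4 packets whose protocol field is not one the
site expects. The agent's command packets carry protocol 11 with an arbitrary
payload directly after the IP header, so header inspection alone catches them.
All packets below are constructed for the example."""
import socket
import struct
from typing import Dict, List, Optional

# Protocols a typical edge firewall expects to see (assumption for this example).
ALLOWED_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte header, network byte order


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header. With the checksum field
    already filled in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> Optional[Dict]:
    """Decode the IPv4 header; None if the bytes are not a plausible IPv4 packet."""
    if len(pkt) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    return {
        "protocol": proto,
        "src": socket.inet_ntoa(src),   # untrusted: the excerpt notes it is usually spoofed
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:total_len],
    }


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Build a constructed IPv4 datagram with a correct header checksum."""
    total = 20 + len(payload)
    fields = [0x45, 0, total, 0x1234, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def unusual_protocol_alerts(packets: List[bytes], allowed=ALLOWED_PROTOCOLS) -> List[Dict]:
    """The excerpt's rule: traffic on a protocol the site does not use is suspect,
    and protocol 11 in particular is handler/agent communication for this tool."""
    alerts = []
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        if hdr is None or hdr["protocol"] in allowed:
            continue
        alerts.append({k: hdr[k] for k in ("protocol", "src", "dst", "ttl", "checksum_ok")})
    return alerts


def sample_packets() -> List[bytes]:
    """Constructed traffic mix: a TCP segment, a UDP datagram, and one bare
    protocol-11 datagram whose payload is placeholder bytes."""
    return [
        build_ipv4(6, "198.51.100.7", "192.0.2.10", b"\x00\x50\x04\xd2" + b"\x00" * 16),
        build_ipv4(17, "198.51.100.7", "192.0.2.53", b"\x00\x35\x00\x35\x00\x08\x00\x00"),
        build_ipv4(11, "203.0.113.99", "192.0.2.10", b"\x02\x00\x00\x00constructed-command"),
    ]


if __name__ == "__main__":
    for a in unusual_protocol_alerts(sample_packets()):
        print(f"ALERT: IP protocol {a['protocol']} {a['src']} -> {a['dst']} (source unverified)")
```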
    • by pmineiro ( 556272 )

      3) Protocol 11 gets through many firewalls because sysadmins only set up rules to block unwanted TCP, UDP, and ICMP packets.

      Sad but true. The lesson here is, setup firewalls with default deny rules, and only accept the packets you want.
    • 3) Protocol 11 gets through many firewalls because sysadmins only set up rules to block unwanted TCP, UDP, and ICMP packets.

      This is yet another reason why you should always use a default deny stance when configuring your firewall. Just blocking proto 11 because you read this article is not going to make your network any more secure.

    • 5) UDP's protocol number is 17, or 0x11. Who wants to bet he forgot a 0x in his code and use of proto 11 is a bug :)
      • Re:About the binary (Score:2, Interesting)

        by Dave9876 ( 591025 )
        Nope, it is protocol 11 (decimal), ie. 0x0b.
        From my own playing around with "the-binary" during the contest (on a box that was totally disconnected from the world), I got the following from an strace -f

        socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

        As you can see, it's opening it as protocol 11, and he didn't miss an 0x from the beginning. So, it's not just UDP.

        • Since when can a disassembler tell if 0xb was written as 0xb or 11 in the original source code?

        • Whether or not the user put 0xb or 11, the compilation process is going to write 00001011 into the 8 bits that represent that variable. Now when you run strace or a disassembler, it looks at this binary number 00001011, and it can print 0xb to make it pretty for you, but it cannot tell you if the original source code put 0xb, 11, 013, (2011-2000), (5*2+1), etc.

          So, as I can see, strace interprets data in hexadecimal by default (%X!!), which I don't find surprising at all.
      • It is unlikely that he made a mistake, as he makes no effort to set up UDP header fields in his protocol 11 packets. Changing the protocol to UDP in his program would result in all of his message packets having bad UDP checksums and lengths.
    • 5)???

      6)Profit!!!

      yes, that old gag again... :P
  • From the results page [honeynet.org]:

    The cost to contract out this analysis would most likely run at least $350 an hour. At that rate, the average cost for analyzing this binary would have been $28,000.
    This must be good news for the participants, not to mention the winners!
  • by oliphaunt ( 124016 ) on Monday July 08, 2002 @02:01AM (#3840001) Homepage
    I spent a little time reading the solutions of the winner, and of the #9 guy who won the $200 gift certificate for the most concise answer. I clicked on the "cost estimate" link for the winner.

    I thought it would be one of those vaporous confabulations of how many BILLIONS of dollars' worth of corporate man hours would be lost to this exploit. Surprise! It's an estimate [honeynet.org] of what he would charge you to do this, if you were paying him ~$70k a year. If you don't want to click, it was about $3500 for the winner, and about $850 for the 9th place guy.

    Then I started clicking [honeynet.org] a couple [honeynet.org] at random [honeynet.org], and I noticed that the various [honeynet.org] cost analyses of various teams seem to cluster between $2500 and $4000 or so.

    The Italian team [honeynet.org] are the clear outliers, claiming that they would bill over $10,000 JUST for the RE team and the analysis write-up. They included a full day's billing to cover "meeting, discussion, and coffee time."

    The conclusions? a) One Dutch kid [honeynet.org] can do the work of 8 Italian professionals in about 1/40th the time, and b) I need to get a job in Italy.

  • by Animats ( 122034 ) on Monday July 08, 2002 @02:02AM (#3840004) Homepage
    The only IP protocol numbers in widespread use are for ICMP, UDP, and TCP. Almost everything else is some obsolete thing from the early days of the Internet. (Reading through the list gives me a feeling of nostalgia, with people, protocols, and equipment I remember from the earliest days of TCP/IP research. Xerox Parc Universal Protocol over IP over 3MB Ethernet...)

    Other than to be obscure, there's no good reason to use an unused IP protocol number rather than an unused UDP protocol number. This attack could equally well have used a UDP port.

    It's worth checking servers to see if there's anything configured to listen to obsolete protocol numbers and unused UDP ports. Many UNIX servers still have a vast number of obsolete Berkeley daemons running. Some, like "biff", have known vulnerabilities. And it's worth checking for traffic on obsolete protocol numbers to see if some spyware is using them.
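    As an added example (not code from this post or from the Honeynet Project), a small Python monitor that decodes IPv4 headers from captured packets and reports any packet whose protocol number is not on a short allowlist; the allowlist and the sample packets are constructed here, and the protocol-11 packet stands in for the command channel the analysed tool used.

```python
import struct
from ipaddress import IPv4Address

# Protocols a typical host carries; assumption: extend for GRE, ESP, IGMP, etc.
EXPECTED_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def _checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet: bytes) -> tuple:
    """Return (src, dst, proto) or raise ValueError if this is not a well-formed IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or _checksum(packet[:ihl]) != 0:
        raise ValueError("bad header length or checksum")
    fields = struct.unpack(HDR, packet[:20])
    return str(IPv4Address(fields[8])), str(IPv4Address(fields[9])), fields[6]

def unusual_protocols(packets: list) -> list:
    """Report (src, dst, proto) for each packet whose protocol number is off the allowlist."""
    found = []
    for pkt in packets:
        try:
            src, dst, proto = parse_ipv4(pkt)
        except ValueError:
            continue  # malformed or non-IPv4: skip rather than crash the monitor
        if proto not in EXPECTED_PROTOCOLS:
            found.append((src, dst, proto))
    return found

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet with a valid header checksum (test input only)."""
    f = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed]
    f[7] = _checksum(struct.pack(HDR, *f))
    return struct.pack(HDR, *f) + payload

# Constructed sample traffic: ordinary TCP and UDP plus one packet carrying IP protocol 11.
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.1", "10.0.0.2", 6, b"\x00" * 20),
    build_ipv4("10.0.0.1", "10.0.0.3", 17, b"\x00" * 8),
    build_ipv4("192.0.2.10", "192.0.2.20", 11, b"\x00" * 4),
]
```

    In practice the packets would come from a capture file or a raw socket; the checksum check keeps corrupted frames from producing false alarms.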


  • For the DNS attack, SOA queries for the following domains are made

    com
    net
    edu
    org
    de Germany
    usc.edu University of Southern California
    es Spain
    gr Greece
    ie Ireland
    Why the contrast between country codes for countries in Europe, and a US university? A theory on this is that the programmer resides in Europe, hence the familiarity with the European country codes, and has friends studying at usc.edu.


    Having just graduated from USC.... I am more inclined to think that the coder is (was) a student here, or at a big rival school (such as UCLA). It would be more likely then that the country codes were the first ones that came to his head, or that they were the countries that his friends (or enemies) originate from. (USC and UCLA both have inordinately large populations of foreign students compared to other US universities.)
  • by snake_dad ( 311844 ) on Monday July 08, 2002 @03:39AM (#3840250) Homepage Journal
    Analyse the DoS attack honeynet.org experienced July 8, 2002.

    Bonus question: explain why this attack had so many valid originating IP addresses.

  • with its instructions being cunningly supplied via the lesser known IP protocol 11.

    Instructions being "hey, dos this". It doesn't use nvp to flood the target, just to get its orders from its master kiddie.

    Will all the cloobies please log off now. Thank you.
  • We all know that reverse engineering without the permission of the copyright holder is a violation of the DMCA, and doing so "willfully and for purposes of commercial advantage or private financial gain," such as to win a contest like this one is a criminal offense. Since it's a criminal offense, the victim (the copyright holder) doesn't even have to step up and admit that s/he's the copyright holder.

    Sounds like a good test case.

  • Dion Mendel (Score:3, Interesting)

    by ardiri ( 245358 ) on Monday July 08, 2002 @08:07AM (#3840719) Homepage
    i went to school with this guy :)

    one hell of a smart guy; although strange at times (not at all bad). married to tiki swain - also another "unfound" talent. many would not see him as a "computer nerd" *g* - he is short, thin, hates working, hates wearing shoes - and, likes to live in the "wild". mcdonalds, coke, all other commercial stuff just isn't his cue - he prefers finding food in the wild :) overall a great guy - met him in march this year back in perth (australia). nice to see someone finally recognises some of his talent.

    kudos Dion!
