Dailydave mailing list archives

Re: DefCon CTF


From: Trygve Aasheim <trygve () pogostick net>
Date: Sat, 16 Aug 2008 20:21:23 +0200

What type of firewall are they running at defcon CTF if the state table 
overflows based on what was in the packets? A state table only keeps 
track of "state" for a session...being SYN, SYN-ACK, ESTABLISHED, 
FIN-ACK etc, and will drop traffic if they are out of state...

If somebody is sending shell code and binary rubbish to a service over a 
session, it shouldn't change the state table in any way...

If there were no services on these ports, and the firewall policy 
reflected this - the sessions wouldn't even enter the state table.

Firewalls usually have issues with small packets (that's why vendors 
don't use the RFC for performance testing (and even pay magazines so 
they don't use it either), but send one insanely long ftp stream through 
their one-rule-policy firewall and claim gbit performance), but it has 
nothing to do with the state table.

Logging, packet capture and routing might also decrease the performance 
of a firewall.

On VMs you have a totally new game when it comes to network performance 
though. Trying to do packet capture, run firewalls and such together 
with tons of sessions on virtual machines/interfaces often results in 
strange behavior if the VM is on a host OS and not a hypervisor.
Holt Sorenson wrote:
On Fri, Aug 15, 2008 at 01:48:16PM -0700, Doc Brown wrote:
As for "network problems", I would suspect some of it was teams' firewalls
blocking detected attacks, some of it was VM load from all the forking
services, some of it was network load.  While key refresh happened every
5-7 minutes, many teams attacked over and over instead of waiting 3
minutes or so between attempts.

There was seemingly constant spew to ports 22 and 25 throughout much of
the game that looked like someone was dumping binary detritus
intermixed with shell code (somebody playing with fuzzers?) that I
talked to Ken Shoto about several times.

Stuff like that doesn't do anything for the game (since all the
interesting services run on other ports anyway) and seemed to be
contributing to the state table overflowing in the game firewall.

This was why, during the post-game debrief meeting, I made the
point that activity like this is counterproductive and isn't
going to move your team forward during the game.

Couple this with the factors you cite above and it made for a pretty
shitty network experience during the game at times.

Hopefully teams in the future are more surgical.

DefCon CTF isn't about carpet bombing, it's about laser guided
munitions.

(and Doc, I know you're part of the choir on this too, but I
needed to rant a bit).

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
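As an added illustration (not code from the thread or from any firewall vendor), here is a toy Python connection tracker that models the point made above: entries are keyed on the session 4-tuple and advance on TCP flags and direction, so payload bytes never touch the table; a SYN to a port the policy does not allow never creates an entry; and what does exhaust a small table is many half-open sessions. Addresses, ports, the table size and the "shellcode-looking" payload are all constructed for the example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags payload")  # flags: frozenset

class StatefulFirewall:
    def __init__(self, services, max_entries):
        self.services = set(services)  # policy: allowed (server, port) pairs
        self.max_entries = max_entries
        self.table = {}                # (client, cport, server, sport) -> state

    def process(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            key, state, from_client = fwd, self.table[fwd], True
        elif rev in self.table:
            key, state, from_client = rev, self.table[rev], False
        else:  # new session: only a bare SYN to a policy-allowed service may enter
            if p.flags != {"SYN"} or (p.dst, p.dport) not in self.services:
                return "DROP"
            if len(self.table) >= self.max_entries:
                return "DROP"          # table full: this is the overflow case
            self.table[fwd] = "SYN_SENT"
            return "ALLOW"
        # Transitions depend on flags and direction only; payload is never read
        if state == "SYN_SENT" and not from_client and p.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECV"
        elif state == "SYN_RECV" and from_client and "ACK" in p.flags:
            self.table[key] = "ESTABLISHED"
        elif state == "ESTABLISHED" and "FIN" in p.flags:
            self.table[key] = "CLOSING"
        elif state == "CLOSING" and "FIN" in p.flags:
            del self.table[key]        # both sides closed: entry released
        elif state not in ("ESTABLISHED", "CLOSING"):
            return "DROP"              # out of state
        return "ALLOW"

def demo():
    fw = StatefulFirewall(services={("10.0.1.7", 25)}, max_entries=3)
    pk = lambda s, sp, d, dp, fl, pl=b"": Packet(s, sp, d, dp, frozenset(fl), pl)
    c, srv = "10.0.0.5", "10.0.1.7"   # constructed client and server addresses
    hs = [fw.process(p) for p in (pk(c, 40000, srv, 25, ["SYN"]),
          pk(srv, 25, c, 40000, ["SYN", "ACK"]), pk(c, 40000, srv, 25, ["ACK"]))]
    junk = b"\x90" * 64 + bytes(range(256))   # constructed "shellcode-looking" bytes
    data = {fw.process(pk(c, 40000, srv, 25, ["ACK"], junk)) for _ in range(100)}
    size_after_data = len(fw.table)           # still one entry after 100 junk packets
    closed = fw.process(pk(c, 40001, srv, 22, ["SYN"]))       # no service on 22
    flood = [fw.process(pk(f"10.9.{i}.1", 1000 + i, srv, 25, ["SYN"])) for i in range(4)]
    return {"handshake": hs, "data": data, "size_after_data": size_after_data,
            "closed_port": closed, "flood": flood, "final_size": len(fw.table)}
```

Running `demo()` shows the established session staying at one entry no matter what is sent over it, the SYN to port 22 dropped without an entry, and the third half-open SYN dropped once the three-entry table is full.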