CCTF: Secure Server - USC/ISI

Created by: Jelena Mirkovic, USC/ISI, sunshine@isi.edu
Contents
  1. Overview
  2. Blue Team Tasks
  3. Red Team Tasks
  4. Scoring
  5. Exercise Dynamics
  6. Grading
  7. Useful Links

Overview

This exercise lets students practice finding and patching vulnerabilities, as well as exploiting them. Students will be divided into 3-4 person teams. Each team will play the defender role (Blue team) for their own system and the attacker role (Red team) for another team's system.

Each network in the exercise will consist of six machines - a server and a gateway machine under the control of the Blue Team, three client machines under the control of the Red Team and a router machine that neither team controls. Links between clients and the router and the link between the gateway and the server are 100 Mbps. The link between the gateway and the router is 1 Gbps. This allows the clients to attempt to create DoS conditions by flooding the link between the gateway and the server. The network for the exercise is shown below and the NS file for it resides at /share/education/SecureServer_USC/cctf.ns.

Blue Team Tasks

This team will control the server and the gateway machine, connected by 100 Mbps link. The server is a classical LAMP server and will have some php scripts and MySql database already set up. The scripts allow users to register (insert username and pass into the database) and to deposit or withdraw money from their accounts, or to check balance and transaction history. The scripts are poorly written. There is no input validity checking and no user authentication. Access to database is with a root account. Existing users have weak passwords too.

The task of the Blue team is to fix this installation so that it is more secure. Any approach is OK to use but you must keep DB schema unchanged. You can reinstall MySql, change user account passwords (but you must keep existing users), change PHP code, etc.

The Blue team should also develop a monitoring program for the gateway machine and for the server so that they can quickly spot if the Red team launches denial-of-service and so that they can defend from it. One way to defend from it is to implement some filtering at the gateway machine via iptables.

Make sure you understand how iptables command works before you use it as you may cut off your access to a given machine in DeterLab if you filter out some specific traffic to/from it, e.g., all outgoing traffic. The only way to recover from this is to reboot the machine using Web portal for DeterLab. Click on your Experiment, then click on the machine's name in the Node List (e.g., pc133) and then choose "Reboot node" from the top left menu. It usually takes 5-10 minutes for the machine to come up again.

The goal of the Blue team is to keep accounts of existing users intact, to ensure correct operation of the program (e.g., one cannot withdraw money from an account with a zero balance), and to keep the server up and running. If the server gets compromised or attacked, the Blue team should strive to bring it back up quickly and to patch it.

When developing and practicing swap in an experiment using /share/education/SecureServer_USC/cctf.ns file. Then on the server machine run /share/education/SecureServer_USC/install_server (type "rootmysql" during MySql installation). This will lead to the identical setup as the one during SecureServer exercise.

Assumptions and Requirements

You can borrow code from online sources but you need to understand what it does and how.

Milestones

Here are some milestones that your team must reach BEFORE the exercise.

  1. Patch the vulnerabilities on the server machine so that it is not vulnerable to SQL injection and malformed requests or requests that would lead DB into inconsistent state are detected and replied to with an error message.
  2. Develop logging at the server that will let you automatically check if DB is in consistent state
  3. Develop monitoring software on the gateway machine that will let you automatically check if server getting slow
  4. Extend your monitoring software so you can automatically get statistics on number of packets and bytes sent to the server in TCP data, TCP SYN, UDP and ICMP and Total categories so you can diagnose various DDoS attacks. Make sure the software monitors the correct interface.
  5. Extend your monitoring software so you can detect number of packets and bytes sent to the server by each client IP. Make sure the software monitors the correct interface.
  6. Learn how you would write rules for iptables to filter traffic with some characteristics, e.g., by protocol, sender IP, length, TCP flags, etc. You may need to write those rules manually during the exercise but make sure you have tried to write them while preparing for the exercise and that they work correctly. You can check correctness by generating attack traffic with some signature (e.g., packet length, sender IP, protocol, etc.), writing a rule to filter it and checking that that traffic is dropped. You can check for drops in two ways. First, you could run your monitoring software on the interface leading to the server. Second, you could use an option with iptables that lets you see counts of times a rule was matched. It may be advisable to try both methods for measuring correctness as the first measures what goes to the server and the second shows you that the rule was activated by attack traffic.
Tasks 1, 2, 3 can be done in parallel and tasks 4, 5 and 6 must be done in sequence.

Red Team Tasks

The Red Team will have control over the three client machines. They should program one of those to send only legitimate traffic, and two can be used for various attacks. Since responses to this traffic will be used to evaluate if the server is running, requests must come with at least 1 request per second frequency.

The goal of the Red Team is to succeed in as many of the following attacks as possible:

  1. Corrupt the DB accounts of the existing users,
  2. Lead the server program into unexpected behavior (e.g., withdraw money that does not exist in an account, corrupt the DB, etc.)
  3. Bring down the server (either through compromise or through denial of service).
Any attack is allowed, even breaking Blue team's passwords.

When developing and practicing swap in an experiment using /share/education/SecureServer_USC/cctf.ns file. Then on the server machine run /share/education/SecureServer_USC/install_server (type "rootmysql" during MySql installation). This will lead to the identical setup as the one during SecureServer exercise.

Assumptions and Requirements

You can borrow code from online sources but you need to understand what it does and how.

Milestones

Here are some milestones that your team must reach BEFORE the exercise.

  1. Develop attacks that may lead the server into inconsistent state, without using SQL injection.
  2. Develop SQL injection attacks.
  3. Develop attacks that may crash the server because they require it to process too many requests or because requests are malformed.
  4. Develop attacks that flood the link between the gateway and the server. It may be advisable to use raw sockets here to craft packets. It may also be advisable to parameterize attack software so that you can easily change spoofing technique, if any, packet type, packet length, etc.
  5. Test ALL your attacks and make sure they do work against vanilla server given to you in the assignment. Then test them against your hardened server. Then iterate between trying to handle those that work against your server and trying to craft new attacks that will bring that even more hardened server down.
Tasks 1, 2, 3 and 4 can be done in parallel.

Scoring

The Blue Team receives a point for each message that the server processes and sends a reply for (this could be an error message if the client request was found to be invalid). Conversely the Red Team scores a point for each message that the server cannot process. The Blue Team will also score points for each correct processing of a message, and for incorrect operation points will go to the Red Team. All messages and all replies will be logged at the server by your teacher.

Exercise Dynamics

Teams will need to simultaneously act as Blue Team and Red Team throughout the 2h exercise. We will then have a 10 min break followed by a post-mortem discussion and selection of a winning team.

Grading

Each team member will be graded based on their contribution to the team effort, not based on the team's performance. After the exercise each team member will submit a report containing the list of contributions they made to the team effort - e.g., modules that they coded, testing and setup they performed, etc. All team members must sign each report. Reports will be delivered to the instructor in class on . The grades will be assigned based on the report.

Useful Links

You can use any programming language you like for any part of your assignment.
  1. You can use netcat to send packets in a DDoS attack. To install do apt-get install netcat. Also see netcat manual
  2. You can use tcpdump to record network traffic. You can develop your own scripts to analyze it.
  3. You can also look at Web server logs at /var/log/apache2
Questions & Comments: Prof. Mirkovic at USC-ISI (sunshine at isi.edu)