Defender DoS and Don'ts


  • Defender DoS and Don'ts

    Okay, so people have been asking about countermeasures a bit.

    As I've said I think with so much to gain for attackers, it's really hard to be anal about what defenders can do beyond enforcing the basic concept that there is a GPG keypair somewhere on the box, at least two services, and some kind of authenticated access on day two.

    Just the same, the ever-resourceful DefCon community has come up with some wacky shit, so let me say what you can't do.

    • DoS the WiFi or contest LAN as a whole
    • Lie about the preshared credentials or lock the accounts
    • Anything that would disrupt defender <> attacker traffic other than your own


    Beyond that, have fun. A few people are talking about "counterhack" kind of stuff. I dunno, I would hope that an attacker plugged into the DC network wouldn't have any kind of obvious, scriptable remote vulns on their laptop, but, hey, you never know.

    You can definitely:

    • Firewall / intercept / null-route attack traffic as detected
    • Log off specific IPs when they do bad stuff
    • bounce people into tarpits / honeypots / etc
    • spoof services, use VMs, impersonation, etc


    On VMs, the approach proposed by dYn4mic seems best. A fragment of the keypair on each VM, and the full keypair on the hypervisor / host. So owning all VMs, or owning the hypervisor, constitutes compromise.

    This is kind of a FAQ-like entry, but I wanted a specific thread on countermeasures, because I'm interested in what folks are cooking up. You're entitled to the element of surprise, too, of course.

    I personally will be non-obscure... All my shells (for my non-sacrificial entries) will be BBS door games and InfoCom games wrapped in a MAC technology yet to be disclosed. I may be generous and put the keys inside a game at the end of one, just for fun.
    "Raise a toast to ... I think he might have been our only decent ."
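The VM layout described in the post above (one fragment of the keypair per VM, the whole keypair on the hypervisor, so that owning every VM or owning the host is a compromise) maps directly onto an all-of-n XOR secret split. The following is an added example written for this page, not code from sk00t, dYn4mic or the contest; the 32-byte "key" is a constructed stand-in for exported GPG secret-key material, and the VM names and function names are hypothetical. If a defender wanted "any k of n VMs" rather than "all VMs", XOR would have to be replaced with a threshold scheme such as Shamir's.

```python
"""
Added example: one key fragment per VM, full key on the hypervisor.
All-of-n XOR splitting: every fragment is needed; any strict subset of the
fragments is indistinguishable from random bytes, so owning some VMs yields
nothing, while owning all VMs (or the host) yields the key.
"""
import secrets
from functools import reduce
from operator import xor

# Constructed stand-in for the defender's GPG secret-key material (not a real key).
DEMO_KEY = bytes(range(32))


def split_all_of_n(secret: bytes, n: int) -> list[bytes]:
    """Split `secret` into n XOR shares; all n are required to rebuild it."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    # Last share = secret XOR every random share, so XOR of all n shares = secret.
    last = bytes(reduce(xor, column) for column in zip(secret, *shares))
    return shares + [last]


def combine(shares: list[bytes]) -> bytes:
    """XOR together whatever shares the caller holds (a subset gives garbage)."""
    if not shares:
        raise ValueError("no shares supplied")
    if len({len(s) for s in shares}) != 1:
        raise ValueError("shares differ in length")
    return bytes(reduce(xor, column) for column in zip(*shares))


def deploy(secret: bytes, vm_names: list[str]) -> tuple[dict[str, bytes], bytes]:
    """Return (share placed on each VM, full key kept on the hypervisor)."""
    shares = split_all_of_n(secret, len(vm_names))
    return dict(zip(vm_names, shares)), secret


def attacker_recovers(shares_by_vm: dict[str, bytes], hypervisor_key: bytes,
                      owned_vms: list[str], hypervisor_owned: bool) -> bytes:
    """Bytes an attacker ends up with, given which hosts they have owned."""
    if hypervisor_owned:
        return hypervisor_key            # the host holds the whole keypair
    held = [shares_by_vm[v] for v in owned_vms if v in shares_by_vm]
    if not held:
        return b""
    return combine(held)                 # only equals the key if every VM is owned


def is_compromised(recovered: bytes, secret: bytes) -> bool:
    """Constant-time check of whether the attacker's bytes are the real key."""
    return secrets.compare_digest(recovered, secret)


if __name__ == "__main__":
    vms = ["vm1", "vm2", "vm3"]          # hypothetical VM names
    shares, host_key = deploy(DEMO_KEY, vms)
    for owned, host in ([["vm1"], False], [["vm1", "vm2"], False],
                        [vms, False], [[], True]):
        got = attacker_recovers(shares, host_key, owned, host)
        print(f"owned={owned} host={host}: compromised={is_compromised(got, DEMO_KEY)}")
```

Scoring against `is_compromised` rather than against "a share file exists on the box" is the point: a scorer holding `DEMO_KEY` can tell a real reconstruction from the random-looking XOR of a partial set without the attacker being able to.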

  • #2
    Re: Defender DoS and Don'ts

    Originally posted by sk00t:
    Okay, so people have been asking about countermeasures a bit.
    [....snip....]
    I personally will be non-obscure... All my shells (for my non-sacrificial entries) will be BBS door games and InfoCom games wrapped in a MAC technology yet to be disclosed.
    Heh, that is a very cool/fun idea.

    I don't think there is much room for a "counterattack" in this contest. The best defense isn't always a good offense.
    If services start refusing to accept new connections from "bad" IPs, and attackers continually request new ones... I hope the DHCP pool will be large enough heh.
    The only constant in the universe is change itself



    • #3
      Re: Defender DoS and Don'ts

      Originally posted by dYn4mic:
      Heh, that is a very cool/fun idea.

      I don't think there is much room for a "counterattack" in this contest. The best defense isn't always a good offense.
      If services start refusing to accept new connections to "bad" ip's, and attackers continually request new ones... I hope the DHCP pool will be large enough heh.
      Yeah, I'm really hoping we don't break the network. Lock, Heather et al are very good at what they do, so I have no doubt they will be on top of it, and are very much aware of what we're up to.

      I like the idea of the boxes on the WiFi, but now that I think about it, I haven't personally used it for years.

      I think depending on how much room I have I might go ahead and bring a second switch for the contest area so folks who are interested can cable in directly. This way if folks are really into things they can hit the boxes over wired LAN as well.
      "Raise a toast to ... I think he might have been our only decent ."



      • #4
        Re: Defender DoS and Don'ts

        Originally posted by sk00t:
        Yeah, I'm really hoping we don't break the network. Lock, Heather et al are very good at what they do, so I have no doubt they will be on top of it, and are very much aware of what we're up to.
        I'm sure they will be able to handle it. They have built the DC-Network for a while. I don't think that anyone can bring their network down. :)

        I like the idea of the boxes on the WiFi but now that I think about I haven't personally used it for years.
        I think being able to access the boxes through the WiFi gives the contest a whole new dimension. With the wired-down cables we would have hundreds of attacks. With the WiFi there will be tens of thousands. Also it will be possible to "participate" while listening to a speech.
        "You have successfully out-nerded all of Full Disclosure. I commend your total commitment to being an awkward social outcast." Some guy on FD
