Codegate Quals - Network 200

In this problem a team is expected to find the top 4 victims of a DDoS attack logged in a pcap file (73992 entries). Bare Wireshark is not that effective at finding the top victims, so we wrote a small filtering script to produce an overview of the whole pcap file. A quick and dirty script that prints all IPs sorted by the number of packets sent to them:
use strict;
use warnings;
use Net::Pcap::Easy;
use Geo::IPfree;

my (%to, %from);        # packets received by / sent from each IP

my $gi  = Geo::IPfree->new;
my $npe = Net::Pcap::Easy->new(
        dev => "file:./A565CF2670A7D77603136B69BF93EA45.cap",
        default_callback => sub {
                my ($npe, $ether, $ip) = @_;
                return 0 unless $ip;      # skip frames without an IP layer
                $to{$ip->{dest_ip}}++;    # if $ip->{src_ip} eq '1.2.3.4';
                $from{$ip->{src_ip}}++;   # if $ip->{dest_ip} eq '1.2.3.4';
        },
);

1 while $npe->loop;     # loop() returns false once the file is exhausted

# one line per IP, most-targeted first: "IP >received <sent   # country"
for my $addr (sort { $to{$b} <=> $to{$a} } keys %to) {
        print "$addr >$to{$addr} <", $from{$addr} // '', "\t# ", ($gi->LookUp($addr))[1], "\n";
}
This script produces output like this:
111.221.70.11 >52620 <  # Singapore
1.2.3.4 >12670 <8690    # Australia
109.123.118.42 >2960 <5325      # United Kingdom
174.35.40.44 >637 <1142 # United States
220.73.139.203 >452 <650        # Korea, Republic of
123.214.170.56 >375 <713        # Korea, Republic of
199.7.48.190 >311 <304  # United States
220.73.139.201 >280 <407        # Korea, Republic of
8.8.8.8 >248 <248       # United States
74.125.71.94 >208 <180  # United States
...
Obviously 111.221.70.11 is being DoSed with spoofed IPs: 52620 packets sent to it and none received from it. This is easily confirmed in Wireshark. Next, 1.2.3.4 is the infected machine, since it communicates with all the other hosts. Next, 109.123.118.42 is a potential target because of the big disproportion in its sent/received ratio. So, that's it for now.

Switch to Wireshark and try to find RUDY: "http.content_length_header > 10000", 199.7.48.190 seems suspicious. After confirmation you can see that it is RUDY (a POST request with a very big Content-Length).

To find Slowloris we need to modify the above Perl script slightly to find unusual HTTP headers. You might want to prefilter the pcap file by "http.request" in Wireshark and save it as. Then modify default_callback with
(split "\n\n",$_[3])[0]=~/X-(\w+)/&&print $1
and you'll see all the unusual headers. In this case there was no Slowloris attack, though. Then we decided to go manually through the list of victims from the top. We found the last victim: 66.150.14.48 from the United States is attacked with an RST flood. The answer format is COUNTRY_NAME_TOP1(3)COUNTRY_NAME_TOP2(13)COUNTRY_NAME_TOP3(2)COUNTRY_NAME_TOP4(5)_1.1.1.1_2.2.2.2_3.3.3.3_4.4.4.4, so the correct answer is: none_111.221.70.11_109.123.118.42_199.7.48.190_66.150.14.48
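The same triage can be done without Net::Pcap::Easy or Wireshark. The following is an added example written for this page, not the write-up's own script: a minimal pcap reader in plain Python (no third-party modules) that reproduces the per-IP sent/received tally from the Perl script above and then scans the TCP payloads for the three signatures discussed in the write-up (a POST with an oversized Content-Length, made-up X- request headers, and RST floods). The traffic it runs on is constructed inline with hypothetical addresses (10.0.0.x, 192.0.2.x); the thresholds (10000 for Content-Length, the 4:1 asymmetry ratio) are assumptions chosen to match the write-up's Wireshark filter, not values from the challenge file.

```python
import re
import struct
from collections import Counter

# ---- constructed sample traffic (hypothetical, not the challenge capture) ----
def tcp_frame(src, dst, payload=b"", flags=0x18, sport=40000, dport=80):
    """Ethernet + IPv4 + TCP frame. Checksums are left zero; the tally never verifies them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap_bytes(frames):
    """Wrap frames in a classic little-endian libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

frames = []
for i in range(6):              # SYN flood from six spoofed sources; the target never answers
    frames.append(tcp_frame(f"192.0.2.{10 + i}", "10.0.0.1", flags=0x02))
for _ in range(2):              # ordinary two-way chatter
    frames.append(tcp_frame("10.0.0.2", "10.0.0.3"))
    frames.append(tcp_frame("10.0.0.3", "10.0.0.2"))
for _ in range(5):              # RST flood against 10.0.0.4
    frames.append(tcp_frame("10.0.0.9", "10.0.0.4", flags=0x04))
frames.append(tcp_frame("10.0.0.2", "10.0.0.5",   # RUDY-style POST: huge Content-Length, tiny body
                        b"POST /form HTTP/1.1\r\nHost: x\r\nContent-Length: 100000000\r\n\r\na"))
frames.append(tcp_frame("10.0.0.2", "10.0.0.6",   # Slowloris-style request with a made-up X- header
                        b"GET / HTTP/1.1\r\nHost: x\r\nX-a: b\r\n\r\n"))
SAMPLE_PCAP = pcap_bytes(frames)

# ---- minimal pcap reader: just enough Ethernet/IPv4/TCP to tally endpoints and flags ----
def iter_packets(data):
    """Yield (src_ip, dst_ip, tcp_flags_or_None, tcp_payload) for each IPv4 frame."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        if frame[23] != 6:                             # not TCP: count the IPs only
            yield src, dst, None, b""
            continue
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        yield src, dst, tcp[13], tcp[(tcp[12] >> 4) * 4:]

RST = 0x04

def summarize(data, max_content_length=10000):
    """Per-IP packet counts plus the three attack signatures the write-up looks for."""
    to, frm, rst_to = Counter(), Counter(), Counter()
    big_posts, x_headers = [], set()
    for src, dst, flags, payload in iter_packets(data):
        to[dst] += 1
        frm[src] += 1
        if flags is not None and flags & RST:
            rst_to[dst] += 1
        head = payload.split(b"\r\n\r\n", 1)[0]      # request line + headers only
        if head.startswith(b"POST "):
            m = re.search(rb"(?im)^Content-Length:\s*(\d+)", head)
            if m and int(m.group(1)) > max_content_length:
                big_posts.append((src, dst, int(m.group(1))))
        x_headers.update(h.decode() for h in re.findall(rb"(?m)^(X-\w+):", head))
    return to, frm, rst_to, big_posts, x_headers

def ranked(to, frm):
    """IPs ordered by packets received, as (ip, received, sent), like the Perl output."""
    return [(ip, to[ip], frm.get(ip, 0)) for ip in sorted(to, key=lambda ip: -to[ip])]

def lopsided(to, frm, min_total=5, ratio=4.0):
    """Hosts whose received and sent counts differ by at least `ratio`: flood targets show
    sent == 0, hosts busy answering spoofed traffic show sent >> received."""
    out = []
    for ip in set(to) | set(frm):
        r, s = to.get(ip, 0), frm.get(ip, 0)
        if r + s >= min_total and max(r, s) >= ratio * max(min(r, s), 1):
            out.append(ip)
    return sorted(out)

if __name__ == "__main__":
    to, frm, rst_to, big_posts, x_headers = summarize(SAMPLE_PCAP)
    for ip, received, sent in ranked(to, frm):
        print(f"{ip} >{received} <{sent}")
    print("lopsided:", lopsided(to, frm), "rst floods:", dict(rst_to))
    print("big POSTs:", big_posts, "X- headers:", sorted(x_headers))
```

On a real capture replace SAMPLE_PCAP with the bytes of the file; the reader only understands the classic libpcap format (not pcapng) and only Ethernet-framed IPv4, which is what the write-up's capture contains. The asymmetry check is deliberately two-sided so that it catches both the 111.221.70.11 pattern (everything received, nothing sent) and the 109.123.118.42 pattern (far more sent than received).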


This page contains a single entry by 盗賊 published on February 28, 2012 6:23 AM.
