CCDC FAQ

Here is a FAQ from the CCDC website that may answer questions you have and provide information about the event:

Q: Are we allowed to use “active” response mechanisms like automatic TCP resets in Snort?

A: Absolutely – that’s up to your team. But bear in mind any issues related to the scoring engine and your team’s use of automatic response mechanisms are your responsibility. In other words, if your response mechanism blocks the activity of the scoring engine you will lose points.

Q: Will we know when our services are considered to be down?

A: The white team will provide a very simple website that shows the status of each of your core services during the last status check. Each team will have their own password-protected page and only the data from the last service check will be shown. Additionally, teams will be notified directly when an SLA violation occurs (see below for more information on SLAs).

Q: Will there be any e-commerce sites or custom applications that require a code review?

A: There will be an e-commerce portal running on a web server with a database backend. It's a semi-standard application but it would be useful to have at least a basic knowledge of HTML and SQL.

Q: Will the team have available a network connection in the main switch, outside the team's subnet (so we can scan to see what our network looks like from the outside)?

A: Unfortunately no, but we will have a web-based port scanner available that will scan back any IP address you visit it from.

Q: The rules say “free tools only”. Can we use tools from Microsoft or any other vendor (non open source) that are available on their web site for public download?

A: The intent was to limit the use of commercial tools, or the ability of one team to “buy” an advantage by using commercial products, not to limit things to open source tools only. The only tool restrictions are that the tool must either be “free”, i.e. open source or available to anyone for download at no cost (so every team would have a chance to obtain it), or it must have been written by one of the team members (for example, if you had a team member who wrote a really good log parser in Perl).

Q: Are blank CDs allowed?

A: No. We will be providing teams with a limited number of blank CDs and a USB flash drive for file transfer usage. Teams are not allowed to bring any media into the contest area, including personal flash drives, floppies, CDs, DVDs, etc.

Q: Is this one continuous contest? Or is it 3 separate runs with different scenarios / networks?

A: It's one continuous contest broken up over 3 time periods. Final scores will be cumulative for all 3 sessions. There will be different scenarios/events/injects but they will all involve the same network.

Q: Can we bring our own system or networking device?

A: No. Teams may not bring any computer, laptop, external drive, networking device, tablet, PDA, etc… into the competition area. Teams may bring personal MP3 players provided they are not connected to competition systems at any time. Connecting any unauthorized device to the competition network will result in a disqualification of that team.

Q: How many boxes will actually be there on our networks?

A: Initial network details will be provided in the team packet.

Q: What kind of food is allowed in the room?

A: No drinks or food will be allowed in the team rooms. We will have a break area a short distance from the team rooms where we will provide drinks and snacks to the competitors.

Q: What happens if hardware fails during the competition?

A: That really depends on the failure. We will have some spares, but they are limited. Worst case scenario if one team loses a particular system everyone will lose that same system and we will adjust scoring to compensate.

Q: What specific applications and operating systems will we be using again?

A: While we don't want to spoil things by providing exact versions, we can provide the following list of applications and operating systems that might appear in the competition networks:

Operating Systems:
Windows 2003
Windows 2000 Server and Professional
Windows XP Professional
Windows Vista
Various BSD Distributions
Various Linux Distributions
Solaris
Windows 2008
Windows 7

Applications:
IIS
MySQL
BIND / MS-DNS
Sendmail / Exchange / qmail
Apache
Samba
OpenSSL
SSH
Microsoft Office
Active Directory

Q: What OS and application disks will you be providing for the teams and what can we bring with us?

A: Each team will be provided with access to the basic operating systems that are in the provided environment. For example, if a system is running Windows 2003 in the environment there will be a Windows 2003 ISO available for each team. Any commercial security applications distributed for the competition will also be available via download for each team. Teams should not bring any software, operating systems, or tools with them to the competition. Free operating systems, tools, and applications may be downloaded during the competition.

Q: Can the team choose to support the network completely in a UNIX environment or a Windows environment, or must the network be “mixed” Operating Systems?

A: There is no requirement to maintain a “mixed” environment. Teams will be penalized for downtime and lost functionality, not for OS or application choice, but teams must replicate the operational capabilities/functions of the original environment, including all existing files, emails, web pages, etc.

Q: So how does this downtime thing work? Is there any penalty for extended downtime?

A: Teams are given points for each successful service check performed. For each failed service check they will receive no points. Each of the services has an attached Service Level Agreement (SLA) so the longer services are “down” or nonfunctional the more serious the situation becomes (as it would in any operational environment). In this competition we will deduct points from a team’s score for extended downtime.

Q: Will there be other scanning activity or “noise” on the networks?

A: Yes. Where possible we are trying to simulate “normal” network activity so not all the scanning traffic will be from the red team and not all the email, HTTP, DNS traffic will be from the scoring engine. We will be using traffic generators.

Q: Are you just checking to see if ports are open or will you actually be testing the services?

A: Both. We will check for basic connectivity as well as functionality. For example, if we attempt to deliver an email we may attempt to send it using one user account and then check to ensure it was received by a different user. For web pages, we will be polling and comparing content.

Q: Are the central infrastructure items valid red team targets (global DNS, etc…)?

A: No. The red team will not examine/assess any of the central infrastructure items.

Q: Can we change passwords?

A: Yes, but remember that, just like in the corporate world, if you change a user’s password you must notify the user. In this case, if you change the password for any user account you must inform the white team prior to the password change and provide the account name, new password, when it is being changed, etc. Failure to notify the white team in a prompt manner could lead to the failure of service checks and a loss of points.

Q: Can we bring books/reference materials with us?

A: Absolutely. Bring any books, handouts, notebooks, etc. that you would feel would be helpful.

Q: Should we bring pens and paper?

A: Yes. Feel free to bring in pens, highlighters, blank notebooks, etc.

Q: Are the systems going to be working when we get access to them?

A: Yes, all the systems will be running and “functional” meaning they will be working and will be responding to the scoring checks – this is an operational network. That does not mean they will all be perfectly configured. Or even intelligently configured.

Q: Will we have a KVM and a single monitor, or will we have a monitor for every machine?

A: Some servers will be connected to a KVM but many will have their own monitor.

Q: Will the competition systems be connected to the Internet?

A: Yes and no – the actual team networks will not be directly connected to the Internet. Each team will be able to route out of the central network, where they can download software and patches, use Google, etc. WARNING: All Internet traffic is monitored for rule violations and inappropriate content. So you will be able to access the Internet from your team systems, but you will be going through a proxy and central firewall.

Q: For the “business tasks”/injects, if our team is able to suggest a more secure alternative that meets the same objective and doesn't require a CS degree to carry out (i.e. it's easy for a management type), can we substitute that alternative and still receive full credit?

A: The business tasks will be similar to business tasks you may receive in a corporate environment – you’ll be asked to provide a service or a function. If you can come up with a better, faster, more secure way of providing that service or function by all means do so. For example, we may ask you to provide an FTP service with the specific files and accounts - how you support that FTP service and what software you use is up to you.

Q: What IP address will the scoring engine be on?

A: The IP address of the scoring engine changes for each round of service checks.

Q: Does the scoring engine just check availability of services?

A: No – the scoring engine will be checking functionality as well so it’s not enough to have something “listening” to a specific port. The scoring engine will check to make sure a web server exists and is actually providing the correct content, a mail server actually sends and receives mail, a DNS server responds to queries, etc.
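As an added illustration (not code from the CCDC site), here is a self-monitor that mirrors the distinction the scoring engine draws: a bare port check beside a content check, plus a tracker that scores each passed check and deducts for extended downtime. The point values, the SLA threshold and the sample page content are assumptions constructed for the example.

```python
import hashlib
import socket
from dataclasses import dataclass
from typing import Callable

def port_listening(host: str, port: int, timeout: float = 2.0) -> bool:
    """Connectivity only: something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def content_matches(observed: bytes, expected_sha256: str) -> bool:
    """Functionality: the served content is the content the service must provide."""
    return hashlib.sha256(observed).hexdigest() == expected_sha256

@dataclass
class SlaTracker:
    """Cumulative score; thresholds and point values are assumed, not CCDC's."""
    points_per_pass: int = 1
    failures_allowed: int = 3   # consecutive failed checks tolerated before an SLA violation
    sla_penalty: int = 5
    score: int = 0
    streak: int = 0             # current run of consecutive failed checks
    violations: int = 0

    def record(self, passed: bool) -> None:
        if passed:
            self.score += self.points_per_pass
            self.streak = 0
            return
        self.streak += 1                      # a failed check simply earns nothing ...
        if self.streak > self.failures_allowed:
            self.score -= self.sla_penalty    # ... until the outage becomes "extended"
            self.violations += 1

def run_round(fetch: Callable[[], bytes], expected_sha256: str, tracker: SlaTracker) -> bool:
    """One scoring round: fetch via the supplied fetcher, compare content, update the tracker."""
    try:
        passed = content_matches(fetch(), expected_sha256)
    except OSError:
        passed = False                        # refused/timed-out connection is a failed check
    tracker.record(passed)
    return passed

# Constructed sample: hash of the page the e-commerce portal is expected to serve.
EXPECTED_SHA256 = hashlib.sha256(b"<h1>Acme Store</h1>").hexdigest()
```

Pass `run_round` a fetcher that performs the real HTTP request (or an SMTP send/receive pair) and poll it at the cadence of the scoring rounds.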

Q: Will DoS attacks be used?

A: We will allow the red team limited use of DoS attacks if it permits a secondary exploitation; however, use will be extremely limited. No network flooding attacks will be used.

Q: Will we get copies of the traffic logs?

A: The National CCDC will be recording all traffic going through the master switch – this includes traffic to/from the red team. These logs will be made available to all participating teams upon request after the competition.

Q: Will the red team be attacking any of the global resources?

A: No – the red team will not be attacking any of the global resources. They will only be examining team systems.