More on the organizor
Last updated on 06.11.10 20:24
Frequently Answered Questions
the main rules can be found on this web page
FAQ and clarifications
- Does the use of automated tools include software like nessus, nmap and hydra?
In a way: yes. But then you'll probably don't need them anyway (see point 3 below). In the
rare opportunities where you might find them useful, you can apply them
in your local network without any restrictions but you shoudln't use
them extensively on other team's network. If you do, limit their
bandwidth and aggresiveness so that you don't DoS other parties or the
VPN-server (as it's the routing bottleneck).
A rule of thumb(!) is, that you may use them as long as you don't start
more than 10 TCP/Connections per second and don't waste the VPN-server's
bandwidth (bottleneck), i.e. try to use less than 1MBit/s for scanning
and such. But again: you'll most probably don't need scanning because
experience says that hacking into other team's workstations and routers
is typically impossible unless you own an unpublished zero-day exploit.
In addition, hacking into those machines doesn't get awarded with
scores. Anyway, you're free to do that if you want to.
- Is password cracking allowed?
- Will there be standard applications or custom for the competition?
Completly custom. That's why you probably don't need nessus and such anyway.
- Will the source code be provided so that our programmer can apply patches as needed?
For most service there will be source code available. But it's
possible that there will be minor number of challenges without source
- Will it be ethically wrong to utilize google for this competition?
Not at all.
- Can we attack the workstations of the other team's users? Can these machines be
Workstations can be firewalled, that's no problem. You may also attack
other team's workstations - but these actions are not scored ;-)
- Can we do Layer 7 filtering (watching for buffer
overflows for example) and then using the L7 NetFilter plugin to filter
related attacks? Or do we have to do this without any sort of filtering on
In contrast to former CTF events, we do not allow L7-Filtering any more.
In fact, any kind of filtering that is not done in the applications themselves
is considered against the rules.
- So, how about filtering at all?
ANY kind of context based checks are against the rules - that goes also for
any other information provided in IP, TCP, or if that matters,
Or more generally speaking: any filtering that tries to distinct between
players and gameserver is against the rules, as are filters that work on
OS- or network level. Filtering is only allowed either in the
application themselves - and only if
it filters for "attack"/"non attack".
- Can the kernel be recompiled with the openwall or grsec security patches
in place... patching that would limit/prevent buffer overflows?
Recompiling the kernel is allowed. BUT: patches that would
limit/prevent buffer overflows are not allowed. Remember that the exercise is about
application layer security and not about creating an OS that works around
Note however, that all kernel level measures that are active due to our
configuration are considered OK.