- Are we allowed to use “active” response mechanisms like automatic TCP resets in Snort?
- Will we know when our services are considered to be down?
- Will there be any e-commerce sites or custom applications that require a code review?
- Will the team have available a network connection in the main switch, outside the team's subnet (so we can scan to see what our network looks like from the outside)?
- The rules say "free tools only". Can we use tools from Microsoft or any other vendor (non open source) that are available on their web site for public download?
- Are blank CDs allowed?
- Is this one continuous contest? Or is it 3 separate runs with different scenarios / networks?
- Can we bring our own system or networking device?
- How much documentation is desired by the White Team (for incident reports, for example)? Any specific format?
- How many boxes will actually be there? What will the topology be?
- What kind of food is allowed in the room?
- What happens if hardware fails during the competition?
- What specific applications and operating systems will we be using again?
- What OS and application disks will you be providing for the teams and what can we bring with us?
- Can the team choose to support the network completely in a UNIX environment or a Windows environment, or must the network be "mixed" Operating Systems?
- So how does this downtime thing work? Is there any penalty for extended downtime?
- Will there be other scanning activity or “noise” on the networks?
- Are you just checking to see if ports are open or will you actually be testing the services?
- Are the central infrastructure items valid red team targets (global DNS, etc.)?
- Can we change passwords?
- Can we bring books/reference materials with us?
- Should we bring pens and paper?
- Are the systems going to be working when we get access to them?
- Will we have a KVM and a single monitor, or will we have a monitor for every machine?
- Will the competition systems be connected to the Internet?
- For the "business tasks"/injects, if our team is able to suggest a more secure alternative that meets the same objective, and doesn't require a CS degree to carry out (i.e. it's easy for a management type), can we substitute that alternative and still receive full credit?
- What IP address will the scoring engine be on?
- Does the scoring engine just check availability of services?
- Will DoS attacks be used?
- Will we get copies of the traffic logs?
- Will the red team be attacking any of the global resources?
- Will the red team be provided network / system information by the operations team?
Q: Are we allowed to use “active” response mechanisms like automatic TCP resets in Snort?
A: Absolutely – that’s up to your team. But bear in mind that any issues related to the scoring engine and your team’s use of automatic response mechanisms are your responsibility. In other words, if your response mechanism blocks the activity of the scoring engine you will lose points.
Q: Will we know when our services are considered to be down?
A: The white team will provide a very simple website that shows the status of each of your core services during the last status check. Each team will have its own password-protected page and only the data from the last service check will be shown. Additionally, teams will be notified directly when an SLA violation occurs (see below for more information on SLAs).
Q: Will there be any e-commerce sites or custom applications that require a code review?
A: There will be an e-commerce portal running on a web server with a database backend. It's a semi-standard application, but it would be useful to have at least a basic knowledge of HTML and SQL.
Q: Will the team have available a network connection in the main switch, outside the team's subnet (so we can scan to see what our network looks like from the outside)?
A: Unfortunately no, but we will have a web-based port scanner available that will scan back any IP address you visit it from.
Q: The rules say "free tools only". Can we use tools from Microsoft or any other vendor (non open source) that are available on their web site for public download?
A: The intent was to limit the use of commercial tools, or the ability of one team to "buy" an advantage by using commercial products, not to limit things to open source tools only. The only tool restrictions are that a tool must either be "free" (i.e. open source or available to anyone for download at no cost, so every team would have a chance to obtain it) or have been written by one of the team members (for example, if you had a team member that wrote a really good log parser in Perl).
Q: Are blank CDs allowed?
A: No. We will be providing teams with a limited number of blank CDs and a USB flash drive for file transfer. Teams are not allowed to bring any media into the contest area, including personal flash drives, floppies, CDs, DVDs, etc.
Q: Is this one continuous contest? Or is it 3 separate runs with different scenarios / networks?
A: It's one continuous contest broken up over 3 time periods. Final scores will be cumulative for all 3 sessions. There will be different scenarios/events/injects, but they will all involve the same network.
Q: Can we bring our own system or networking device?
A: No. Teams may not bring any computer, laptop, external drive, networking device, tablet, PDA, cell phone, MP3 player, etc. into the competition area. Connecting any unauthorized device to the competition network, or bringing any illegal device into the competition room, will result in the disqualification of that team.
Q: How much documentation is desired by the White Team (for incident reports, for example)? Any specific format?
A: We're not really requiring a specific format - we want each team to develop their own reporting form/format as they would in a business environment. At a minimum, incident reports must contain a description of what occurred (including source and destination IP addresses, timelines of activity, passwords cracked, etc.), a discussion of what was affected, and a remediation plan.
Q: How many boxes will actually be there? What will the topology be?
A: Initial network details will be provided in the team packet.
Q: What kind of food is allowed in the room?
A: No drinks or food will be allowed in the team rooms. We will have a break area a short distance from the team rooms where we will provide drinks and snacks to the competitors.
Q: What happens if hardware fails during the competition?
A: That really depends on the failure. We will have some spares, but they are limited. Worst case scenario: if one team loses a particular system, everyone will lose that same system and we will adjust scoring to compensate.
Q: What specific applications and operating systems will we be using again?
A: While we don't want to spoil things by providing exact versions, we can provide the following list of applications and operating systems that might appear in the competition networks:

| Operating Systems | Applications |
| --- | --- |
| Windows 2003 | IIS |
| Windows 2000 Server and Professional | MySQL |
| Windows XP Professional | BIND / MS-DNS |
| Various Linux Distributions | Sendmail / Exchange / qmail |
| | Apache |
| | Samba |
| | OpenSSL |
| | SSH |
| | Microsoft Office |
| | Active Directory |
Q: What OS and application disks will you be providing for the teams and what can we bring with us?
A: Each team will be provided with the basic operating system install disks for the systems in the provided environment. For example, if a system is running Windows 2003 in the environment, there will be a Windows 2003 install disk available for each team. Any commercial security applications distributed for the competition will also be available on disk for each team. In addition, a DVD with a complete image of the disk of each machine will be available for disaster recovery. Teams must not bring any software, operating systems, or tools with them to the competition. Free operating systems, tools, and applications may be downloaded during the competition.
Q: Can the team choose to support the network completely in a UNIX environment or a Windows environment, or must the network be "mixed" Operating Systems?
A: There is no requirement to maintain a "mixed" environment. Teams will be penalized for downtime and lost functionality, not for OS or application choice, but teams must replicate the operational capabilities/functions of the original environment, including all existing files, emails, web pages, etc.
Q: So how does this downtime thing work? Is there any penalty for extended downtime?
A: Teams are given points for each successful service check performed. For each failed service check they will receive no points. Each of the services has an attached Service Level Agreement (SLA), so the longer services are “down” or nonfunctional the more serious the situation becomes (as it would in any operational environment). In this competition we will deduct points from a team’s score for extended downtime per the SLA below:

| Downtime | Deduction |
| --- | --- |
| Service down for over 1 hour | -20 points |
| Service down for over 2 hours | -40 points |
| Service down for over 3 hours | -50 points |
| Each additional hour of downtime | -50 points |

So if your web service is continuously down or unavailable for two hours, your team will have a total of 60 points deducted from your score (the 20-point and 40-point deductions are cumulative).
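As an added worked example (not from the competition organizers), the cumulative SLA deduction above applied to a constructed log of scoring-engine checks. The 15-minute check cadence, the one-point-per-passed-check value, and the reading of "over N hours" as N full hours completed (which reproduces the two-hour example) are assumptions; the page states none of them.

```python
from datetime import timedelta
from itertools import groupby

# Assumed check cadence: the page does not state how often the scoring engine polls.
CHECK_INTERVAL = timedelta(minutes=15)

# Constructed sample of scoring-engine results, one character per check:
# U = check passed (service up), D = check failed (service down).
SAMPLE_RESULTS = {
    "web": "UDDDDDDDDU",          # 8 failed checks = the page's 2-hour outage
    "dns": "UDDUUUUUUU",          # 30 minutes down: below the first SLA threshold
    "mail": "UUUUDDDDDDDDDDDDU",  # 12 failed checks = 3 hours down
}


def sla_penalty(downtime: timedelta) -> int:
    """Cumulative SLA deduction for one continuous outage.

    "Over N hours" is read as N full hours completed, which reproduces the
    page's example (two hours of continuous downtime = 60 points). Each hour
    beyond the third costs a further 50 points.
    """
    hours = int(downtime.total_seconds() // 3600)
    penalty = 0
    if hours >= 1:
        penalty += 20
    if hours >= 2:
        penalty += 40
    if hours >= 3:
        penalty += 50 * (hours - 2)  # 50 for hour three plus 50 per extra hour
    return penalty


def outages(results: str, interval: timedelta = CHECK_INTERVAL) -> list:
    """Duration of each maximal run of consecutive failed checks."""
    return [len(list(run)) * interval
            for state, run in groupby(results) if state == "D"]


def score(results: str, points_per_check: int = 1) -> dict:
    """Points earned per passed check minus SLA deductions for every outage."""
    earned = results.count("U") * points_per_check
    deducted = sum(sla_penalty(d) for d in outages(results))
    return {"earned": earned, "deducted": deducted, "net": earned - deducted}


if __name__ == "__main__":
    for service, results in SAMPLE_RESULTS.items():
        print(service, score(results))
```

Note that a single two-hour outage costs more than the 8 points the team could have earned from those checks, which is the page's point about extended downtime becoming progressively more serious.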
Q: Will there be other scanning activity or “noise” on the networks?
A: Yes. Where possible we are trying to simulate “normal” network activity, so not all the scanning traffic will be from the red team and not all the email, HTTP, and DNS traffic will be from the scoring engine. We will be using traffic generators.
Q: Are you just checking to see if ports are open or will you actually be testing the services?
A: Both. We will check for basic connectivity as well as functionality. For example, if we attempt to deliver an email we may send it using one user account and then check to ensure it was received by a different user. For web pages, we will be polling and comparing content.
Q: Are the central infrastructure items valid red team targets (global DNS, etc.)?
A: No. The red team will not examine/assess any of the central infrastructure items.
Q: Can we change passwords?
A: Yes, but remember that, just like in the corporate world, if you change a user’s password you must notify the user. In this case, if you change the password for any user account you must inform the white team prior to the change and provide the account name, the new password, when it is being changed, etc. Failure to notify the white team in a prompt manner could lead to the failure of service checks and a loss of points.
Q: Can we bring books/reference materials with us?
A: Absolutely. Bring any books, handouts, notebooks, etc. that you feel would be helpful.
Q: Should we bring pens and paper?
A: Yes. Feel free to bring in pens, highlighters, blank notebooks, etc.
Q: Are the systems going to be working when we get access to them?
A: Yes, all the systems will be running and “functional”, meaning they will be working and responding to the scoring checks – this is an operational network. That does not mean they will all be perfectly configured.
Q: Will we have a KVM and a single monitor, or will we have a monitor for every machine?
A: No. For the regional competition, there will be no KVMs. Each system will have its own monitor.
Q: Will the competition systems be connected to the Internet?
A: Yes and no – the actual team networks will not be directly connected to the Internet. Each team will be able to route out of the central network where they can download software, patches, Google, etc. WARNING: All Internet traffic is monitored for rule violations and inappropriate content.
Q: For the "business tasks"/injects, if our team is able to suggest a more secure alternative that meets the same objective, and doesn't require a CS degree to carry out (i.e. it's easy for a management type), can we substitute that alternative and still receive full credit?
A: The business tasks will be similar to business tasks you may receive in a corporate environment – you’ll be asked to provide a service or a function. If you can come up with a better, faster, more secure way of providing that service or function, by all means do so. For example, we are going to ask you to provide an FTP service with the following files and accounts - how you support that FTP service and what software you use is up to you.
Q: What IP address will the scoring engine be on?
A: The IP address of the scoring engine will change periodically throughout the competition.
Q: Does the scoring engine just check availability of services?
A: No – the scoring engine will be checking functionality as well, so it’s not enough to have something “listening” on a specific port. The scoring engine will check to make sure a web server exists and is actually providing the correct content, a mail server actually sends and receives mail, a DNS server responds to queries, etc.
Q: Will DoS attacks be used?
A: We will allow the red team limited use of DoS attacks if it permits a secondary exploitation; however, use will be extremely limited. No network flooding attacks will be used.
Q: Will we get copies of the traffic logs?
A: The National CCDC will be recording all traffic going through the master switch – this includes traffic to/from the red team. These logs will be made available to all participating teams upon request after the competition.
Q: Will the red team be attacking any of the global resources?
A: No – the red team will not be attacking any of the global resources. They will only be examining team systems.
Q: Will the red team be provided network / system information by the operations team?
A: No – the red team will not be provided any network or system information before the competition begins. They will have to examine the systems as an outside attacker with no internal information. Once the red team arrives on site they will be given a set of rules and guidelines, their IP ranges, a list of target subnets, and that's about it.