Traffic fingerprinting is a notorious issue in attack/defense Capture The Flag (CTF) competitions. In these, teams attack each other’s machines in a (virtual) network, while checkers provided by the organizers validate the availability and functionality of those machines. To ensure a fair contest, it must not be possible for competitors to filter connections based on their origin, which would allow them to permit only checker traffic and block all other teams.
Subtle differences between TCP stack and HTTP client implementations could allow telling team traffic apart from checker traffic. A comprehensive implementation of such fingerprinting is available in Michal Zalewski’s p0f tool. The case is even simpler for HTTP, where the order and values of request headers vary widely between clients. Ideally, all identifying information is therefore stripped centrally in the organizers’ infrastructure.
For its past few editions, FAUST CTF has used HAProxy together with iptables TPROXY for this purpose. All TCP and HTTP connections are transparently intercepted before being forwarded to their original destination. For HTTP, only a limited set of request headers is allowed through.
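To make the HTTP part concrete, here is an added illustration (not FAUST CTF’s HAProxy configuration, and not code from the talk) of the normalisation a central proxy performs: only an allow-listed set of request headers survives, emitted in a fixed order with canonical casing, so two requests that differ only in client fingerprint become byte-identical. The allow-list, the two sample requests and the address 10.66.1.2 are constructed for this example.

```python
from typing import Dict, List, Tuple

# Assumed allow-list for this illustration; the organisers' real list is not given.
# Host is needed for routing, the body-framing headers are kept so the proxy and the
# origin agree on where the body ends (dropping them is how request smuggling starts),
# and Cookie/Authorization carry application state the service may depend on.
ALLOWED_HEADERS = ("host", "content-type", "content-length", "transfer-encoding",
                   "cookie", "authorization")


def parse_request(raw: bytes) -> Tuple[bytes, List[Tuple[str, bytes]], bytes]:
    """Split a raw HTTP/1.x request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: List[Tuple[str, bytes]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().decode("ascii").lower(), value.strip()))
    return lines[0], headers, body


def dropped_headers(raw: bytes, allowed=ALLOWED_HEADERS) -> List[str]:
    """Names of headers the proxy would strip, in order of appearance (useful for logging)."""
    _, headers, _ = parse_request(raw)
    return [name for name, _ in headers if name not in allowed]


def normalize_request(raw: bytes, allowed=ALLOWED_HEADERS) -> bytes:
    """Rebuild the request with only allow-listed headers, in allow-list order."""
    request_line, headers, body = parse_request(raw)
    kept: Dict[str, bytes] = {}
    for name, value in headers:
        if name in allowed:
            # Repeated headers are folded into one comma-separated list value.
            kept[name] = value if name not in kept else kept[name] + b", " + value
    out = [request_line]
    for name in allowed:  # fixed emission order removes client-specific ordering
        if name in kept:
            canonical = "-".join(part.capitalize() for part in name.split("-"))
            out.append(canonical.encode("ascii") + b": " + kept[name])
    return b"\r\n".join(out) + b"\r\n\r\n" + body


# Constructed sample requests imitating two different clients hitting the same service.
CURL_STYLE = (b"GET /api/flag HTTP/1.1\r\nHost: 10.66.1.2\r\nUser-Agent: curl/7.88.1\r\n"
              b"Accept: */*\r\nCookie: session=abc\r\n\r\n")
REQUESTS_STYLE = (b"GET /api/flag HTTP/1.1\r\nUser-Agent: python-requests/2.31\r\n"
                  b"Accept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n"
                  b"cookie: session=abc\r\nhost: 10.66.1.2\r\n\r\n")
```

Running `normalize_request` on both samples yields the same bytes, while `dropped_headers` shows which fingerprinting headers were removed from each.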
The talk will cover the unique requirements that led to the design of our solution and how HAProxy helps to meet them. Besides details of the implementation, lessons learned from successfully running the solution in multiple competitions will be presented.