Preventing Traffic Fingerprinting in Attack/Defense Capture the Flag Competitions
Traffic fingerprinting is a notorious issue in attack/defense Capture The Flag (CTF) competitions. In these competitions, teams attack each other’s machines in a (virtual) network, while checkers provided by the organizers validate the availability and functionality of the machines. To ensure a fair contest, it should not be possible for competitors to filter connections based on their origin, which would allow them to permit only checker traffic and block all other teams.
Subtle differences in the implementations of TCP stacks and HTTP clients could allow distinguishing between traffic from teams and traffic from the checkers. A comprehensive implementation of such fingerprinting is available in Michal Zalewski’s p0f tool. The case is even simpler for HTTP, where the ordering and values of request headers vary widely between clients. Ideally, all identifying information is therefore removed centrally in the organizers’ infrastructure.
For its past few editions, FAUST CTF has been using HAProxy and iptables TPROXY for that. All TCP and HTTP connections get transparently intercepted, before being forwarded to their original destination. For HTTP, only a limited set of headers is allowed.
The talk will cover the unique requirements that led to the design of our solution and how HAProxy helps to achieve them. Apart from details of the implementation, lessons learned from successfully running the solution in multiple competitions will be presented.
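The HTTP header allowlisting described above, as an added example that is not FAUST CTF's HAProxy configuration: two requests from different client libraries become byte-identical once only allowlisted headers are kept in a fixed order and casing. The allowlist, its order, the function name and the sample requests are assumptions made for illustration.

```python
# Added illustration: allowlist-based header normalization, not FAUST CTF's HAProxy setup.
ALLOWED = ("Host", "Content-Type", "Content-Length", "Cookie")  # assumed allowlist and output order
CANONICAL = {h.lower(): h for h in ALLOWED}

def normalize_request(raw: bytes) -> bytes:
    """Return the request with only allowlisted headers, in fixed order and casing."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    kept = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.lower()
        if key == "transfer-encoding":
            # Dropping this header would change body framing; this sketch only
            # handles Content-Length bodies, so refuse instead of guessing.
            raise ValueError("chunked bodies are out of scope for this sketch")
        if key not in CANONICAL:
            continue  # User-Agent, Accept, Accept-Encoding, ... never reach the team
        if key in kept:
            raise ValueError(f"duplicate {CANONICAL[key]} header")
        kept[key] = value.strip()
    out = [f"{method} {target} HTTP/1.1"]  # protocol version is pinned as well
    out += [f"{h}: {kept[h.lower()]}" for h in ALLOWED if h.lower() in kept]
    return "\r\n".join(out).encode("latin-1") + b"\r\n\r\n" + body

# Constructed sample requests: same resource, two different HTTP client libraries.
CURL_LIKE = (b"GET /notes/1 HTTP/1.1\r\nHost: 10.66.1.2:8080\r\n"
             b"User-Agent: curl/8.5.0\r\nAccept: */*\r\n\r\n")
REQUESTS_LIKE = (b"GET /notes/1 HTTP/1.1\r\nhost:10.66.1.2:8080\r\n"
                 b"User-Agent: python-requests/2.31.0\r\nAccept-Encoding: gzip, deflate\r\n"
                 b"Accept: */*\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    a, b = normalize_request(CURL_LIKE), normalize_request(REQUESTS_LIKE)
    print(a.decode("latin-1"))
    print("identical after normalization:", a == b)
```

This covers only the HTTP layer; the TCP-level differences that p0f inspects are removed by terminating and re-originating the connection at the proxy, which the code does not model.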
IT Security Engineer, noris network
Felix considers himself a Computer Scientist at the intersection of software development, IT operations, and information security.
He currently works at noris network as an IT Security Engineer in an Ops/SRE team delivering core services to the company. Before that, he studied Computer Science at FAU Erlangen-Nürnberg with a focus on IT security, distributed and operating systems, and compiler technology.
He is also part of the infrastructure team for FAUST CTF, one of the major online attack/defense Capture The Flag (CTF) competitions in the field of information security.
Network Engineer, RRZE
Simon is a network engineer at Regionales Rechenzentrum Erlangen, the IT services division of Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU).
He studied computer science at FAU. His interests are IT security, automation and network design.
At FAUST CTF, he is part of the team developing and running the central competition infrastructure.