Rules and FAQ's

We are encouraging questions and comments on the rules and team packets. Please email any questions or comments to Dwayne Williams (Dwayne.Williams@utsa.edu). As questions are answered the FAQ will be updated.

The 2006 CCDC Team Packet (MS Word) can be found here.

Frequently Asked Questions
(Updated on 03/15/2006)

  1. Are we allowed to use “active” response mechanisms like automatic TCP resets in Snort?
  2. Will we know when our services are considered to be down?
  3. Will there be any e-commerce sites or custom applications that require a code review?
  4. Will the team have available a network connection in the main switch, outside the team's subnet (so we can scan to see what our network looks like from the outside)?
  5. The rules initially said "open source tools only" but now just say "free."
  6. Are blank CDs allowed?
  7. Is this one continuous contest? Or is it 3 separate runs with different scenarios / networks?
  8. Can we bring our own system or networking device?
  9. How much documentation is desired by the White Team (for incident reports, for example)? Any specific format?
  10. How many boxes will actually be there? Will it be set up as in the layout on Page 5?
  11. What kind of food is allowed in the room?
  12. What happens if hardware fails during the competition?
  13. What specific applications and operating systems will we be using again?
  14. What OS and application disks will you be providing for the teams and what can we bring with us?
  15. Can the team choose to support the network completely in a UNIX environment or a Windows environment, or must the network be "mixed" Operating Systems?
  16. So how does this downtime thing work? Is there any penalty for extended downtime?
  17. Will there be other scanning activity or “noise” on the networks?
  18. Are you just checking to see if ports are open or will you actually be testing the services?
  19. Are the central infrastructure items valid red team targets (global DNS, etc…)?
  20. Can we change passwords?
  21. Can we bring books/reference materials with us?
  22. Should we bring pens and paper?
  23. Are the systems going to be working when we get access to them?
  24. Will we have a KVM and a single monitor, or will we have a monitor for every machine?
  25. Will the competition systems be connected to the Internet?
  26. For the "business tasks"/injects, if our team is able to suggest a more secure alternative that meets the same objective, and doesn't require a CS degree to carry out (i.e. it's easy for a management type), can we substitute that alternative and still receive full credit?
  27. What IP address will the scoring engine be on?
  28. Does the scoring engine just check availability of services?
  29. Will DoS attacks be used?
  30. Will we get copies of the traffic logs?
  31. Will the red team be attacking any of the global resources?

 

Q: Are we allowed to use “active” response mechanisms like automatic TCP resets in Snort?
A: Absolutely – that’s up to your team. But bear in mind any issues related to the scoring engine and your team’s use of automatic response mechanisms are your responsibility. In other words, if your response mechanism blocks the activity of the scoring engine you will lose points.

Q: Will we know when our services are considered to be down?
A: The white team will provide a very simple website that shows the status of each of your core services during the last status check. Each team will have their own password-protected page and only the data from the last service check will be shown. Additionally, teams will be notified directly when a SLA violation occurs (see below for more information on SLAs).

Q: Will there be any e-commerce sites or custom applications that require a code review?
A: There will be an e-commerce portal running on a web server with a database backend. It's a semi-standard application but it would be useful to have at least a basic knowledge of HTML and SQL.

Q: Will the team have available a network connection in the main switch, outside the team's subnet (so we can scan to see what our network looks like from the outside)?
A: Unfortunately no, but we will have a web-based port scanner available that will scan back any IP address you visit it from.

Q: The rules initially said "open source tools only" but now just say "free." Specifically, can we use tools from Microsoft (non open source) that are available on their web site for public download?
A: The intent was to limit the use of commercial tools, or the ability of one team to "buy" an advantage by using commercial products, not to limit things to open source tools only. The only restriction is that a tool must either be "free" (i.e. open source, or available to anyone for download at no cost, so every team would have a chance to obtain it) or have been written by one of the team members (for example, if you had a team member who wrote a really good log parser in Perl).

Q: Are blank CDs allowed?
A: No. We will be providing teams with a limited number of blank CDs and a 1GB USB drive for file transfer usage. Teams are not allowed to bring any media into the contest area, including personal flash drives, floppies, CDs, DVDs, etc. Operating system installation disks are allowed only after they have been inspected and cleared by the white team.

Q: Is this one continuous contest? Or is it 3 separate runs with different scenarios / networks?
A: It's one continuous contest broken up over 3 time periods. Final scores will be cumulative for all 3 sessions. There will be different scenarios/events/injects but they will all involve the same network.

Q: Can we bring our own system or networking device?
A: No. Teams may not bring any computer, laptop, external drive, networking device, tablet, PDA, etc… into the competition area. Teams may bring personal MP3 players provided they are not connected to competition systems at any time. Connecting any unauthorized device to the competition network will result in a disqualification of that team.

Q: How much documentation is desired by the White Team (for incident reports, for example)? Any specific format?
A: We're not really requiring a specific format or amount of information - we want each team to develop their own reporting form/format as they would in a business environment. At a minimum, incident reports should contain details on what occurred, how the incident was discovered, and what has been done or could be done to address the incident.

Q: How many boxes will actually be there? Will it be set up as in the layout on Page 5?
A: The diagram on page 5 of the team packet is a logical depiction of the network. There will be 9 systems that make up the "operational network" along with a bridge and a Cisco switch.

Q: What kind of food is allowed in the room?
A: Technically none - no drinks either. We will have a break area a short distance from the team rooms where we will provide drinks and snacks to the competitors.

Q: What happens if hardware fails during the competition?
A: That really depends on the failure. We will have some spares, but they are limited. Worst case scenario if one team loses a particular system everyone will lose that same system and we will adjust scoring to compensate.

Q: What specific applications and operating systems will we be using again?
A: While we don't want to spoil things by providing exact versions, we can provide the following list of applications and operating systems that will appear in the competition networks:

Operating Systems
  · Windows 2003
  · Windows 2000 Server and Professional
  · Windows XP Professional
  · FreeBSD
  · Red Hat Linux
  · Solaris

Applications
  · IIS
  · MySQL
  · BIND
  · Sendmail
  · Apache
  · Samba
  · OpenSSL
  · SSH
  · Microsoft Office
  · Active Directory


Q: What OS and application disks will you be providing for the teams and what can we bring with us?
A: Each team will be provided with the basic operating system install disks that are in the provided environment. For example, if a system is running Windows 2003 in the team environment there will be a Windows 2003 install disk available for each team. With respect to applications, please remember that no commercial sniffers, network management, or security tools are permitted - only open source, team developed, or "free" tools. We will allow teams to bring copies of Microsoft Office, Visio, and Project.

Q: Can the team choose to support the network completely in a UNIX environment or a Windows environment, or must the network be "mixed" Operating Systems?
A: There is no requirement to maintain a "mixed" environment. Teams will be penalized for downtime and lost functionality, not for OS or application choice, but teams must replicate the operational capabilities/functions of the original environment, including all existing files, emails, web pages, etc.

Q: So how does this downtime thing work? Is there any penalty for extended downtime?
A: Teams are given points for each successful service check performed. For each failed service check they will receive no points. Each of the services has an attached Service Level Agreement (SLA) so the longer services are “down” or nonfunctional the more serious the situation becomes (as it would in any operational environment). In this competition we will deduct points from a team’s score for extended downtime per the SLA below:

Service down for over 1 hour: -20 points
Service down for over 2 hours: -40 points
Service down for over 3 hours: -50 points for each additional hour of downtime

So if your web service is continuously down or unavailable for two hours your team will have a total of 60 points deducted from your score.

Q: Will there be other scanning activity or “noise” on the networks?
A: Yes. Where possible we are trying to simulate “normal” network activity so not all the scanning traffic will be from the red team and not all the email, HTTP, DNS traffic will be from the scoring engine. We will be using traffic generators.

Q: Are you just checking to see if ports are open or will you actually be testing the services?
A: Both. We will check for basic connectivity as well as functionality. For example, if we attempt to deliver an email we may attempt to send it using one Grand Chasm user account and then check to ensure it was received by a different Grand Chasm user. For web pages, we will be polling and comparing content.

Q: Are the central infrastructure items valid red team targets (global DNS, etc…)?
A: No. The red team will not examine/assess any of the central infrastructure items.

Q: Can we change passwords?
A: Yes, but remember that, just like in the corporate world, if you change a user’s password you must notify the user. In this case, if you change the password for any user account you must inform the white team prior to the password change and provide the account name, the new password, when it is being changed, etc. Failure to notify the white team in a prompt manner could lead to the failure of service checks and a loss of points.

Q: Can we bring books/reference materials with us?
A: Absolutely. Bring any books, handouts, notebooks, etc. that you feel would be helpful. You may also load electronic documentation on the system you are bringing to the competition.

Q: Should we bring pens and paper?
A: Yes. Feel free to bring in pens, highlighters, blank notebooks, etc.

Q: Are the systems going to be working when we get access to them?
A: Yes, all the systems will be running and “functional” meaning they will be working and will be responding to the scoring checks – this is an operational network. That does not mean they will all be perfectly configured.

Q: Will we have a KVM and a single monitor, or will we have a monitor for every machine?
A: Some servers will be connected to a KVM but most will have their own monitor.

Q: Will the competition systems be connected to the Internet?
A: No – the actual competition network will not be connected to the Internet. Each team will be provided with an Internet-connected PC running Windows XP Pro where they can download software, patches, use Google, etc. The Internet PC cannot be connected to the competition network at any time.


Q: For the "business tasks"/injects, if our team is able to suggest a more secure alternative that meets the same objective, and doesn't require a CS degree to carry out (i.e. it's easy for a management type), can we substitute that alternative and still receive full credit?
A: The business tasks will be similar to business tasks you may receive in a corporate environment – you’ll be asked to provide a service or a function. If you can come up with a better, faster, more secure way of providing that service or function, by all means do so. For example, we are going to ask you to provide an FTP service with the following files and accounts – how you support that FTP service and what software you use is up to you.

Q: What IP address will the scoring engine be on?
A: The IP address of the scoring engine will change periodically throughout the competition.

Q: Does the scoring engine just check availability of services?
A: No – the scoring engine will be checking functionality as well so it’s not enough to have something “listening” to a specific port. The scoring engine will check to make sure a web server exists and is actually providing content, a mail server actually sends and receives mail, a DNS server responds to queries, etc.
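The two answers above (connectivity plus functionality, and "listening on a port is not enough") are the core of how service checks work. The following is an added example, written for this page and not the CCDC scoring engine's code, of a checker that reports availability and functionality separately. It starts three constructed loopback servers (a web server returning the expected page, one returning the wrong content, and a socket that accepts connections but never speaks HTTP) and runs the same check against each; the expected body string and server names are constructed for the demo.

```python
"""Functional service check versus a bare port check.

Added example (not the CCDC scoring engine): constructed local servers
stand in for a team's web server in different states, and the checker
reports "port open" and "functional" as separate results.
"""
import socket
import socketserver
import threading
from http.client import HTTPConnection, HTTPException
from http.server import BaseHTTPRequestHandler

# Constructed expected content; a real check would compare against a
# known-good copy of the page, as the FAQ describes ("polling and comparing content").
EXPECTED_BODY = b"Welcome to Grand Chasm"


class _ContentHandler(BaseHTTPRequestHandler):
    """Minimal HTTP server that always returns the class attribute `body`."""
    body = EXPECTED_BODY

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(self.body)))
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, *args):  # keep demo output quiet
        pass


def start_http(body):
    """Start an HTTP server on a free loopback port that serves `body`."""
    handler = type("Handler", (_ContentHandler,), {"body": body})
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def start_bare_listener():
    """Accept TCP connections but never speak HTTP: 'listening' only."""
    server = socketserver.TCPServer(("127.0.0.1", 0), socketserver.BaseRequestHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def port_open(host, port, timeout=2.0):
    """Availability check: can we complete a TCP handshake?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_content_ok(host, port, path, expected, timeout=2.0):
    """Functionality check: a 200 response whose body contains `expected`."""
    conn = HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status == 200 and expected in resp.read()
    except (OSError, HTTPException):  # refused, reset, empty reply, bad status line
        return False
    finally:
        conn.close()


def service_check(host, port, path="/", expected=EXPECTED_BODY):
    """One scoring row: availability and functionality reported separately."""
    return {"port_open": port_open(host, port),
            "functional": http_content_ok(host, port, path, expected)}


def stop(server):
    """Shut down a server started above and release its port."""
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    cases = {
        "web server with expected content": start_http(EXPECTED_BODY),
        "web server with wrong content": start_http(b"placeholder page"),
        "bare listener (port open, no HTTP)": start_bare_listener(),
    }
    for name, server in cases.items():
        port = server.server_address[1]
        print(f"{name:36s} {service_check('127.0.0.1', port)}")
        stop(server)
```

Only the first server scores as functional; the other two would pass a port scan yet fail the check, which is the distinction the FAQ is drawing. Teams can run the same kind of check against their own services between scoring rounds, and an active-response mechanism that blocks a checker like this one is exactly the scoring-engine interference the first FAQ answer warns about.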

Q: Will DoS attacks be used?
A: We will allow the red team limited use of DoS attacks if it permits a secondary exploitation; however, use will be extremely limited. The red team is not there to simply pound on or crash servers.

Q: Will we get copies of the traffic logs?
A: The CCDC will be recording all traffic going through the master switch – this includes traffic to/from the red team. These logs will be made available to all participating teams upon request after the competition.

Q: Will the red team be attacking any of the global resources?
A: No – the red team will not be attacking any of the global resources. They will only be examining team systems.

© The University of Texas at San Antonio.
6900 N. Loop 1604 West—San Antonio, TX 78249—(210) 458-4011