This is a contest of attack and defense. The contest begins at 8AM on April 21
and ends in the evening of April 23. Prizes for winners: $150 for 1st place
(as measured by number of points), $100 for second place, $50 for third place.
It is OK for groups to form and work together to trade for resources so as to
be able to build weapons, vehicles, and computers or to manipulate the market
value of raw materials and finished products.
You grade depends on both the outcome of the contest and a final report. The
weighting is 25% contest, 75% final report. See below for specifics.
The final report is due 11:59PM, May 1 (OK, if you are a little late and I
have some other reports to read I will still accept it).
I assume you are running the Client in a VM to avoid damage to your host OS.
Rules of Engagement:
- It is not OK to attempt to break out of the VPN network. That is,
team members should stick to poking IP address 10.8.0.XX where XX is a
number from 50 to 99.
- If a VM is compromised (that is, password is discovered and opposing
team can enter the VM and become root) it is not OK to attempt to open
a connection to UC's network from the compromised VM.
- It is OK to attack during the contest only.
- Recovery using a snapshot violates the spirit of the contest
but if you must, please ask permission from me first.
- It is OK to transfer files between the host OS and the VM but not
between the VM and a UC node.
- Points are deducted from the final score where the final report
indicates an attack that was actually benign traffic or has no mention
of an attack that occurred.
- It is OK to add or remove packages from the VM. For example, you may
want to add some analysis tools and remove some potentially dangerous
packages that are not needed.
- If you do something that is not OK points will be taken away from
your final contest score which is 40% of your grade in the course.
If you have not competed you get no score from the contest contribution.
If your activity in the contest is low, you will get a low score from
the contest portion of the grade. I will not assign a number to what
constitutes low activity to prevent some minimalists from reaching that
number and then leaving the contest. If you are generally active in the
contest, and throughout the contest, you will get a high score even if
you wealth is stolen. But, if your identity has been stolen and you
give up getting it back, then a low score will result for you. To get
your identity back email a request to me and I will send your current
password and cookie to you. It is OK to ask for your password and
cookie a few times. If you are asking for password and cookie regularly
then that will affect the final contest score because it shows you
are doing nothing about having your identity stolen.
Final Report (75%):
The grade for the contest depends mainly on the final report that you
submit. It is OK for several people to submit a report together if they
worked together during the contest. The report should include the following
- Preparation: state the result of any analysis you did before
the contest. Include the following subsections:
- vulnerabilities discovered in the monitor source code.
- vulnerabilities discovered in the client source code.
- vulnerabilities discovered in the contest communication protocol.
- vulnerabilities in the network.
- Attack: state and describe the attacks you made on opponents.
State who the opponents were and the times the attacks were launched.
State whether the attacks were successful. State the outcome of the
attacks: for example, was some client or monitor fooled into
transferring wealth to you or did you steal wealth, or did you cause
an opponent's wealth to disappear from the contest?
- Defense: describe how you prevented attacks from succeeding
(perhaps you used a firewall with specific rules - but there are lots
of other ways). State when attacks took place. State where the attack
came from (ip address). State the outcome of attacks (did you succeed
or did you lose wealth or were you blocked from transferring wealth or
receiving wealth from the monitor?). State the time attacks took place.
- Learned: state what was learned. Was there anything you
discovered during the contest that is worthy of note (restricted to
vulnerabilities). Is there something you would do differently next time
to protect yourself or to attack?