BruCON 0x06 Network Review

Network AccessOnce again, here is my quick review about the BruCON network that we deployed for our beloved attendees! Yes, we are glad to take care of your packets during the conference. Nothing changed since the last edition, we deployed the same network in the same venue with the same controls in place. But this year, the biggest change was our brand new wall of sheep…

Let’s start with some stats! Our Internet bandwidth was the same as last year: a 100Mbits wireless link. This is was enough as we had peaks up to 80 Mbits of traffic. Hélas, our partner which provides the Internet pipe is still not ready to deliver IPv6.

Traffic Overview
(Click to enlarge)

We provide two networks: a “public” for the visitors and a “private” one for the crew, the speakers which is not sniffed. The Wi-Fi network is the most used but more and more people decided to stick to 3G/4G connectivity to avoid connecting to the wild network. We detected 334 unique MAC addresses which requested an IP address during the conference. The split across the different client types is shown below.

(Click to enlarge)
(Click to enlarge)
(Click to enlarge)
(Click to enlarge)
(Click to enlarge)
(Click to enlarge)

About the applications used, HTTP remains in first position, not a surprise. If HTTP remains the top protocol, SSL & OpenVPN came in 2nd and 3rd position. This means that people also tend to use encrypted communications.

(click to enlarge)
(click to enlarge)

DNS is always a goldmine.  Here is a top-20 of requests that we captured (based on DNS traffic, whatever DNS servers were used!). To clean up the mess, I removed the PTR requests.

Count Query
28847 google
25334 a.t
19089 google.com
11895 wpad
9113 t.co
5738 brucon
5487 brucon.org
4917 apple.com
4102 ey.net
3956 pentesteracademy
3733 appspot.l.google.com
3697 pentesteracademylab.appspot.com
3434 printer
3314 facebook.com
3158 amazon.com
2773 images.amazon.com
2752 ecx.images-amazon.com
2730 twitter.com
2520 ssl
2422 clients.l.google.com

Personnally, next year, I’d like to create some honeypots to redirect the traffic to hosts like “wpad” (Web Proxy Autodiscovery Protocol) or “printer” ;-). We provided a DNS server via DHCP but many people have fixed DNS servers configured. Funny, lot of them where RFC1918 IP addresses not used on the BruCON network. Corporate servers?

Count DNS Server
131815 10.4.0.1 (BruCON official DNS)
73294 224.0.0.251
32559 ff02::fb
14887 224.0.0.252
13939 ff02::1:3
6544 8.8.8.8 (Google)
2294 172.246.84.42
883 8.8.4.4 (Google)
565 86.39.202.67
500 208.67.222.222 (OpenDNS)

We detected network flows with ~25K unique hosts over the world. Mainly to the Europe and United States.

Connections Map
(Click to enlarge)

It’s also interesting to search for errors or “weird” traffic. Here is the top-20 of problems/suspicious traffic detected by Bro:

Count> Suspicious Behavior
7891 dns_unmatched_msg
3578 dns_unmatched_reply
1607 data_before_established
1456 unmatched_HTTP_reply
1342 possible_split_routing
1017 unescaped_special_URI_char
1015 window_recision
884 line_terminated_with_single_CR
811 above_hole_data_without_any_acks
734 TCP_ack_underflow_or_misorder
453 unknown_packet_type
350 dns_unmatched_msg_quantity
294 DNS_Conn_count_too_large
284 TCP_seq_underflow_or_misorder
270 unknown_protocol_2
210 zero_length_ICMPv6_ND_option
178 non_ip_packet_in_egre
177 bad_HTTP_request
173 connection_originator_SYN_ack
169 inflate_failed

We also provider a Tor SOCKS proxy to the visitors but it was not eavily used… Maybe promote it more next year? But the brand new wall of sheep was a great success. It is a modified version of Dofler and offers the following features:

  • Display pictures on-the-fly
  • Capture credentials from clear-text protocols
  • Scan for vulnerable hosts on the network (via PVS)
  • Display a graph of protocols usage
(Click to enlarge)
(Click to enlarge)

Displaying pictures on the fly is dangerous when hackers will be the primary target. That’s why I implemented a skin-color detection filter to prevent most of the p0rn images to be displayed on the wall-of-sheep. Of course, it became quickly a new game for some attendees who tried to display all kind of (not only p0rn) pictures. Most of the time they succeeded but the filter was working quite well nevertheless. Check the two following impressive numbers:

  • 80.838 pictures were captured over the three days
  • 18.052 pictures were detected as “p0rn”

About the captured accounts, even if people are more aware and are trying to protect themselves, we collected 242 accounts:

  • POP3
  • IMAP
  • HTTP
  • FTP
  • IRC
  • NNTP

That’s all for my wrap-up!

4 comments

  1. That’s interresting, thank you for the report. Is the code for the skin detection is public somewhere ?

  2. Images are extracted on the fly from TCP flows… There is not relation between the images & URLS.
    On the todolist: when an image is extracted, capture also the source IP address and blacklist it if the image is detected as p0rn.

    /x

  3. You might want to harden that filter. By simply visiting a p0rn site (which wasn’t blocked because the word wasn’t in the url), I managed to get quite some of those on the wall. Followed by ofcourse come hentai from a Google img search and the “All your base are belong to us” classic 😉
    BTW: It also became a game to get some of your own (fake) credentials in the list 😛

Leave a Reply

Your email address will not be published. Required fields are marked *