CTF365 – Points, Scoring System and Rules
At this moment our scoring points are pretty straight and simple:
Deface – 75 points
XSS – 200
SQLi – 500
Private Enumeration – 600
TakeOver – 1000
The idea was to keep it simple for Alpha and Beta, where points matter only as user experience and game design, to see that it works. When we go live, things will be a little different when it comes to points and rewards.
For example, our first observation was that, before we implemented public-key sign-in on the fortresses, many users didn’t change their default user passwords, and that easily earned 1000 points at the time: 1000 points for a lazy admin (defeated server), not for hard work by the attacker, which led to big gaps between the top teams and the rest. Another problem was that while some lucky but sharp Reds (attackers) got their thousands, other hard-working Reds got 75-200 points after 45-60 minutes for a Deface or an XSS.
No more easy points after we go live.
Our next scoring system will be an algorithm based on a set of inputs with different biases. Some of the inputs will be a combination of multiple factors like uptime/downtime, successful vs. unsuccessful attacks, running services and so on. Service checkers will come from different (spoofed) IPs, so that blocking whole IP ranges in iptables or a WAF doesn’t fool the checks, plus some other tricky tricks to keep users honest. 🙂
The point is that by mimicking the real-world Internet, servers should behave like real ones.
When it comes to CTFs, most of them have automatic scoring servers; others call them GameServers. Their mission: receive the “flags” sent by users, verify them and approve them if they are genuine. Some of them are checkers only; some are a bit more than checkers.
We have a Scoring System. We call it a Scoring System because of its hybrid nature and sophistication: part automatic, part manual, the system incorporates parallel and redundant measures when it comes to monitoring, measuring and approving scores.
It may sound complicated, but when it comes to offering a five-star training platform to special breeds like security professionals and system administrators, nothing is “too much” and everything has to be perfect, or at least close to perfection.
The Score Sending Rules
Yes, after over a month in Alpha it looks like there must be some rules as well, because users over-send / spam our scoring system. As I’ve told you, someone supervises everything, scoring included, and over-sent scorings waste our time and other users’ time too.
We’ll introduce some scoring report rules such as:
If a user sends us the same score multiple times, besides the system blocking the second one, that user will receive some warnings, followed by penalties and finally game exclusion if it keeps going. It is also considered a double (spam) if a user sends us a slightly modified version of a previous scoring vector. Who are we trying to fool here?
If a user sends us different scorings with different vectors, but negative/false ones, first we’ll inform them that next time they should double-check before submitting, followed by delayed timing analysis, followed by another warning and finally exclusion.
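To make the two rules above concrete, here is a small Python model of a scoring server that blocks a repeated or near-identical vector and escalates through warning, penalty and exclusion, and that rejects false scores on a separate ladder. This is an added illustration, not CTF365’s own code: the category points are the ones listed earlier in this post, while the near-duplicate rule (same path and parameter names, whatever the payload values), the escalation ladders, the penalty size, the `demo_verifier` standing in for our manual/automatic checks, and all sample submissions are assumptions.

```python
"""Added example, not CTF365's code: a scoring-server model applying the two
submission rules (duplicate / near-duplicate scores are blocked and escalate;
false scores are rejected and escalate on their own ladder)."""

from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Point values as listed in the post.
CATEGORY_POINTS = {"Deface": 75, "XSS": 200, "SQLi": 500,
                   "Private Enumeration": 600, "TakeOver": 1000}

# Assumed escalation ladders: the n-th offence yields the n-th status and the
# last rung repeats, so an excluded user stays excluded.
DUPLICATE_LADDER = ("duplicate-warning", "duplicate-warning",
                    "duplicate-penalty", "excluded")
FALSE_LADDER = ("false-notice", "false-delay", "false-warning", "excluded")
PENALTY_POINTS = 50  # assumed size of one penalty


@dataclass
class Submission:
    user: str
    target: str    # fortress the score is claimed against
    category: str  # one of CATEGORY_POINTS
    vector: str    # attack vector as reported, e.g. a URL with parameters


@dataclass
class UserState:
    duplicates: int = 0
    false_reports: int = 0
    penalties: int = 0
    excluded: bool = False
    accepted: list = field(default_factory=list)


def normalize(vector: str) -> str:
    """Assumed near-duplicate rule: two vectors count as the same when they
    hit the same path with the same parameter names, whatever the payload
    values, so changing alert(1) to alert(2) in the same parameter collides."""
    parts = urlsplit(vector.strip().lower())
    path = parts.path.rstrip("/") or "/"
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return path + ("?" + "&".join(names) if names else "")


class ScoringSystem:
    def __init__(self, verifier):
        self.verifier = verifier  # verifier(submission) -> bool
        self.seen = set()         # (user, target, category, normalized vector)
        self.users = {}

    def _escalate(self, state, count, ladder):
        status = ladder[min(count, len(ladder)) - 1]
        if status == "duplicate-penalty":
            state.penalties += PENALTY_POINTS
        if status == "excluded":
            state.excluded = True
        return status

    def submit(self, s):
        state = self.users.setdefault(s.user, UserState())
        if state.excluded:
            return "excluded"
        key = (s.user, s.target, s.category, normalize(s.vector))
        if key in self.seen:  # same or slightly modified previous vector
            state.duplicates += 1
            return self._escalate(state, state.duplicates, DUPLICATE_LADDER)
        if not self.verifier(s):  # negative/false scoring
            state.false_reports += 1
            return self._escalate(state, state.false_reports, FALSE_LADDER)
        self.seen.add(key)
        state.accepted.append(s)
        return "accepted"

    def points(self, user):
        state = self.users.get(user, UserState())
        earned = sum(CATEGORY_POINTS[s.category] for s in state.accepted)
        return earned - state.penalties


# Constructed ground truth standing in for the real verification step.
KNOWN_VALID = {("fortress-1", "XSS", "/search.php?q"),
               ("fortress-1", "SQLi", "/index.php?id")}


def demo_verifier(s):
    return (s.target, s.category, normalize(s.vector)) in KNOWN_VALID


def demo():
    """Constructed sequence of submissions from one user; returns the status
    of each one and the user's final points."""
    ss = ScoringSystem(demo_verifier)
    reports = [
        ("XSS", "/search.php?q=<script>alert(1)</script>"),   # accepted
        ("XSS", "/search.php?q=<script>alert(2)</script>"),   # near-duplicate
        ("SQLi", "/index.php?id=1' OR 1=1--"),                # accepted
        ("SQLi", "/index.php?id=1' OR 1=1--"),                # exact duplicate
        ("XSS", "/search.php?q=x"),                           # third duplicate
        ("Deface", "/admin/"),                                 # not verified
        ("XSS", "/Search.php?q=again"),                        # fourth duplicate
        ("TakeOver", "/"),                                     # already excluded
    ]
    statuses = [ss.submit(Submission("red1", "fortress-1", c, v)) for c, v in reports]
    return statuses, ss.points("red1")


if __name__ == "__main__":
    for status in demo()[0]:
        print(status)
    print("points:", demo()[1])
```

The duplicate check runs before verification on purpose: a vector that was already scored should never reach the (partly manual) verifier again, which is exactly the wasted time the rules are meant to prevent.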
Below you have a snapshot of wrong and right scoring submissions.
My advice: think twice before you do it. Ask your mates. They are your “365 family”; trust them until proven otherwise. After all, you teamed up, right?
So these are a few thoughts, facts and future moves regarding Points, Scoring System and Rules.
Stay secure while having fun. 🙂