
Welcome to the Official Collegiate Cyber Defense Competition™ Website

Competition Information
2008 National Collegiate Cyber Defense Competition
April 18th - 20th 2008
San Antonio, TX


    2007 National CCDC Rules and FAQs

    We are encouraging questions and comments on the rules and team packets. Please email any questions or comments to info@nationalccdc.org. As questions about the 2007 competition are answered, the FAQ below will be updated.

    2007 CCDC Team Packet in MS Word can be found here
    2006 CCDC Team Packet in MS Word can be found here


    2008 National CCDC Rules

    Updated on 01/22/2008

    1. Student Teams
    2. Competition Systems
    3. Competition Play
    4. Scoring
    5. Internet Usage
    6. Questions and Disputes
    1. Student Teams
      1. Each team will consist of up to eight (8) members.  Each team member must be a full-time student of the institution the team is representing and must not be currently employed in the IT industry (security operations, network administrator, system administrator, programmer, network operations, help desk, etc.) as a salaried employee or as an hourly employee for more than 20 hours per week.  Team members must qualify as full-time students as defined by the institution they are attending - typically this means the team member must be enrolled in 12 or more semester credit hours for undergraduates and 9 or more semester credit hours for graduate students during the semester the competition is held.
      2. Each team may have no more than two (2) graduate students as team members.
      3. Each team may have one advisor present at the competition – this may be a faculty/staff member of the institution or a team sponsor.  The advisor may not assist or advise the team during the competition.
      4. All team members will wear badges identifying team affiliation at all times during competition hours.
      5. Each team will designate a Team Captain for the duration of the competition to act as the team liaison between the competition staff and the teams before and during the competition.
      6. If a member of a qualifying team is unable to attend the national competition, that team may substitute another student in their place provided the substitute meets all stated eligibility requirements.
    2. Competition Systems
      1. Each team will start the competition with identically configured systems.
      2. Teams may not remove any computer, printer, or networking device from the competition area.
      3. Teams will be provided the overall system architecture, network configuration, and initial set-up prior to the event to permit planning but no detailed information, such as patch levels and application versions, will be provided ahead of time.
      4. Teams should not assume any competition system is properly functioning or secure; they are assuming recently hired administrator positions and are assuming responsibility for each of their systems.
      5. All teams will be connected to a central router and scoring system.
      6. Throughout the competition, Operations and White Team members will occasionally need access to a team’s system(s) for scoring, troubleshooting, etc.  Teams must allow Operations and White Team members access when requested.
      7. Teams must not connect any outside devices or peripherals to the competition network.
      8. Network traffic generators will be used throughout the competition to generate traffic on each team’s network.  Traffic generators will generate typical user traffic as well as suspicious or potentially malicious traffic from random source IP addresses throughout the competition.
      9. Teams must maintain specific services on the “public” IP addresses assigned to their team – for example, if a team’s web service is provided to the “world” on 10.10.10.2, the web service must remain available at that IP address throughout the competition.  Moving services from one public IP to another is not permitted; however, teams are free to NAT addresses inside their team networks.
      10. Teams are not permitted to alter the system names of their assigned systems.
      11. Teams are not permitted to remove or alter any labels/stickers that are present on their assigned systems.
      12. Teams will have access to a “Restore from Backup” capability that will reset any system to its initial starting configuration.  This service will be performed by the Operations Team and will cost the team 50 points per system recovered.
      13. Each team will be provided with a set of install disks for the operating systems and major applications used in the competition network.  These may be used to reload systems, add/remove functionality, reinstall, etc.
      14. Systems designated as “user workstations” are to be treated as user workstations and may not be re-tasked for any other purpose by teams.  They must remain user workstations throughout the entire competition unless otherwise directed by an Operations or White Team member or indicated through competition injects.  Teams may not change the operating system on user workstations but are free to patch and secure user workstations.
      15. Teams may not modify the hardware configurations of competition systems.  Teams must not open the case of any server, printer, PC, monitor, KVM, router, switch, firewall, or any other piece of equipment used during the competition.  All hardware related questions and issues should be referred to the White Team.
      16. In addition to user workstations each network will have one “admin workstation”. Teams are free to modify the operating system and load tools, scripts, or applications on this workstation; however, this administrative workstation may not be used to provide critical services such as SMTP, FTP, HTTP, etc.
      17. Servers and networking equipment may be re-tasked or reconfigured as needed.
    3. Competition Play
      1. The competition will run over a three day period (Friday April 18th to Sunday April 20th).  Registration will occur on Friday April 18th and a mandatory meeting for all team members and faculty sponsors will be held prior to the start of the competition.
      2. During the competition team members are forbidden from entering or attempting to enter another team’s competition workspace or room.
      3. All requests for items such as software, score checks, system resets, and service requests must be submitted on paper (typed and printed) to the Operations Team.  Requests must clearly show the requesting team, action or item requested, and date/time requested. 
      4. Teams must compete without “outside assistance” from non-team members which includes team advisors and sponsors. All private communications (calls, emails, chat, directed emails, forum postings, conversations, requests for assistance, etc) with non-team members including team sponsors that would help the team gain an unfair advantage are not allowed and are grounds for disqualification.
      5. No PDAs, memory sticks, CDROMs, electronic media, or other similar electronic devices are allowed in the room during the competition unless specifically authorized by the Operations or White Team in advance.  All cellular calls must be made and received outside of team rooms.  Any violation of these rules will result in disqualification of the team member and a 200 point penalty assigned to the appropriate team.
      6. Teams may not bring any computers, tablets, PDAs, or wireless devices into the competition area.  MP3 players with headphones will be allowed in the competition area provided they are not connected to any system or computer in the competition area.
      7. Printed reference materials (books, magazines, checklists) are permitted in competition areas and teams may bring printed reference materials to the competition.
      8. Team sponsors and observers are not competitors and are prohibited from directly assisting any competitor through direct advice, “suggestions”, or hands-on assistance.  Any team sponsor or observers found assisting a team will be asked to leave the competition area for the duration of the competition and a 200 point penalty will be assessed against the team.
      9. An unbiased Red Team will probe, scan, and attempt to penetrate or disrupt each team’s daily operations throughout the competition.
      10. Team members will not initiate any contact with members of the Red Team during the hours of live competition. Team members are free to talk to Red Team members, Operations staff, White Team members, other competitors, etc. outside of competition hours.
      11. On occasion, Operations Team members may escort individuals (VIPs, press, etc) through the competition area including team rooms.
      12. Only Operations Team members will be allowed in competition areas outside of competition hours.
      13. All individuals involved with the competition will be issued badges which must be worn at all times individuals are in the competition area.
      14. Teams are permitted to replace applications and services provided they continue to provide the same content, data, and functionality of the original service.  For example, one mail service may be replaced with another provided the new service still supports standard SMTP commands, supports the same user set, and preserves any pre-existing messages users may have stored in the original service.  Failure to preserve pre-existing data during a service migration will result in a 50 point penalty for each user and service affected.
      15. Teams are free to examine their own systems but no offensive activity against other teams, the Operations Team, the White Team, or the Red Team will be tolerated.  This includes port scans, unauthorized connection attempts, vulnerability scans, etc.  Any team performing offensive activity against other teams, the Operations Team, the White Team, the Red Team, or any global asset will be immediately disqualified from the competition.  If there are any questions or concerns during the competition about whether or not specific actions can be considered offensive in nature contact the Operations Team before performing those actions.
      16. Each team may change passwords for administrator level and user level accounts.  Any password changes to user accounts must be provided to the White Team with a minimum of 15 minutes advance warning prior to the changes being implemented (unless the password changes are part of a competition tasking).  Failure to notify the White Team of user level password changes can result in service check failures.  Teams are required to provide modified passwords in the electronic format specified.  Please note that the White Team will not error check the provided password changes – they will simply upload the provided changes.
      17. Teams are allowed to use active response mechanisms such as TCP resets when responding to suspicious/malicious activity.  Any active mechanisms that interfere with the functionality of the scoring engine or manual scoring checks are exclusively the responsibility of the teams.  Any firewall rule, IDS, IPS, or defensive action that interferes with the functionality of the scoring engine or manual scoring checks are exclusively the responsibility of the teams.
      18. The White Team will provide a mechanism to show teams the official status of their critical services during the last scored service check.

    4. Scoring
      1. Scoring will be based on keeping required services up, controlling/preventing un-authorized access, and completing business tasks that will be provided throughout the competition.  Teams accumulate points by successfully completing injects and maintaining services.  Teams lose points by violating service level agreements, usage of recovery services, and successful penetrations by the Red Team.
      2. Scores will be maintained by the White Team, but will not be shared until the end of the competition.  There will be no running totals provided during the competition.  Team standings will be provided at the beginning of day two and three but without specific scores.
      3. Any team action that interrupts the scoring system is exclusively the fault of that team and will result in a lower score.  Should any question arise about specific scripts or how they are functioning, the Team Captain should immediately contact the competition officials to address the issue.
      4. Any team that tampers with or interferes with the scoring or operations of another team’s systems will be disqualified.
      5. Teams are strongly encouraged to provide incident reports for each Red Team incident they detect.  Incident reports can be completed as needed throughout the competition and presented to the White Team for collection.  Incident reports must contain a description of what occurred (including source and destination IP addresses, timelines of activity, passwords cracked, etc), a discussion of what was affected, and a remediation plan.  A thorough incident report that correctly identifies a successful Red Team attack will reduce the Red Team penalty by up to 50 percent – no partial points will be given for incomplete or vague incident reports.
    5. Internet Usage
      1. Competition systems will have direct access to the Internet for the purposes of research and downloading patches. Internet activity will be monitored and any team member caught viewing inappropriate or unauthorized content will be immediately disqualified from the competition. This includes direct contact with outside sources through AIM/chat/email or any other non-public services. For the purposes of this competition inappropriate content includes pornography or explicit materials, pirated media files or software, sites containing key generators and pirated software, etc.  If there are any questions or concerns during the competition about whether or not specific materials are unauthorized contact the Operations Team immediately.
      2. Internet resources such as FAQs, how-to’s, existing forums and responses, and company websites are completely valid for competition use provided there is no fee required to access those resources and access to those resources has not been granted based on a previous purchase or fee. Only resources that could reasonably be available to all teams are permitted. For example, accessing Cisco resources through a CCO account would not be permitted but searching a public Cisco support forum would be permitted.
      3. Teams may not use any external, private electronic staging area or FTP site for patches, software, etc. during the competition. All Internet resources used during the competition must be freely available to all other teams.
      4. Public sites such as Security Focus or Packetstorm are acceptable. Only public resources that every team could access if they chose to are permitted.
      5. No peer to peer or distributed file sharing clients or servers are permitted on competition networks.
      6. All network activity that takes place on the competition network may be logged and is subject to release. Competition officials are not responsible for the security of any personal information, including login credentials that competitors place on the competition network.

    6. Questions and Disputes
      1. Team captains are encouraged to work with the contest staff to resolve any questions or disputes regarding the rules of the competition or scoring methods before the competition begins.
      2. Protests by any team will be presented by the Team Captain to the competition officials as soon as possible.  The competition officials will be the final arbitrators for any protests or questions arising before, during, or after the competition and rulings by the competition officials are final.
      3. In the event of an individual disqualification, that team member must leave the competition area immediately upon notification of disqualification and must not re-enter the competition area at any time. Disqualified individuals are also ineligible for individual awards or team trophies.
      4. In the event of a team disqualification, the entire team must leave the competition area immediately upon notice of disqualification and is ineligible for any individual or team award.           


    Updated on 01/22/2007

    1. Are we allowed to use “active” response mechanisms like automatic TCP resets in Snort?
    2. Will we know when our services are considered to be down?
    3. Will there be any e-commerce sites or custom applications that require a code review?
    4. Will the team have available a network connection in the main switch, outside the team's subnet (so we can scan to see what our network looks like from the outside)?
    5. The rules initially said "open source tools only" but now just say "free."
    6. Are blank CDs allowed?
    7. Is this one continuous contest? Or is it 3 separate runs with different scenarios / networks?
    8. Can we bring our own system or networking device?
    9. How much documentation is desired by the White Team (for incident reports, for example)? Any specific format?
    10. How many boxes will actually be there? Will it be set up as in the layout on Page 5?
    11. What kind of food is allowed in the room?
    12. What happens if hardware fails during the competition?
    13. What specific applications and operating systems will we be using again?
    14. What OS and application disks will you be providing for the teams and what can we bring with us?
    15. Can the team choose to support the network completely in a UNIX environment or a Windows environment, or must the network be "mixed" Operating Systems?
    16. So how does this downtime thing work? Is there any penalty for extended downtime?
    17. Will there be other scanning activity or “noise” on the networks?
    18. Are you just checking to see if ports are open or will you actually be testing the services?
    19. Are the central infrastructure items valid red team targets (global DNS, etc…)?
    20. Can we change passwords?
    21. Can we bring books/reference materials with us?
    22. Should we bring pens and paper?
    23. Are the systems going to be working when we get access to them?
    24. Will we have a KVM and a single monitor, or will we have a monitor for every machine?
    25. Will the competition systems be connected to the Internet?
    26. For the "business tasks"/injects, if our team is able to suggest a more secure alternative that meets the same objective, and doesn't require a CS degree to carry out (i.e. it's easy for a management type), can we substitute that alternative and still receive full credit?
    27. What IP address will the scoring engine be on?
    28. Does the scoring engine just check availability of services?
    29. Will DoS attacks be used?
    30. Will we get copies of the traffic logs?
    31. Will the red team be attacking any of the global resources?
    32. Will the red team be provided network / system information by the operations team?


    Q: Are we allowed to use “active” response mechanisms like automatic TCP resets in Snort?
    A: Absolutely – that’s up to your team. But bear in mind any issues related to the scoring engine and your team’s use of automatic response mechanisms are your responsibility. In other words, if your response mechanism blocks the activity of the scoring engine you will lose points.

    Q: Will we know when our services are considered to be down?
    A: The white team will provide a very simple website that shows the status of each of your core services during the last status check. Each team will have their own password-protected page and only the data from the last service check will be shown. Additionally, teams will be notified directly when an SLA violation occurs (see below for more information on SLAs).

    Q: Will there be any e-commerce sites or custom applications that require a code review?
    A: There will be an e-commerce portal running on a web server with a database backend. It's a semi-standard application but it would be useful to have at least a basic knowledge of HTML and SQL.

    Q: Will the team have available a network connection in the main switch, outside the team's subnet (so we can scan to see what our network looks like from the outside)?
    A: Unfortunately no, but we will have a web-based port scanner available that will scan back any IP address you visit it from.

    Q: The rules say "free tools only".  Can we use tools from Microsoft or any other vendor (non open source) that are available on their web site for public download?
    A: The intent was to limit the use of commercial tools or the ability of one team to "buy" an advantage by using commercial products, not to limit things to open source tools only. The only tool restrictions are that either the tool must be "free", i.e. open source or available to anyone for download at no cost (so every team would have a chance to obtain it), or it must have been written by one of the team members (for example, if you had a team member that wrote a really good log parser in Perl).

    Q: Are blank CDs allowed?
    A: No. We will be providing teams with a limited number of blank CDs and a USB flash drive for file transfer usage. Teams are not allowed to bring any media into the contest area including personal flash drives, floppies, CDs, DVDs, etc.

    Q: Is this one continuous contest? Or is it 3 separate runs with different scenarios / networks?
    A: It's one continuous contest broken up over 3 time periods. Final scores will be cumulative for all 3 sessions. There will be different scenarios/events/injects but they will all involve the same network.

    Q: Can we bring our own system or networking device?
    A: No. Teams may not bring any computer, laptop, external drive, networking device, tablet, PDA, etc… into the competition area. Teams may bring personal MP3 players provided they are not connected to competition systems at any time. Connecting any unauthorized device to the competition network will result in a disqualification of that team.

    Q: How much documentation is desired by the White Team (for incident reports, for example)? Any specific format?
    A: We're not really requiring a specific format - we want each team to develop their own reporting form/format as they would in a business environment.  At a minimum, incident reports must contain a description of what occurred (including source and destination IP addresses, timelines of activity, passwords cracked, etc), a discussion of what was affected, and a remediation plan.

    Q: How many boxes will actually be there? Will it be set up as in the layout on Page 5?
    A: Initial network details will be provided in the team packet.

    Q: What kind of food is allowed in the room?
    A: No drinks or food will be allowed in the team rooms. We will have a break area a short distance from the team rooms where we will provide drinks and snacks to the competitors.

    Q: What happens if hardware fails during the competition?
    A: That really depends on the failure. We will have some spares, but they are limited. In the worst case, if one team loses a particular system, everyone will lose that same system and we will adjust scoring to compensate.

    Q: What specific applications and operating systems will we be using again?
    A: While we don't want to spoil things by providing exact versions, we can provide the following list of applications and operating systems that might appear in the competition networks:

    Operating Systems:
      • Windows 2003
      • Windows 2000 Server and Professional
      • Windows XP Professional
      • Windows Vista
      • Various BSD Distributions
      • Various Linux Distributions
      • Solaris

    Applications:
      • IIS
      • MySQL
      • BIND / MS-DNS
      • Sendmail / Exchange / qmail
      • Apache
      • Samba
      • OpenSSL
      • SSH
      • Microsoft Office
      • Active Directory


    Q: What OS and application disks will you be providing for the teams and what can we bring with us?
    A: Each team will be provided with the basic operating system install disks that are in the provided environment. For example, if a system is running Windows 2003 in the environment there will be a Windows 2003 install disk available for each team. Any commercial security applications distributed for the competition will also be available on disk for each team. Teams should not bring any software, operating systems, or tools with them to the competition.  Free operating systems, tools, and applications may be downloaded during the competition.

    Q: Can the team choose to support the network completely in a UNIX environment or a Windows environment, or must the network be "mixed" Operating Systems?
    A: There is no requirement to maintain a "mixed" environment. Teams will be penalized for downtime and lost functionality, not for OS or application choice, but teams must replicate the operational capabilities/functions of the original environment including all existing files, emails, web pages, etc.

    Q: So how does this downtime thing work? Is there any penalty for extended downtime?
    A: Teams are given points for each successful service check performed. For each failed service check they will receive no points. Each of the services has an attached Service Level Agreement (SLA) so the longer services are “down” or nonfunctional the more serious the situation becomes (as it would in any operational environment). In this competition we will deduct points from a team’s score for extended downtime per the SLA below:

    Service down for over 1 hour: -20 points
    Service down for over 2 hours: -40 points
    Service down for over 3 hours: -50 points
    -50 points for each additional hour of downtime

    So if your web service is continuously down or unavailable for two hours your team will have a total of 60 points deducted from your score.
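    The SLA arithmetic above, worked through as an added example (this is not the competition's scoring engine, whose log format the FAQ does not publish): a Python script that reads constructed service-check results, finds each continuous outage per service and applies the tiers. Two points the rules leave implicit are assumed here: an outage runs from the first failed check to the next passing check (or to the last check seen, if the service is still down at the end of the log), and a tier applies once downtime reaches that many whole hours, which is what makes the FAQ's own two-hour example cost 20 + 40 = 60 points; beyond three hours, 50 more points per additional full hour. The log lines, service names and timestamps are constructed for the example.

```python
"""SLA downtime penalty calculator (constructed illustration of the CCDC SLA tiers).

Assumptions not stated in the rules (mine, not the organizers'):
  * an outage runs from the first failed check to the next passing check;
  * a tier applies once downtime reaches that many whole hours;
  * beyond three hours, 50 more points per additional full hour.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample in a made-up "timestamp service status" format; the real
# scoring engine's output is not published. Checks need not be evenly spaced.
SAMPLE_CHECKS = """\
2008-04-19T09:00 http up
2008-04-19T09:00 dns up
2008-04-19T09:00 smtp up
2008-04-19T09:15 http down
2008-04-19T09:15 dns down
2008-04-19T09:15 smtp down
2008-04-19T09:30 http down
2008-04-19T09:30 dns down
2008-04-19T09:30 smtp down
2008-04-19T10:00 http down
2008-04-19T10:00 dns up
2008-04-19T10:00 smtp down
2008-04-19T11:30 http up
2008-04-19T11:30 smtp down
2008-04-19T13:00 ftp down
2008-04-19T13:45 smtp up
2008-04-19T13:45 ftp down
"""


def sla_penalty(hours_down: float) -> int:
    """Points deducted for one continuous outage lasting hours_down hours."""
    penalty = 0
    if hours_down >= 1:
        penalty += 20          # "down for over 1 hour"
    if hours_down >= 2:
        penalty += 40          # "down for over 2 hours"
    if hours_down >= 3:
        penalty += 50          # "down for over 3 hours"
        penalty += 50 * int(hours_down - 3)   # each additional full hour
    return penalty


def parse_checks(text: str):
    """Yield (timestamp, service, status) from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, service, status = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M"), service, status.lower()


def outages(text: str) -> dict:
    """Return {service: [(start, end), ...]} for every continuous outage."""
    checks = sorted(parse_checks(text))      # chronological order
    open_outage = {}                         # service -> start of current outage
    last_seen = {}                           # service -> timestamp of latest check
    result = defaultdict(list)
    for ts, service, status in checks:
        last_seen[service] = ts
        if status == "down":
            open_outage.setdefault(service, ts)   # repeated "down" does not restart
        elif service in open_outage:
            result[service].append((open_outage.pop(service), ts))
    # A service still down when the log ends is charged up to its last check.
    for service, start in open_outage.items():
        result[service].append((start, last_seen[service]))
    return dict(result)


def penalties(text: str) -> dict:
    """Return {service: total SLA points deducted} over all outages in the log."""
    totals = {}
    for service, windows in outages(text).items():
        totals[service] = sum(
            sla_penalty((end - start).total_seconds() / 3600) for start, end in windows
        )
    return totals


if __name__ == "__main__":
    for service, windows in sorted(outages(SAMPLE_CHECKS).items()):
        for start, end in windows:
            hours = (end - start).total_seconds() / 3600
            print(f"{service:5s} down {hours:4.2f} h -> -{sla_penalty(hours)} points")
    print(penalties(SAMPLE_CHECKS))
```

    In the constructed log the HTTP outage runs 2h15m and costs 60 points, matching the FAQ's example; DNS (45 minutes) and the still-open FTP outage never reach the first tier, while SMTP at 4h30m collects all three tiers plus one additional full hour.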

    Q: Will there be other scanning activity or “noise” on the networks?
    A: Yes. Where possible we are trying to simulate “normal” network activity so not all the scanning traffic will be from the red team and not all the email, HTTP, DNS traffic will be from the scoring engine. We will be using traffic generators.

    Q: Are you just checking to see if ports are open or will you actually be testing the services?
    A: Both. We will check for basic connectivity as well as functionality. For example, if we attempt to deliver an email we may attempt to send it using one user account and then check to ensure it was received by a different user. For web pages, we will be polling and comparing content.

    Q: Are the central infrastructure items valid red team targets (global DNS, etc…)?
    A: No. The red team will not examine/assess any of the central infrastructure items.

    Q: Can we change passwords?
    A: Yes, but remember, just like the corporate world, if you change a user’s password you must notify the user. In this case if you change the password for any user account you must inform the white team prior to any password change and provide the account name, new password, when it is being changed, etc… Failure to notify the white team in a prompt manner could lead to the failure of service checks and a loss of points.

    Q: Can we bring books/reference materials with us?
    A: Absolutely. Bring any books, handouts, notebooks, etc. that you feel would be helpful.

    Q: Should we bring pens and paper?
    A: Yes. Feel free to bring in pens, highlighters, blank notebooks, etc.

    Q: Are the systems going to be working when we get access to them?
    A: Yes, all the systems will be running and “functional”, meaning they will be working and will be responding to the scoring checks – this is an operational network. That does not mean they will all be perfectly configured.

    Q: Will we have a KVM and a single monitor, or will we have a monitor for every machine?
    A: Some servers will be connected to a KVM but most will have their own monitor.

    Q: Will the competition systems be connected to the Internet?
    A: Yes and no – the actual team networks will not be directly connected to the Internet. Each team will be able to route out of the central network where they can download software, patches, use Google, etc. WARNING: All Internet traffic is monitored for rule violations and inappropriate content.


    Q: For the "business tasks"/injects, if our team is able to suggest a more secure alternative that meets the same objective, and doesn't require a CS degree to carry out (i.e. it's easy for a management type), can we substitute that alternative and still receive full credit?
    A: The business tasks will be similar to business tasks you may receive in a corporate environment – you’ll be asked to provide a service or a function. If you can come up with a better, faster, more secure way of providing that service or function, by all means do so. For example, we are going to ask you to provide an FTP service with the following files and accounts - how you support that FTP service and what software you use is up to you.

    Q: What IP address will the scoring engine be on?
    A: The IP address of the scoring engine will change periodically throughout the competition.

    Q: Does the scoring engine just check availability of services?
    A: No – the scoring engine will be checking functionality as well so it’s not enough to have something “listening” on a specific port. The scoring engine will check to make sure a web server exists and is actually providing the correct content, a mail server actually sends and receives mail, a DNS server responds to queries, etc.

    Q: Will DoS attacks be used?
    A: We will allow the red team limited use of DoS attacks if it permits a secondary exploitation; however, use will be extremely limited.  No network flooding attacks will be used.

    Q: Will we get copies of the traffic logs?
    A: The National CCDC will be recording all traffic going through the master switch – this includes traffic to/from the red team. These logs will be made available to all participating teams upon request after the competition.

    Q: Will the red team be attacking any of the global resources?
    A: No – the red team will not be attacking any of the global resources. They will only be examining team systems.

    Q: Will the red team be provided network / system information by the operations team?
    A: No – the red team will not be provided any network or system information before the competition begins. They will have to examine the systems as an outside attacker with no internal information. Once the red team arrives on site they will be given a set of rules and guidelines, their IP ranges, a list of target subnets, and that's about it.

    All Rights Reserved 2007