Online environment intelligent deployment system and method for CTF online competition platform
Technical Field
The invention relates to an online environment intelligent deployment system and method for a CTF online competition platform (OJ platform), and belongs to the technical field of information processing.
Background
CTF (Capture The Flag), generally translated into Chinese as a flag-capturing contest, is a popular form of information security competition. Its general flow is that the competing teams first obtain a string, or other content in a given format, from the competition environment provided by the organizer, by means such as attack-and-defense confrontation and program analysis, and then submit it to the organizer to score. For convenience, such content is referred to as a "flag". CTF competition formats mainly comprise three types: the problem-solving mode, the attack-and-defense mode and the mixed mode.
First, problem-solving mode (Jeopardy)
In the problem-solving mode CTF competition system, competing teams may participate over the Internet or over a venue network. A CTF competition in this mode is similar to an ACM programming contest or an informatics olympiad: teams are ranked by the point value of the network security challenges they solve and the time taken, and the mode is generally used for online qualifiers. Challenge categories mainly include reverse engineering, vulnerability discovery and exploitation, Web penetration, cryptography, forensics, steganography, secure programming and the like.
Second, attack-and-defense mode (Attack-Defense)
In the attack-and-defense mode CTF competition system, competing teams attack and defend each other in a network space: they discover vulnerabilities in network services, attack opponents' services to score, and patch the vulnerabilities in their own services so as not to lose points. The attack-and-defense mode CTF competition system can reflect the state of the competition through the scores in real time and finally decides victory or defeat directly by score; it is a network security competition system with fierce competition, strong spectator appeal and high transparency. This system tests not only the intelligence and skill of the players, but also their physical stamina (as the competition generally lasts 48 hours or more) and the division of labor and cooperation within a team.
Third, mixed mode (Mix)
The CTF competition system combining the problem-solving mode and the attack-and-defense mode lets a competing team obtain some initial points by solving challenges, then carries out a zero-sum game of gaining and losing points through attack-and-defense confrontation, and finally decides victory or defeat by the final score.
The problem-solving mode generally takes place in online competitions, and various CTF online competition platforms have been built for it. A conventional CTF online competition platform adopts a loosely coupled mechanism between challenges and the platform: for a challenge that requires an environment, the challenge environment must be deployed in advance and the challenge content entered, and during the competition the CTF online competition platform merely guides the user to the pre-existing content and environment to answer. This approach has two main disadvantages. First, the environment must be redeployed every time and the challenge cannot be effectively reused; because of the security nature of CTF challenges, a large amount of manual time is spent verifying the environment on every deployment. Second, all contestants visit the same environment during the competition and interfere with one another, so CTF challenge types that contain interference items cannot be solved online, and the real environment cannot be fully simulated.
Disclosure of Invention
The purpose of the invention is as follows: aiming at the problems in the prior art, the invention provides an online environment intelligent deployment system and an intelligent deployment method for a CTF online competition platform, which realize intelligent generation and recovery of challenge environments, improve deployment efficiency, and effectively ensure the independence of each challenge environment and of its network.
The technical scheme is as follows: in order to achieve the purpose, the invention adopts the following technical scheme:
An online environment intelligent deployment system for a CTF online competition platform comprises: an online competition platform server, a reverse proxy server, a virtual machine management platform server, and a plurality of virtual machines created by the virtual machine management platform that run challenge environments. The online competition platform server, the reverse proxy server, the virtual machine management platform server and the online environment virtual machines communicate through an intranet.
The online competition platform server is provided with an environment generation module and an environment recovery module. The environment generation module issues an instruction to generate a challenge environment to the virtual machine management platform server according to a user's request for an online-environment challenge, notifies the reverse proxy server to configure a proxy port, and, once the environment and the port are ready, splices the access address and returns it to the user. The environment recovery module notifies the virtual machine management platform server and the reverse proxy server to recover the environment according to a recovery instruction from the user, or when the environment otherwise needs to be recovered.
The virtual machine management platform server creates a virtual machine running the challenge environment according to the challenge configuration information. The reverse proxy server performs port proxying, so that a user can access the challenge environment virtual machine as a public network IP plus a port.
Preferably, the environment recovery module is provided with an environment running time monitoring unit, which judges whether the running time of the online environment has reached the set automatic recovery time in order to determine whether the challenge environment needs to be recovered automatically.
An online environment intelligent deployment method for a CTF online competition platform comprises an environment generation step and an environment recovery step. The environment generation step comprises:
(A1) when the online competition platform receives a user's request for an online-environment challenge, it issues an instruction to generate the challenge environment to the virtual machine management platform server;
(A2) after receiving the instruction, the virtual machine management platform server downloads the challenge information, calls the installation script according to the challenge configuration information to generate the challenge environment, and feeds back ready information to the online competition platform;
(A3) the online competition platform receives the information that the environment on the virtual machine management platform server is ready and notifies the reverse proxy server to configure a proxy port;
(A4) the reverse proxy server configures a proxy port and feeds the proxy port back to the online competition platform;
(A5) after receiving the proxy port, the online competition platform splices the access address and returns it to the user.
The environment recovery step comprises:
(B1) when the online competition platform receives an environment recovery instruction from a user, or itself finds that the environment needs to be recovered, it notifies the virtual machine management platform server to recover the challenge environment and notifies the reverse proxy server to recover the proxy port;
(B2) the virtual machine management platform server recovers the challenge environment, and the reverse proxy server recovers the proxy port.
Preferably, in the environment recovery step, the online competition platform determines whether the challenge environment needs to be recovered automatically by judging whether the running time of the online environment has reached the set automatic recovery time.
Preferably, the automatic recovery time may be extended according to a delay application issued by a user.
Advantageous effects: compared with the prior art, the method improves deployment efficiency through intelligent deployment, challenges can be freely reused, and the initial environment of each challenge is guaranteed to be clean and free of interference.
Drawings
Fig. 1 is a schematic diagram of an online environment intelligent deployment system according to an embodiment of the present invention.
Fig. 2 is a flow chart of a challenge environment generation and recovery method according to an embodiment of the present invention.
Detailed Description
The present invention is further illustrated by the following examples, which are intended to be purely exemplary and are not intended to limit the scope of the invention, as various equivalent modifications of the invention will occur to those skilled in the art upon reading the present disclosure and fall within the scope of the appended claims.
There are many types of CTF challenges, which can generally be divided into three types; the method mainly realizes real-time intelligent deployment of challenges of the online-environment type. As shown in Fig. 1, the online environment intelligent deployment system for a CTF online competition platform disclosed in the embodiment of the present invention mainly includes an online competition platform server, a reverse proxy server, a virtual machine management platform server, and a plurality of virtual machines created by the virtual machine management platform that run challenge environments. The reverse proxy server has a public network IP and is connected to the public network; the online competition platform server, the reverse proxy server, the virtual machine management platform server and the online environment virtual machines have intranet IPs and communicate through the intranet. The online competition platform server may either be configured with a public network IP of its own or reach the public network through the reverse proxy server.
The online competition platform server is provided with an environment generation module and an environment recovery module. The environment generation module issues an instruction to generate a challenge environment to the virtual machine management platform server according to a user's request for an online-environment challenge, notifies the reverse proxy server to configure a proxy port, and, once the environment and the port are ready, splices the access address and returns it to the user. The environment recovery module notifies the virtual machine management platform server and the reverse proxy server to recover the environment according to a recovery instruction from the user, or when the environment otherwise needs to be recovered.
The virtual machine management platform server creates a virtual machine running the challenge environment according to the challenge configuration information. The reverse proxy server performs port proxying, so that the challenge environment virtual machine is accessed as a public network IP plus a port.
In a specific application, an OpenStack virtual machine management platform and an Nginx reverse proxy server can be adopted. Compared with a traditional CTF online competition platform, the scheme of this embodiment mainly has the following characteristics:
1. Real-time environment deployment and intelligent recovery
The method can adopt the latest OpenStack virtualization scheme. When a user requests a challenge environment, a corresponding virtual machine template is dynamically instantiated in the background according to the user information and the challenge configuration (a challenge configuration file mainly comprises the challenge source files, the challenge installation script, a flag receiving script associated with the user information, a list of listening ports, and the like), the challenge's initialization installation script is called, and a brand-new independent environment is generated, completely avoiding the operational interference caused by different users accessing the same environment. The configuration information of the user and the environment is stored in a database, so the user can access their independent challenge environment at any time before it is recovered. In actual use it must also be considered that a user may forget to shut the environment down for various reasons, and a challenge environment left running for a long time inevitably affects the performance and experience of the service. An automatic recovery time for the environment is therefore designed, and the user can extend the survival time of the environment by applying for a delay online.
2. Isolation from the intranet when deploying a vulnerable environment
Because a challenge is preset with exploitable vulnerabilities, an attacker can easily compromise the challenge environment virtual machine. The network in which the virtual machine sits must therefore be completely isolated from other networks, so that even if an attacker compromises the challenge virtual machine, they still cannot break through the network-layer isolation and cannot affect the normal operation of the rest of the network.
3. Access to multiple environments with a limited number of public network IPs
In OpenStack, each DHCP-assigned address is an independent IP; if networks outside OpenStack are to reach a virtual machine, a floating IP must be configured together with a public network address (if the internal network is reachable, the floating address may be an internal network address). But because public network addresses are expensive and public network IPs are limited, an independent IP cannot be configured for every virtual machine. Instead, the ports that a challenge uses, as declared in its challenge configuration, are proxied: within the internal network, one Nginx virtual machine is configured with the public network address as a front-end virtual machine, and the challenge ports are proxied through it, so that different challenges are reached by accessing different ports of the front-end virtual machine. Depending on the number of public network IPs available, the online competition platform server (i.e. the OJ platform) may itself be exposed through the Nginx-Server as a reverse proxy.
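As an added example (not part of the patent text), the following Python sketch models the Nginx-Server side of feature 3: a pool of local ports on the front-end virtual machine, allocation of one public port per declared challenge port, refusal to expose any virtual machine port that is not in the challenge's listening-port list, and rendering of an Nginx `stream` block that forwards each public port to the virtual machine's intranet address. The public IP, the port pool and the virtual machine addresses are constructed placeholders; a real deployment would write the rendered block into the Nginx configuration and reload Nginx.

```python
from dataclasses import dataclass, field
import ipaddress

PUBLIC_IP = "203.0.113.10"       # constructed: public IP of the Nginx front-end VM
PORT_POOL = range(20000, 20010)  # constructed: local ports the front-end VM may listen on


@dataclass
class ProxyEntry:
    public_port: int
    vm_ip: str
    challenge_port: int


@dataclass
class ReverseProxy:
    """Stand-in for the Nginx-Server: allocates a free local port per challenge port
    and renders an nginx `stream` block (raw TCP forwarding, so any challenge protocol
    works, not just HTTP)."""
    pool: range = PORT_POOL
    entries: dict = field(default_factory=dict)  # public_port -> ProxyEntry

    def allocate(self, vm_ip: str, challenge_port: int, listen_ports: list) -> int:
        # Only ports declared in the challenge's listening-port list may be exposed;
        # every other port on the challenge VM stays reachable from the intranet only.
        if challenge_port not in listen_ports:
            raise ValueError(f"port {challenge_port} is not in the challenge's listening port list")
        ipaddress.ip_address(vm_ip)  # reject malformed addresses before they reach the config
        for port in self.pool:
            if port not in self.entries:
                self.entries[port] = ProxyEntry(port, vm_ip, challenge_port)
                return port
        raise RuntimeError("proxy port pool exhausted")

    def release(self, public_port: int) -> None:
        # Recovery of the proxy port: the port becomes available for the next environment.
        self.entries.pop(public_port, None)

    def render_nginx_stream(self) -> str:
        # One `server` block per proxied port; `listen` and `proxy_pass` are literal
        # directives of the Nginx stream module.
        lines = ["stream {"]
        for e in sorted(self.entries.values(), key=lambda e: e.public_port):
            lines += [
                "    server {",
                f"        listen {e.public_port};",
                f"        proxy_pass {e.vm_ip}:{e.challenge_port};",
                "    }",
            ]
        lines.append("}")
        return "\n".join(lines)


def expose_challenge(proxy: ReverseProxy, vm_ip: str, listen_ports: list) -> list:
    """Proxy side of steps 4 to 6: one public port per declared challenge port, returning
    the spliced access addresses that the OJ platform hands back to the user."""
    return [f"{PUBLIC_IP}:{proxy.allocate(vm_ip, p, listen_ports)}" for p in listen_ports]


if __name__ == "__main__":
    proxy = ReverseProxy()
    print(expose_challenge(proxy, "10.0.0.5", [80, 2222]))  # constructed intranet VM address
    print(proxy.render_nginx_stream())
```

The listening-port check is the point of the example: the proxy is the only path from the public network into the challenge network, so whatever is not in the configured port list is never forwarded, and releasing a port on recovery keeps the small pool from being exhausted by abandoned environments.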
As shown in Fig. 2, the online environment intelligent deployment method for a CTF online competition platform disclosed in the embodiment of the present invention mainly includes:
1. The user issues an instruction to generate the challenge environment through the OJ platform.
2. The OJ platform issues an instruction to generate the challenge environment to the OpenStack-Server.
3. The OpenStack-Server receives the instruction, downloads the corresponding challenge configuration as required by the instruction, calls the installation scripts in turn according to the challenge configuration to generate the challenge environment, and feeds back ready information to the OJ platform.
4. The OJ platform receives the ready information for the OpenStack-Server environment and, according to the listening port list configured for the challenge, notifies the Nginx-Server of the port information.
5. The Nginx-Server receives the ports that need to be proxied, reads a locally available port, configures the proxy information, and feeds the information back to the OJ platform.
6. The OJ platform receives the proxy port, splices the access address and returns it to the user.
7. After environment generation is complete, the user accesses the challenge online environment through the obtained access address.
The main steps of recovering the environment are as follows:
8. The user issues an environment recovery instruction through the OJ platform. The OJ platform may also initiate environment recovery actively, by judging from the environment survival time whether recovery is needed.
9. The OJ platform notifies the OpenStack-Server to recover the environment.
10. The OJ platform notifies the Nginx-Server to recover the proxy port.
After the environment has been recovered, if the user accesses the challenge again, the challenge environment is regenerated.
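The generation steps 1 to 7 and recovery steps 8 to 10 above (the same flow as steps A1 to A5 and B1 to B2 in the Disclosure of Invention), together with the automatic recovery time and delay application described under feature 1, can be exercised end to end with the following Python model. It is an added example, not the platform's own code: OpenStack and Nginx are replaced by small in-memory stand-ins, the user-to-environment table is a dictionary standing in for the database, and the default survival time and the maximum extension are assumed values.

```python
from dataclasses import dataclass
import itertools

AUTO_RECLAIM_SECONDS = 3600       # assumed default survival time of an environment
MAX_EXTENSION_SECONDS = 4 * 3600  # assumed cap on how far a delay application may push it


class FakeOpenStack:
    """Stand-in for the OpenStack-Server (the real one would call the OpenStack API).
    Creates one independent VM per request and runs the challenge's install script."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.running = {}  # vm_id -> challenge name

    def create(self, challenge):
        n = next(self._ids)
        vm_id = f"vm-{n}"
        self.running[vm_id] = challenge["name"]
        return vm_id, f"10.0.0.{n + 1}"  # constructed intranet address of the new VM

    def destroy(self, vm_id):
        self.running.pop(vm_id, None)


class FakeProxy:
    """Stand-in for the Nginx-Server: hands out public ports from a pool and reclaims them."""
    def __init__(self, public_ip, pool):
        self.public_ip, self.free, self.used = public_ip, list(pool), {}

    def add(self, vm_ip, port):
        public_port = self.free.pop(0)
        self.used[public_port] = (vm_ip, port)
        return public_port

    def remove(self, public_port):
        self.used.pop(public_port)
        self.free.append(public_port)


@dataclass
class Environment:
    user: str
    challenge: str
    vm_id: str
    public_ports: list
    expires_at: float


class OJPlatform:
    def __init__(self, openstack, proxy):
        self.openstack, self.proxy = openstack, proxy
        self.db = {}  # (user, challenge name) -> Environment; stands in for the DB table

    def request_environment(self, user, challenge, now):
        key = (user, challenge["name"])
        env = self.db.get(key)
        if env is not None:  # environment still alive: same user gets the same address back
            return self.access_address(env)
        vm_id, vm_ip = self.openstack.create(challenge)                        # steps 2-3
        ports = [self.proxy.add(vm_ip, p) for p in challenge["listen_ports"]]  # steps 4-5
        env = Environment(user, challenge["name"], vm_id, ports, now + AUTO_RECLAIM_SECONDS)
        self.db[key] = env
        return self.access_address(env)                                         # step 6

    def access_address(self, env):
        return [f"{self.proxy.public_ip}:{p}" for p in env.public_ports]

    def reclaim(self, user, challenge_name):
        env = self.db.pop((user, challenge_name))   # step 8
        self.openstack.destroy(env.vm_id)           # step 9
        for p in env.public_ports:                  # step 10
            self.proxy.remove(p)

    def extend(self, user, challenge_name, seconds, now):
        # Delay application: push the automatic recovery time out, up to the assumed cap.
        env = self.db[(user, challenge_name)]
        env.expires_at = max(env.expires_at,
                             min(env.expires_at + seconds, now + MAX_EXTENSION_SECONDS))
        return env.expires_at

    def auto_reclaim(self, now):
        # Environment running time monitoring: recover every environment past its deadline.
        expired = [k for k, e in self.db.items() if now >= e.expires_at]
        for user, name in expired:
            self.reclaim(user, name)
        return expired
```

Two users requesting the same challenge get two virtual machines and two public ports, which is the independence the patent argues for; after recovery the same user's next request goes through the full generation flow again and may land on a different port, which is why the address is spliced and returned at request time rather than fixed per challenge.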
The embodiment of the invention uses the latest OpenStack virtualization technology to deploy challenge environments intelligently in real time, deploys an Nginx reverse proxy on the machine holding the limited public network addresses to provide access to the challenge environments, and configures an independent network for each challenge environment, thereby ensuring that each environment is reachable and isolated and that the security of the other assets is maintained.