OS X Hacker Challenge is over

In response to this ZDNet article claiming that OS X was ‘hacked under 30 minutes’, Dave Schroeder set up another challenge. 38 hours up. Challenge over. No winner! The problem with the first challenge was they gave out local user accounts to participants (duh!).

• The response has been very strong, and the test has illustrated its point.
• Traffic to the host spiked at over 30 Mbps.
• Most of the traffic, aside from casual web visitors, was web exploit scripts, ssh dictionary attacks, and scanning tools such as Nessus.
• The machine was under intermittent DoS attack. During the two brief periods of denial of service, the host remained up.
• The test machine was a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, had two local accounts, and had ssh and http open with their default configurations.

• There were no successful access attempts during the 38 hour duration of the test period.

Some snippets from today (7 March 2006):

• The site received almost a half a million requests via the web.
• There were over 4000 login attempts via ssh.
• The ipfw log grew at 40MB/hour and contains 6 million events logged.

• More test results and information will be published here at a future date.