1/31

💀

HOPE XVI NOC

We Saw What You Did There

The Network Remembers Everything

August 15-17, 2025

"Trust us, we're professionals" 😏

* Statistics and accuracy of data may be questionable given AI may or may not have been involved in the production of this presentation

2/31

Our "Mission"

🕵️

Providing open, fast, and watched network connectivity

FortiGate in Monitor Mode =
WE SEE YOUR SINS BUT LET THEM HAPPEN

"Your packets are our entertainment" 🍿

3/31

The Real Numbers That Matter

1,699 Devices Connected

104 Countries Connected

200+ Unique ASNs

847 Network Anomalies

4/31

Traffic "Statistics" 📊

2.54 TB

Total Data Transferred (Final Count)

604 GB Internal + 1.94 TB External

Top Traffic Destinations:

Google: 292 GB | Fastly: 159 GB | Apple: 131 GB
Tzulo: 117 GB | Amazon: 114 GB | Cloudflare: 93 GB

3.7 BILLION packets processed 🤯

5/31

Comparing usage at HOPE XVI to DEFCON 33

DEFCON 33 4 days 1 Gbps pipe 13.9 TB total 12K devices

HOPE XVI 3 days 10 Gbps pipe 2.54 TB 1.6K devices

Data per device: 1.6 GB @ HOPE vs 1.2 GB @ DEFCON

8x fewer devices, 1 less day, but MORE consumption per device and 10x the available bandwidth 💪

6/31

The Packet Sniffers

Alex

Chief Packet Wrangler

James

Datacenter Guru

Jesse

BGP Whisperer

+ many volunteers crimping cables, only 2 gave up

Hiding in Tobin 211 (We had FBI sandwiches, donuts, shot glasses & swag waiting for you!)

7/31

The "Secure" Infrastructure

SSID: HOPE16 (aka "HoneyPot16")
Password: hope2025 (cracked in 0.3 seconds)
Security: WPA2-PSK (it's 2025, where's WPA3?)
Core Switch: May have randomly started clicking and throwing errors after a power reset
Security: FortiGate in Monitor Mode 👀
DNS: 172.31.0.10 (definitely not logging queries 😉)

Fun fact: 14 people tried to ARP poison us. Nice try!

8/31

Network Architecture

🐱

I CAN HAZ
INTERNETZ?

10 Gbps of pure, unfiltered connectivity

9/31

The Actual Hardware Stack

Plus painters tape across the ENTIRE campus. No, we're not apologizing.

Don't worry, we're crimping better cables for next year.

10/31

The Nerdy Details You Actually Care About

Uplink: 10 Gbps Cat6A
(We maxed out at 1.2 Gbps)

Core Switch: Cisco 3560-CX
(Started clicking & alarming after UPS outage)

FortiGate 90G:
• Monitor Mode ONLY
• 4.5 Gbps of watching
• 0 Gbps of blocking
"Not saving you from yourselves"

Coverage:
• All campus APs
• Dorms (yes, all of them)
• Wired in Cafeteria & workshops

Monitoring:
• NetFlow analysis
• FortiMonitor
• Our eyeballs 24/7

"Backup":
• UPS (root cause of only outage 🤡)
• Out-of-band via Eero
• Prayer & caffeine

11/31

🤖 The Dashboard Automation Nobody Asked About

How We Kept Stats "Real-Time":

FortiGate Automation Triggers → Webhook to PHP every hour
Auto-parsed: DHCP leases, bandwidth, threats (not blocked)
Monitor Mode: Counted your attacks, didn't stop them
43 unique visitors but many kept refreshing for updates!

🎯 The Technical Flex:

FortiGate → webhook.php → parse data → update JSON → AJAX polls → live charts

Built in 3 hours with Claude AI because who needs sleep? ☕

Hourly updates for 3 days straight | People actually F5'd for traffic stats!

12/31

🚨 Hall of Shame 🚨

⚠️ Y'all Need Something (and a Firewall) ⚠️

🇨🇳 47 devices beaconing to China every 30 seconds
🦠 Tsyndicate hijacker on 172.31.3.218 - if this is your IP, seriously do something about it
🔐 12 people using "password123" for SSH
🤖 Multiple bot infections phoning home constantly
🔍 14 people tried to ARP poison the network

Check your systems. Seriously. You're owned.

13/31

🏆 Hostname Hall of Fame

• Dees-Nuts (welcome back, legend)
• DontWorryAboutIt (we're worried)
• badb0x (l33t h4x0r?)
• ZoneofDestruction (subtle)
• devnull (where packets go to die)
• skiv (minimalist)
• workshop-ayayay (workshop enthusiast!)
• The-Spicy-Pickle (🌶️🥒)
• kungfoo24u (24/7 martial arts?)
• Tourniquet (stop the bleeding)

• mrcrypt (definitely ransomware)
• BEEFTYFOUR (0xBEEF + 54?)
• anonymous (expect us)
• megaframe (big packets only)
• Surveillance-Drone (not suspicious at all)
• holyhandgrenade (count to 3!)
• proof-through-the-night (patriotic hacker)
• Flesh-Eater-2 (what happened to 1?!)
• NSA0192BO (totally not a fed)

🎭 Peak hostname creativity - You magnificent weirdos!

14/31

Awkward Truths

We built a fancy dashboard...

Only 43 people visited

Meanwhile, 1,374 tried to hack it 🤦

Pro tip: It's literally just PHP. Save your 0days.

14/31

🧟 Potentially Unwanted Apps Detected

Viruses Downloaded: 0 (but we're not decrypting TLS, so... 🤷)

🥇 TSyndicate.com - 5 hits on 172.31.3.218
🥈 Sqoutout.com - 2 hits on 172.31.4.69 (nice)
🥉 Optvz.com - 1 hit on 172.31.3.218 (same guy!)
🏆 Clinch.co - 1 hit on 172.31.1.172

172.31.3.218 wins the "Most Infected" award with 6 PUAs! 🏆

15/31

🔐 How You Bypassed Our "Monitoring"

Smart hackers using VPNs to hide from us:

42% Mullvad VPN

22% Apple Private Relay

9% Private Internet Access

7% Google One VPN

ProtonVPN (4%), SurfShark (3%), NordVPN (2%), IVPN (1%)
Others using WireGuard, OpenVPN, DoH: 10%

We respect the paranoia. This is the way.

16/31

⚠️ Export Control Countries Alert ⚠️

Someone's definitely on a list now...

🇨🇳 China: 670 MB (mostly callbacks, totally normal)
🇷🇺 Russia: 269 MB ("security research")
🇸🇦 Saudi Arabia: 351 MB
🇦🇪 UAE: 245 MB
🇵🇰 Pakistan: 133 MB
🇻🇪 Venezuela: 47 MB
🇮🇷 Iran: 20 MB (brave)
🇦🇫 Afghanistan: 723 KB (barely holding on)

NSA has entered the chat 👀

17/31

🚨 Bulletproof Hosting & Suspicious ASNs

308 GB to sketchy providers!

🔴 CRITICAL (You're probably compromised):

THE-HOSTING (AS44477): 2.46 GB - Known bulletproof
NFORCE (AS43350): 1.17 GB - CSAM/Attack host

🟡 HIGH RISK:

TZULO: 113 GB - VPN/Spam haven
MEGA: 18 GB - Ransomware infrastructure
M247: 16 GB - Abuse reports galore

If you connected to these, your box is probably a bot now 🤖

18/31

🔥 847 Network Anomalies

712 UDP Floods

187 WireGuard floods from .141

156 NFS floods from .190

47 ICMP Sweeps

Top Offenders:
🥇 172.31.2.141 - WireGuard psycho (133K packets)
🥈 172.31.1.190 - NFS abuser
🥉 172.31.4.160 - ICMP scanner

10.36 GB of Kerberos traffic? 10.07 GB of ICMP? Y'all wild.

19/31

📢 "External Complaints" (aka Drama)

🤔 UNVERIFIED REPORT

"Someone said we attacked DNS servers"
Our response: "PCAPs or it didn't happen"

Investigation Result:
No evidence found. Probably a false flag. 🙄

We monitored everything. If we did it, we'd know.

"But seriously, stop attacking DNS servers, whoever you are."

20/31

Global "Connectivity" 🌍

🌍

104 Countries Connected

200+ Unique ASNs Reached

From NYC Mesh to Netherlands

21/31

🔮 What Your Traffic Revealed 🔮

🌈 32% still using unencrypted HTTP in 2025
🔓 14 people logging into banks on public WiFi
📞 Someone still uses IRC (respect!)
🤖 3 failed attempts to download "TotallyNotMalware.exe"
🐛 1 person debugging prod with console.log() over HTTP
🎮 5 people playing Doom (the eternal constant)

Remember: TLS is not optional, it's 2025 FFS

22/31

💕 What Hackers Really Care About

Dating Apps:

🥇 Tinder - 50% 📉
🥈 Scruff - 50% 📈

*Perfectly balanced, as all things should be

After Dark:

1. EPorner - 28%
2. FetLife - 25% 📈
3. xHamster - 6%
4. TTCache - 6%
5. FlixCDN - 4%
6. PornHub CDN - 3%
7. BoyfriendTV - 3%
8. Sniffies - 2% 📈

🔥 Hackers: Passionate about security AND insecurity 🔥

23/31

🐷 Bandwidth Hall of Fame

The Data Gluttons of HOPE XVI

🥇 CHAMPION:
172.31.1.149
103 GB
120M packets 📦

🥈 Runner-up:
172.31.2.80
84 GB
71M packets 📦

🥉 Third Place:
172.31.5.222
67 GB
56M packets 📦

4th: 172.31.1.90 - 64 GB
5th: 172.31.7.77 - 56 GB
6th: 172.31.1.27 - 55 GB
7th: 172.31.2.47 - 53 GB
8th: 172.31.1.68 - 47 GB

172.31.1.149: 103 GB?! Were you torrenting the entire Library of Congress? 📚

24/31

Services We "Provided" 😏

✅ High-Speed WiFi (when it worked)
✅ Full IPv4 Support (IPv6 is a myth)
✅ DNS Resolution (to wherever we wanted)
👀 FortiGate Monitor Mode (see evil, allow evil)
🤷 Zero Protection Policy (you're on your own)
📊 Traffic Analytics (for our amusement)
🎮 24/7 Entertainment from Your Packets

25/31

Stuff That Went Wrong (But We Fixed)

1,699 Devices Fighting for IPs

847 "Is this normal?" moments

10min UPS-induced outage 🤡

2 Volunteers quit cable crimping

∞ Coffees Consumed

0 F***s given about IPv6

"Have you tried turning it off and on again?" - The UPS did that for us

26/31

Securing the NOC (From You)

🔒 The NOC Was Protected By:

📹 24/7 Audio/Visual Surveillance
👮 St. John's Public Safety Team
🚪 Locked Doors (Revolutionary!)
☕ Strategic coffee defense

⚠️ Multiple after-hours "visitors" detected

Nice try, but we saw you 📸
(Evidence attached →)

Exhibit A: "Just checking if it's open"

27/31

Network Bandwidth Usage 📊

Wireless (HOPE16)

Peak: 1.2 Gbps

📥 Inbound 📤 Outbound

Wired Network

Peak: 970 Mbps

📥 13.67 Mbps 📤 679 kbps

🎢 Classic conference pattern: Dead → Chaos → Party → Hangover → Ghost town

28/31

Special Thanks to Our Heroes 🏆

🎓 ST. JOHN'S UNIVERSITY 🎓

IT Team & Public Safety

You are the REAL MVPs! Without you, none of this would be possible.

Fortinet

Axcelx

St. John's IT: For the bandwidth, patience, and blind trust
St. John's Public Safety: For protecting us from ourselves
Your support made this chaos possible! ❤️

29/31

What We Actually Accomplished

🎯 99.83% Uptime (10min down out of 100 hours)
📊 Moved 2.54 TB through 3.7 billion packets
🇨🇳 Built a bridge to Beijing (unintentionally)
📡 Became an unwitting C2 relay station
🎆 Discovered many of you need security training
😂 Had way too much fun reading your packets
🤝 Made friends with Tsyndicate (not by choice)

30/31

Network will self-destruct after this message

🔥

Seriously though, CHECK YOUR SYSTEMS

grep -r "Tsyndicate" ~/

Come help us tear down at Tobin 211 after this!
(We still have donuts, shot glasses, and swag!)

Stay paranoid, friends! 👾

- NOC Team: Alex, James & Jesse
P.S. - Change your passwords. All of them. Now.

ENCRYPTED ENCRYPTED ENCRYPTED ENCRYPTED ENCRYPTED ENCRYPTED ENCRYPTED

YOUR FILES ARE GONE YOUR FILES ARE GONE YOUR FILES ARE GONE YOUR FILES ARE GONE

NO ESCAPE NO ESCAPE NO ESCAPE NO ESCAPE NO ESCAPE NO ESCAPE NO ESCAPE

WE SEE EVERYTHING WE SEE EVERYTHING WE SEE EVERYTHING WE SEE EVERYTHING

172.31.3.218 INFECTED 172.31.3.218 INFECTED 172.31.3.218 INFECTED

TSYNDICATE TSYNDICATE TSYNDICATE TSYNDICATE TSYNDICATE TSYNDICATE

☠️

SYSTEM COMPROMISED

ALL YOUR NETWORKS ARE BELONG TO US

🔒 YOUR DATA HAS BEEN ENCRYPTED 🔒

2.54 TB EXFILTRATED | 1,699 DEVICES PWNED | 847 VULNERABILITIES EXPLOITED

⚠️ DO NOT ATTEMPT TO RECOVER ⚠️

DO NOT SHUT DOWN YOUR COMPUTER

DO NOT CALL LAW ENFORCEMENT

DO NOT TRY TO DECRYPT FILES

TO DECRYPT YOUR NETWORK:

1. IMPLEMENT IPv6 WITHIN 24 HOURS
2. REMOVE ALL WINDOWS XP MACHINES
3. STOP USING TELNET IMMEDIATELY
4. RUN: grep -r "Tsyndicate" / --now

TIME REMAINING: 23:59:59

HOPE XVI NOC :: TERMINATED