How to run a CTF that survives the first 5 minutes

THE INFRASTRUCTURE CHALLENGE

  1. CTF Hosting Platform (CTFd)
  2. Challenge Servers
  3. Cloud Based Challenges
  • The CTF Platform CTFd was hosted on App Engine (epic)
  • The challenges were hosted on a Kubernetes cluster with 3 nodes, with each challenge created as a DaemonSet 👿 so we would have 3x replicas, routed by HAProxy with IP pinning enabled so we could kinda have stateful challenges 🐵.
  • Cloud Challenges hosted on Cloud (wow nice, could have guessed that one ✅)
DUCTF 2020 Players be like

TRULY SCALABLE CTF CHALLENGE INFRASTRUCTURE

⚡TIME TO GET TECHNICAL⚡

Routing to Challenges:

Time to Scale!

  • Isolated Pre-emptive Node Pool
  • Isolated Standard Node Pool
  • Pre-emptive Node Pool
  • Standard Node Pool
big brain 🧠
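
As an added example (not DUCTF's own manifests), this is what one challenge looks like when it is deployed the way the DaemonSet bullet and the node pool list above describe: one pod per node on a dedicated pre-emptive pool, so a 3-node pool gives the 3x replicas, with the container locked down so a solved challenge does not become a foothold on the node. The pool label and taint (`pool=preemptible`), the namespace, the image name and the port are assumptions chosen for the example.

```yaml
# Added example, not DUCTF's own manifest. Assumes the pre-emptive node pool
# is labelled pool=preemptible and tainted pool=preemptible:NoSchedule so
# nothing else lands on it; the image is a placeholder.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: chal1
  namespace: challenges
  labels:
    app: chal1
spec:
  selector:
    matchLabels:
      app: chal1
  template:
    metadata:
      labels:
        app: chal1
    spec:
      # Pin to the pre-emptive pool: the selector picks the pool, the
      # toleration lets the pod past the pool's taint.
      nodeSelector:
        pool: preemptible
      tolerations:
        - key: pool
          operator: Equal
          value: preemptible
          effect: NoSchedule
      # A challenge container never needs to talk to the Kubernetes API.
      automountServiceAccountToken: false
      containers:
        - name: chal1
          image: registry.example/challenges/chal1:v1
          ports:
            - containerPort: 1337
          # Limits keep one team's fork bomb from taking the whole node down.
          resources:
            requests: {cpu: 100m, memory: 128Mi}
            limits: {cpu: 500m, memory: 256Mi}
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
---
# One stable address for the three replicas; the external proxy points here.
apiVersion: v1
kind: Service
metadata:
  name: chal1
  namespace: challenges
spec:
  type: NodePort
  selector:
    app: chal1
  ports:
    - port: 1337
      targetPort: 1337
```

The "kinda stateful" part lives in front of this Service rather than in it: an HAProxy backend with a `stick-table type ip` and `stick on src` sends a given source IP back to the same replica, which is what IP pinning means in the bullet above. Note that this is only as stateful as the player's source IP is stable, so teams behind a changing NAT will occasionally hop replicas.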

ISOLATED CHALLENGES

From HackTheBox.eu

The Challenge Manager

  • GET — Finds the relevant deployment of a challenge for a team and returns the details
  • CREATE — Creates a new Deployment for a team
  • DELETE — uhhhhhhhhhhhhh, surely you can get this 😉
Isolated Challenge Setup
500 isolated challenge containers (30 shown) during load test
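
As an added example (not the DUCTF challenge manager's own output), this is the kind of object the manager's CREATE call would have to produce for one team, and how GET and DELETE can then find it again: every per-team instance carries `challenge` and `team` labels, so the manager never has to remember names, it just selects on labels. The isolated pool label (`pool=isolated`), the namespace, the team id `team-1234`, the image and the ingress proxy label are all assumptions for the example; the NetworkPolicy only has an effect on a cluster whose network plugin enforces policies.

```yaml
# Added example, not the DUCTF manager's output. Labels challenge=<name> and
# team=<team id> are the lookup key; team-1234 and the image are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: chal2-team-1234
  namespace: isolated
  labels:
    challenge: chal2
    team: team-1234
spec:
  replicas: 1
  selector:
    matchLabels:
      challenge: chal2
      team: team-1234
  template:
    metadata:
      labels:
        challenge: chal2
        team: team-1234
    spec:
      # Isolated instances get their own pool (assumed label/taint pool=isolated).
      nodeSelector:
        pool: isolated
      tolerations:
        - key: pool
          operator: Equal
          value: isolated
          effect: NoSchedule
      automountServiceAccountToken: false
      containers:
        - name: chal2
          image: registry.example/challenges/chal2:v1
          ports:
            - containerPort: 8080
          resources:
            limits: {cpu: 500m, memory: 256Mi}
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
---
# Isolation in the network sense: only the ingress proxy may reach this
# team's pod, and the pod may reach nothing in the cluster except DNS, so a
# compromised instance cannot poke at another team's instance or the manager.
# Assumes proxy pods labelled app=ingress-proxy in namespace "ingress" and a
# cluster that sets the automatic kubernetes.io/metadata.name namespace label.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: chal2-team-1234
  namespace: isolated
spec:
  podSelector:
    matchLabels:
      challenge: chal2
      team: team-1234
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress
          podSelector:
            matchLabels:
              app: ingress-proxy
      ports:
        - port: 8080
  egress:
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
```

With the labels in place, the manager's GET is a label-selector lookup (`kubectl get deploy -n isolated -l challenge=chal2,team=team-1234` shows the same query by hand) and DELETE removes the Deployment and NetworkPolicy matched by the same selector, which is also what makes a 500-container load test easy to clean up afterwards.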

SO INFRA WAS PERFECT?

HEADPHONE WARNING ❗❗❗ Credit: dLAN
Individual Node Usage throughout the event, can you tell when people were dirbustin’

IMPROVEMENT NOTES

  • Create an Automated CI/CD Pipeline for challenges and CTFd (no more testing in Prod)
  • Have a test instance of CTFd running to verify any changes we make before we push them to prod.
  • Increase DDOS and Dirbuster protection, we had some players scanning the infrastructure who were promptly banned, but we would like to automate this.
  • Have automated solve script health checks on each challenge which run periodically so we can verify each challenge is working and alert us if it isn't
  • Consider alternatives for the CTF platform other than CTFd like rCTF.
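
One way to get the periodic solve-script health checks from the list above, as an added example rather than anything DUCTF ran: a Kubernetes CronJob that runs the challenge's own solve script against the public endpoint every few minutes and fails the Job unless the script recovers the expected flag. The solver image, its `solve.py` entrypoint, the hostname `chal1.ctf.example`, the `monitoring` namespace and the `chal1-flag` Secret are all assumptions for the example.

```yaml
# Added example, not DUCTF's own tooling. Assumes a per-challenge solver image
# whose ./solve.py HOST PORT prints the recovered flag, and a Secret chal1-flag
# with key "flag" holding the expected value; names are placeholders.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: chal1-healthcheck
  namespace: monitoring
spec:
  schedule: "*/5 * * * *"
  concurrencyPolicy: Forbid      # never stack overlapping checks against the same challenge
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 5      # keep recent failures around for their logs
  jobTemplate:
    spec:
      backoffLimit: 0            # one attempt per run; a failure must surface, not be retried away
      activeDeadlineSeconds: 120 # a hung challenge counts as a failure, not a stuck Job
      template:
        spec:
          restartPolicy: Never
          automountServiceAccountToken: false
          containers:
            - name: solver
              image: registry.example/solvers/chal1:v1
              env:
                - name: HOST
                  value: chal1.ctf.example
                - name: PORT
                  value: "1337"
                - name: EXPECTED_FLAG
                  valueFrom:
                    secretKeyRef:
                      name: chal1-flag
                      key: flag
              command: ["sh", "-c"]
              args:
                - |
                  # Exit non-zero if the solver fails or returns the wrong flag,
                  # so the Job is marked Failed and can be alerted on.
                  got="$(./solve.py "$HOST" "$PORT")" || exit 1
                  [ "$got" = "$EXPECTED_FLAG" ] || { echo "wrong flag: $got"; exit 1; }
                  echo "chal1 healthy"
```

Because the check goes through the public endpoint, it exercises the proxy, the Service and the container together, which is the path players actually use. Alerting then hangs off Job status rather than the script: kube-state-metrics exposes failed Jobs as the `kube_job_failed` metric, so a Prometheus rule on that metric for this namespace pages the infra team without the solver needing to know anything about alerting.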

CLOSING THOUGHTS

Sam Calamos

I write a yearly blog about DUCTF and then pretend that I will write more throughout the year.