CTF site

Organising a CTF

I was recently asked some general questions about what it is like to organize a CTF contest. The questions are quoted unedited and typeset bold; my answers are typeset in a normal font (i.e., unbold). If something's unclear or missing, feel free to send me an email.

What do you think the hardest thing in doing your own CTF?

That depends on a lot of things. If you have

  • a) support from your university/company;
  • b) sufficient hardware and bandwidth;
  • c) motivated and skilled people willing to help with the organisation

you are in a good position to organise a CTF, and will be able to concentrate on important things. Usually, at most two of these three criteria are met.

What kind of problems new organizers of CTF should be aware of or expect to happen?

In my case, service authors often didn't meet their deadlines. When they did, they had sometimes produced useless code (hence my texts about writing CTF services and writing good CTF services - every mistake I've described there has actually been made).

CTFs hosted at universities are a lot easier to do than CTFs hosted at conferences. Usually, the conference organisers do not understand hosting a CTF requires a lot of resources, and a dedicated room for the CTF organisers to concentrate and think. The one notable exception was Hacking at Random.

Also, during the CTF, things may go wrong, and you'll have to deal with ~20-30 teams, while trying to isolate and fix the problem.

Somethimes there's a lot of politics involved. That distracts you from the organisation.

What kind of hardware and software did you use? Any commercial products?

Ordinary consumer hardware, mostly x86 compatible stuff or the 64 bit counterparts. Routing was done also on normal consumer hardware.

As for software, there's openvpn, which is used for managing the network. The gameserver that manages the game is available on this website. However, if I had to implement the gameserver again, there'd probably be a lot of erlang involved. Erlang just plain rocks.

How complex was your overall technical setup?

The network setup is quite complicated because we did SNAT so as to prevent certain kinds of cheating. SNAT is not particularly hard to do if you know how to do it. The same holds for getting openvpn to enforce subnets. Finding someone capable of setting these things up proved to be pretty hard.

The most complicated setup we did so far was at the 25th Chaos Communication Congress, where remote teams connected via openvpn, while local teams were assigned vlans in the building. Vlans were assigned and routed on the fly, whenever a team decided to join. We had to pay extra special attention to the network setup there, so as not to disturb the whole conference network.

How fast was your network speed? What was an approximate network load and how much bandwidth was used during competition?

100MBit was the bandwidth used on our side - for most of the time, much less is required, but it can save you from DoS-attacks (intentional or otherwise). Of course, Gigabit is even better if you expect DoS-attacks, which has been available once only in our case, however.

This may sound strange; we never had time to do detailed analysis on this unarguably very interesting topic. (And never quite the hardware capable of logging all traffic between teams* in a reliable way (reliable as in "the router must. not. die.")) I sincerely regret this and hope that in the future we will find a way to remedy this situation.

* The traffic we're talking about here is strictly related to the gameplay; i.e., you can see which team did which attack/which cheat at which time. Teams do not converse/exchange private data over the CTF network.

How many people worked on Capture the Flag (organization, services & task preparation etc.)

The core orga team consists of 1-2 people, then there's the service authors. Usually, you have one person per service.

What was you major item of expenses (organization, software, hardware, people, other) ?


Approximate cost of your CTF (if possible).

Many hours spent organizing the CTF. Aside from that, hardware costs (high grade consumer hardware), power consumtion (reasonably low) and network access (quite expensive) (usually paid for by the sponsoring university or conference)

How many companies are willing to actively participate as sponsors? Is it easy to find them?

I have never looked for any commercial sponsoring. That doesn't mean I am against commercial sponsoring; there just has never been any time left to deal with it.

Feel free to write something else that you think is important.

I will have to smoke some three pipes over that one. :)