How to host a CTF event | VULNCON 2020 CTF | International CTF Infrastructure Management

Host CTF for Free

VULNCON 2020 CTF Home Page
vulncon 2020 challenge page

Top Teams

What is a CTF?

A CTF is a hacking competition. The participants compete for the highest score, by hacking intentionally vulnerable apps. It’s a great deal of fun competing, but how does one host a CTF? This is the story of how I’ve been doing it.

Creating the CTF Event

Having previously created CTF events, I consider myself to be adept at what it takes to host an effective event. CTF contests can help train participants by teaching them to think like a bad actor. The premise is that people retain the most knowledge by doing rather than listening. As a result, when competitors approach challenges with malicious intent, they are much more aware of what they need to consider in their own applications.


  • Stats
  • Platform Infrastructure
  • CTFd Setup
  • Issues We faced
  • Detailed insights of server Status
  • User Feedback of CTF
  • Conclusion


User statistics

Statistics by Cloudflare

Web traffic by Cloudflare
Unique visitors
Top countries

Platform Infrastructure

We mainly used Google Cloud services. There was no special reason for this choice, but I was more familiar with GCP and every member of our team had $300 of free Google Cloud credits (xD). To be on the safe side, we also took sponsorship from Google Cloud.


  • Ubuntu Server 18.04 LTS with 12 cores and 16 GB RAM for the CTFd instance (Location: Singapore, Asia).
  • Ubuntu Server 18.04 LTS with 2 cores and 8 GB RAM as a backup of CTFd in case of any downtime. (Glad to say that there was no downtime of CTFd during the CTF.)
  • 3 × Ubuntu Server 20.04 LTS with 2 cores and 2 GB RAM for easy PWN challenges (Region: Europe).
  • 2 × Ubuntu Server 20.04 LTS with 4 cores and 2 GB RAM for PWN challenges that require high CPU and involve brute-forcing (Region: Europe).
  • 6 × Ubuntu Server 20.04 LTS with 2 cores and 2 GB RAM for web challenges (Region: Asia). (We created separate instances for web challenges.)
web challenge instances
pwn challenge instances

Platform we used

For VULNCON 2020 we used CTFd, the most popular CTF framework. It is an open-source platform used by many CTF events and is available on GitHub as a container-based application. It’s easy to use and has a feature-rich admin panel that shows useful statistics during the CTF and lets you perform common user/team management tasks.

CTFd Setup on your Server

There are three ways to deploy CTFd to host a CTF:

  1. You can clone the CTFd repo and install all the dependencies manually using pip. After that you configure the MySQL and Redis databases manually, which is a tedious task.
  2. You can use the docker-compose.yml file in the CTFd repo to conveniently deploy each component on your server in separate containers.

Some extra tips to configure CTFd:

  • Rate-limit requests on the server to mitigate flag brute-force or DDoS attacks.
  • Use a firewall to allow connections only on some ports.
  • Log requests correctly so that illegitimate activity can be traced back (very useful for tracking user activity).

Setting up rate limit, Nginx and Firewall

Nginx is a reverse proxy server, i.e. its job is to accept incoming connections to your server and route them to another server running on the machine. We will be setting up Nginx and configuring it to do the following things:

  1. If you’re using Cloudflare, we’ll also reconfigure Nginx to correctly log the original user’s IP address, instead of logging only Cloudflare IPs in Nginx logs.
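    # Both zones are keyed on the CF-Connecting-IP request header, which carries
    # the visitor address when traffic arrives through Cloudflare. The header is
    # only trustworthy if the origin accepts traffic from Cloudflare alone, and
    # nginx does not account requests whose key is empty.
    limit_req_zone  $http_cf_connecting_ip zone=mylimit:10m rate=10r/s;
    limit_conn_zone $http_cf_connecting_ip zone=addr:10m;

    server {
        limit_req zone=mylimit burst=15;   # 10 requests/s per key, bursts of up to 15
        limit_conn addr 10;                # at most 10 concurrent connections per key
        limit_req_status 429;              # answer limited requests with 429
        client_max_body_size 8M;

        location / {
            proxy_pass http://localhost:8000;   # CTFd behind the proxy
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }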
Rate Limit
Rate Limit is implemented Properly
Users IP


I used Cloudflare as our DNS manager, CDN and for DDoS protection. Moreover, it’s free!
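One way to act on the logging tip and the 429 rate-limit status configured above is a small log triage script. This is an added example, not part of the original post or of CTFd. It assumes nginx's default "combined" log format with the visitor's real address in the first field and CTFd's flag-submission path `/api/v1/challenges/attempt`; the sample lines are constructed and the thresholds are arbitrary.

```python
import re
from collections import Counter

# Assumed CTFd flag-submission path; 429 is the limit_req_status from the config.
ATTEMPT_PATH = "/api/v1/challenges/attempt"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample, nginx "combined" format, documentation-range addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2021:16:00:01 +0530] "POST /api/v1/challenges/attempt HTTP/1.1" 200 64 "-" "-"
203.0.113.7 - - [01/Jan/2021:16:00:02 +0530] "POST /api/v1/challenges/attempt HTTP/1.1" 200 64 "-" "-"
203.0.113.7 - - [01/Jan/2021:16:00:03 +0530] "POST /api/v1/challenges/attempt HTTP/1.1" 200 64 "-" "-"
203.0.113.7 - - [01/Jan/2021:16:00:03 +0530] "POST /api/v1/challenges/attempt HTTP/1.1" 429 169 "-" "-"
203.0.113.7 - - [01/Jan/2021:16:00:04 +0530] "POST /api/v1/challenges/attempt HTTP/1.1" 429 169 "-" "-"
198.51.100.23 - - [01/Jan/2021:16:00:40 +0530] "POST /api/v1/challenges/attempt HTTP/1.1" 200 64 "-" "-"
198.51.100.23 - - [01/Jan/2021:16:01:05 +0530] "POST /api/v1/challenges/attempt HTTP/1.1" 200 64 "-" "-"
192.0.2.50 - - [01/Jan/2021:16:02:00 +0530] "GET /challenges HTTP/1.1" 429 169 "-" "-"
192.0.2.50 - - [01/Jan/2021:16:02:00 +0530] "GET /challenges HTTP/1.1" 429 169 "-" "-"
192.0.2.50 - - [01/Jan/2021:16:02:01 +0530] "GET /challenges HTTP/1.1" 429 169 "-" "-"
198.51.100.23 - - [01/Jan/2021:16:02:30 +0530] "-" 400 0 "-" "-"
"""

def triage(log_text, attempts_per_min=3, throttled_total=3):
    """Return ({ip: {"peak_attempts": n, "throttled": n}}, malformed_line_count)."""
    per_minute, throttled, malformed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            malformed += 1  # unparsed lines are counted, not silently dropped
            continue
        ip, minute = m["ip"], m["ts"][:17]  # e.g. "01/Jan/2021:16:00"
        if m["status"] == "429":
            throttled[ip] += 1
        if m["method"] == "POST" and m["path"].partition("?")[0] == ATTEMPT_PATH:
            per_minute[ip, minute] += 1
    peak = Counter()  # highest per-minute attempt count seen for each address
    for (ip, _minute), n in per_minute.items():
        peak[ip] = max(peak[ip], n)
    return {
        ip: {"peak_attempts": peak[ip], "throttled": throttled[ip]}
        for ip in set(peak) | set(throttled)
        if peak[ip] > attempts_per_min or throttled[ip] >= throttled_total
    }, malformed

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

If the first log field still shows Cloudflare's edge addresses instead of the visitor's, every count collapses onto a handful of proxy IPs and the result is meaningless.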


Mail Server

Now everything is set up, so it’s time to add email verification for users to prevent spam. I was too lazy to configure a mail server, so I used Mailgun, as it is very easy to set up. Just add the DNS records as they say and add the API key to CTFd. Done!

Issues we faced

All the quotas available in GCP were exhausted

Since we had opened registration a month earlier, I kept our main CTFd instance running with only 2 cores. Just a day before the CTF started, I tried to increase the cores to 12, but unfortunately I got an error saying “You’ve exceed maximum CPU limit.” At that point we could not ask Google to increase our quotas, as it takes them a week to verify everything. After I discussed the issue with Anas Jamal a.k.a. White_Wolf, he gave us a quick solution: create another project. In the new project, all the CPU limits were set to their defaults, and we got our 12 cores. This was a quick fix :)

Site was a bit slow at the start

When the CTF started, i.e. at 4 PM IST, we noticed a heavy load on our platform, which made the CTF a bit slow and produced 500 errors that lasted only 2–3 seconds. At the start I had set the gunicorn workers to 12, but 5 minutes into the CTF I realized that the problem was too few workers. So I increased the number to 20, and after that everything ran smoothly.

Some Detailed Insights of Server Status

CPU Usage Pattern of main CTFd Instance

CPU usage of CTFd
Main Instance of CTFd

CPU usage of SQL based web challenge

web graph
Web SQL based challenge

Insights of PWN challenges server

Easy Pwn Challenge Server
Requires Bruteforcing


We have received very positive feedback from Teams.



So this was an insight into how we used our resources to host a CTF on an international scale for free. I hope this article will help you choose the right resources and scale for your CTF. We liked the response we got to this year’s CTF, and we hope to get noticed by more teams for next year’s CTF.