How to host a CTF event | VULNCON 2020 CTF | International CTF Infrastructure Management

Host CTF for Free

VULNCON 2020 CTF Home Page
vulncon 2020 challenge page

Top Teams

What is a CTF?

Creating the CTF Event


  • Stats
  • Platform Infrastructure
  • CTFd Setup
  • Issues We faced
  • Detailed insights of server Status
  • User Feedback of CTF
  • Conclusion


user statics

Statistics by Cloudflare

web traffic by cloudflare
unique visitor
top countries

Platform Infrastructure


  • Ubuntu Server 18.04 LTS with 12 cores and 16 GB RAM for CTFd instance.(Location: Singapore, Asia)
  • Ubuntu Server 18.04 LTS with 2 cores and 8 GB RAM for back-up of CTFd in case of any down time.( Glad to say that there was no downtime of the CTFd during the CTF)
  • 3*Ubuntu Server 20.04 LTS with 2 core and 2GB RAM for easy PWN challenges (Region: Europe)
  • 2 *Ubuntu Server 20.04 LTS with 4 cores and 2GB RAM for PWN challenges which requires high CPU and includes Bruteforcing.(Region: Europe)
  • 6*Ubuntu Server 20.04 LTS with 2 cores and 2GB RAM for web challenges. (We created seperate instance for web challenges) (Region: Asia)
web challenge instances
pwn challenge instances

Platform we used

CTFd Setup on your Server

  1. Pay to the developers of CTFd and they will manage all the infrastructure related stuffs.
  2. You can clone the repo of CTFd and install all the dependencies manually using pip. After that configure the MySQL and Redis Database manually which is tendious task to do.
  3. You can use the docker-compose.yml file present on the CTFd repo to conveniently deploy each component on your server in separate containers.

Some extra tips to configure CTFd:

  • Rate limiting requests on the server, to mitigate flag brute-force or DDOS attacks.
  • A firewall to only allow connections on some ports.
  • Logging requests correctly to trace back illegitimate activity( Very usefull to track user activity)

Setting up rate limit, Nginx and Firewall

  1. We’ll set up rate limiting to limit both the no of requests per second to CTFd and also the maximum no of simultaneous connections from a single host to prevent DDOS or bruteforce.
  2. If you’re using Cloudflare, we’ll also reconfigure Nginx to correctly log the original user’s IP address, instead of logging only Cloudflare IPs in Nginx logs.
limit_req_zone  $http_cf_connecting_ip zone=mylimit:10m rate=10r/s;
limit_conn_zone $http_cf_connecting_ip zone=addr:10m;
server {
limit_req zone=mylimit burst=15;
limit_conn addr 10;
limit_req_status 429;
client_max_body_size 8M;
location / {
proxy_pass http://localhost:8000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
Rate Limit
Rate Limit is implemented Properly
Users IP



Mail Server

Issues we faced

All the quotas available in GCP were exhausted

Site was a bit slow at the starting

Some Detailed Insights of Server Status

cpu usage of CTfd
Main Instace of CTFd

CPU usage of SQL based web challenge

web graph
Web SQL based challenge

Insights of PWN challenges server

Easy Pwn Challenge Server
Requires Bruteforcing






Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store