Qualifiers | Building DEF CON CTF

This is part 3 of a series of posts about Building DEF CON Capture the Flag.

Quals, to me, is the most important part of DEF CON CTF: it’s the only game we make that most teams will have any interaction with, and for the teams that do qualify, it’s the best way to prepare them and give them an idea about what the finals are going to be like. We come to a consensus about dates in December, and try to have date announcements out on January 1. Yes, we opened quals registration on April 1 each year on purpose.

Picking April or May for qualifiers is important, for several reasons. In 2013, our first year running it, we only knew we were hosting by March, so we picked mid-June like previous organizers. This only gave us a month and a half for finals prep, which just felt like a panic. More importantly, this only gave players traveling from some countries six weeks to go through the US visa process.

Actually building qualifiers is a lot of work! Challenges are a whole post or series of posts on their own, but the important parts are brainstorming ideas for them, making sure they’re solvable by teams, and getting them running stably on infrastructure that will survive the game. Challenges need to be tested by someone coming in with a blank slate on it, and the challenge author needs to make something that can solve it reliably in production.

Estimating difficulty is hard work, so what we found works best is just guessing at an unlock order a few hours before the game starts, and scoring challenges based on how many times they’re solved.
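The solve-count scoring described above, sketched as an added example (not the organizers' scoreboard code). The point range, decay curve and tie-break rule are assumptions, and the solve log is constructed.

```python
from collections import defaultdict

# Assumed parameters (not from the post): a challenge starts at MAX_POINTS and
# decays toward MIN_POINTS, reaching it once DECAY further teams have solved it.
MAX_POINTS, MIN_POINTS, DECAY = 500, 50, 20


def challenge_value(solves):
    """Current value of a challenge solved by `solves` distinct teams."""
    n = max(0, min(solves - 1, DECAY))
    # Integer-only quadratic decay, so there is no float rounding to argue about.
    return MAX_POINTS - (MAX_POINTS - MIN_POINTS) * n * n // (DECAY * DECAY)


def scoreboard(solve_log):
    """Rank teams from (timestamp, team, challenge) rows of accepted flags.

    Points are never stored at submission time: every call re-prices each
    challenge from its current solve count, so early solvers lose points as
    a challenge turns out to be easy. Ties go to the earlier last solve.
    """
    solvers = defaultdict(dict)  # challenge -> {team: first solve time}
    for ts, team, chal in sorted(solve_log):
        solvers[chal].setdefault(team, ts)  # repeat submissions count once
    score, last = defaultdict(int), defaultdict(int)
    for chal, teams in solvers.items():
        value = challenge_value(len(teams))
        for team, ts in teams.items():
            score[team] += value
            last[team] = max(last[team], ts)
    return sorted(score.items(), key=lambda kv: (-kv[1], last[kv[0]]))


# Constructed solve log (team and challenge names are made up).
SAMPLE_LOG = [
    (100, "alpha", "baby-pwn"),
    (160, "bravo", "baby-pwn"),
    (170, "bravo", "baby-pwn"),    # duplicate submission, ignored
    (200, "charlie", "baby-pwn"),
    (300, "charlie", "hard-rev"),
    (350, "bravo", "mid-crypto"),
    (400, "alpha", "mid-crypto"),
]

if __name__ == "__main__":
    for team, points in scoreboard(SAMPLE_LOG):
        print(f"{points:5d}  {team}")
```

Because totals are recomputed from the solve log, no up-front difficulty estimate is needed: a challenge that turns out to be easy simply ends up worth less for everyone who solved it.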

Production operations for challenges is worth thinking about at development time. Challenges as stdio binaries that don’t save any state to disk between connections are good. We built runc images that would be launched by xinetd, and that consistently worked great.

The scoreboard isn’t terribly difficult. There are lots of Jeopardy-style CTF scoreboards available, and running a web application is a turnkey thing; just make sure the database gets backed up (we backed up hourly and before deploys). Let teams register during the competition and make a public scoreboard (for non-logged-in visitors) available and obvious. Lots of players don’t think to register until the game is actually on, and many players want a link to share how they’re doing with friends, family or coworkers.

We found a lot of value in being in the same place for qualifiers. In 2013 and 2014, we used an office a bunch of the team worked from. 2015 and 2016 we used somebody’s house (and didn’t even trash it). 2017 we rented a party house for the weekend, and it was mostly good. We spent a lot of time in the pool, nobody had to drive home on a heavy drinking night, and it was a great time! Unfortunately, the internet was slow and LTE was jank, but we worked around that.

Qualifiers isn’t an easy game to run per se, but it’s very rewarding, and the lack of constraints for preparation meant that it was usually a pretty smooth experience for us.

Coming Soon:

  • Building Finals

Thanks Matthew Pancia for proofreading and reviewing.