Initial Thoughts
Before you think the title is misleading, this blog revolves around the Challenge infrastructure for ApoorvCTF 2025, the annual CTF event hosted by the CyberSecurity Club @ IIIT Kottayam, which this year took place from 28th February - 2nd March 2025.
ApoorvCTF was a grand success; we got way more participants than we anticipated! Let's just gloss over the statistics part of ApoorvCTF 2025. This year featured a total of 2300+ users across 1200+ teams, with 776 teams submitting at least 1 flag. Big numbers indeed.
Final Statistics
Time to get started with the thing you are here for. The Challenge of hosting infra with 0% downtime for 2000 people.
Getting Ready
Let's go back to about a week before ApoorvCTF. It had been decided that me and NotAProton would be taking care of the Challenge Infrastructure & the other leads would take care of CTFd, which was being hosted on college premises.
We decided to split all the challenge infrastructure into 2 parts, chals1.apoorvctf.xyz & chals2.apoorvctf.xyz.
I was in charge of chals1, and under me were the following challenges.
- 3 PWN Challenges
- 3 Crypto challenges
- 2 AI Challenges
- 1 Web Challenge needing 3 containers on docker-compose
Sounds like a lot of work, right? And yeah, work it was.
So then, where to host?
We still hadn't decided where we would eventually be hosting it. Onsite @ college seemed like a good place, but we were not sure about the number of participants we would get and whether the college network would be able to handle that amount of incoming traffic, so we decided not to go ahead with college infra for challenge hosting (this would turn out to be a very wise decision later on).
We then looked towards Azure. Why Azure, you ask? Well, Azure has this policy where it gives students under a recognized institution 100 dollars' worth of Azure Credits to play around with. Whether it would be enough or not, we didn't know. But we decided to go ahead anyway.
My experience with Azure wasn't that star-spangled either. The most I had done on Azure before this was just getting VMs up to host either websites or Git servers. I did try mailing servers but never got them to work. So when I picked Azure, I knew this would be the perfect opportunity to learn about the different products Microsoft had to offer and how to use and scale them for high load, because there is no better place to test your infra than in a cybersecurity competition :)
Alright, now how to host?
Like I said, all the experience I had with Azure prior to this was just basic Networking & some playing with Docker on VMs here and there and that was about it. Now, it was time to change that.
FYI: We decided to use a fresh Azure student account with the complete 100 dollars of credits, hoping that it would be enough to last the entire 48 hours or more after the event ends, so we had to capitalize and minimize costs while ensuring 100% uptime for challenges.
So, I started by looking for ways to host Docker Containers on Azure. First thing that popped up were Azure Container Instances.
Sounded like exactly what I needed. LGTM, sign me up! Now, I needed some way to actually host my Docker images online. Docker Hub was a big no-no since it allows for only 1 private image. GHCR could've worked, but I decided to host my own Container Registry on Azure to make it easy and safe to manage containers in the same Resource Group. And there we had it, the base idea set up.
Networking, but for 2000 people
Now comes the networking part, the part I like the most. I started by getting a public IP from Azure, which was pretty expensive but no other choice. Now comes the big question. Application Gateway vs Azure Load Balancer.
I decided to go with Azure Load Balancer since it was cheaper and could easily handle the load we were expecting (it can apparently handle loads up to 15M+ requests per second), mapped my newly bought static IP to it, and there we had it.
I then made a Virtual Network and a Subnet for the Docker Containers I was about to host. I then started making the containers one by one, building the Docker image locally, pushing it to my ACR and then initializing a container to that image.
I then created separate backend pools on my Load Balancer for each challenge domain and then configured inbound NAT rules to route the traffic to the respective backend pool.
Azure Resource Group
Pre final setup list
What about Docker Compose?
I also had to host a web challenge, which needed 3 Docker containers: a frontend, a backend and a Mongo database. Unfortunately, K8s clusters on Azure are very expensive, so I had to go down the old path of Virtual Machines. I spun up a 4GB RAM, 2 Core Ubuntu VM, got Docker on it, added it to a new subnet (can't have ACI & VMs on the same subnet on Azure for some reason) and then did the same NAT config to get it working.
Final Setup
The Final Day
The day, or should I say the night, had finally come. 28th February 2025, 9:00 PM IST. The infra was working as expected, but now it was time for the real test. Would the infra be able to take the load, or would we crumble and ruin the CTF experience for the more than expected 2000 or so people?
The first 10 minutes were the most nervous. Minutes felt like hours and I kept spamming netcat commands from my terminal in hopes of a response from my load balancer. And then, it happened. The first flag was submitted and the response was received. The infra was working. Working better than I could've ever anticipated. It stayed at a solid 100ms response time on average. That too under heavy load of people trying out crypto, PWN & web questions nonstop.
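The manual netcat checks described above can be scripted. This is an added example, not the tooling used during the event: `probe`, `sweep`, the `SLOW_MS` threshold and the local listener in `demo` are all constructed for illustration, and the banner check assumes a netcat-style challenge that greets the client on connect.

```python
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

SLOW_MS = 200.0  # assumed alert threshold, taken from the post's "sub 200ms" figure

def probe(host, port, timeout=2.0, expect_banner=False):
    """Open one TCP connection (what `nc host port` does) and time it."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # Optionally require the service to send its first byte, which
            # separates "port is open" from "challenge is actually answering".
            if expect_banner and not sock.recv(1):
                return {"port": port, "state": "down", "ms": None}
    except OSError:  # refused, unreachable, or timed out
        return {"port": port, "state": "down", "ms": None}
    ms = (time.monotonic() - start) * 1000
    return {"port": port, "state": "slow" if ms > SLOW_MS else "ok", "ms": round(ms, 1)}

def sweep(host, ports, **kwargs):
    """Probe all challenge ports in parallel; results come back sorted by port."""
    with ThreadPoolExecutor(max_workers=16) as pool:
        results = list(pool.map(lambda p: probe(host, p, **kwargs), ports))
    return sorted(results, key=lambda r: r["port"])

def demo():
    """Constructed target: one local listener that greets, one closed port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def greet():
        conn, _ = srv.accept()
        conn.sendall(b"Welcome\n")
        conn.close()
    threading.Thread(target=greet, daemon=True).start()
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here any more
    states = sweep("127.0.0.1", [srv.getsockname()[1], closed_port], expect_banner=True)
    srv.close()
    return {r["port"]: r["state"] for r in states}, closed_port

if __name__ == "__main__":
    print(demo())
```

Run on a schedule against the challenge host and ports, any result in state `down` or `slow` is the signal to look at the container or NAT rule behind that port.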
Day 1
The statistics for load on each machine just after the CTF started. We can see that the incoming packet count on the Load Balancer shot up to 2M packets and the Load Balancer didn't even have a hiccup.
Day 1-2
Day 1 part 2
We let the infra on for a while, and came back to check up on it at about 1:30 AM in the night, thankfully till then all the tickets were for the challenges and not the challenge infra! The infra was still holding up strong, and we were happy.
Day 1-3
Load balancer handled 2M+ network packets at the peak usage hours and was still giving sub 200ms response times.
Second Wave
Now it was time to focus on the 2nd wave, which was on 1st March 9:00 PM IST, and it's safe to say the challenge infra handled it like a boss. No hiccups or change in response times were seen and all was good!
Day 2
Day 2 Individual Container Stats
While some challenges were hosted on hosting platforms such as Vercel or Render, the websites hosted on Azure had significantly lower loading times and response times. This was a big win for us.
Load Balancer
Day 2 Load Balancer Stats
Final Thoughts
ApoorvCTF 2025 was a big success and the largest event hosted till now for the Cyber Security Club IIIT Kottayam! Challenge infrastructure had almost 0% downtime and 0 hiccups. The Azure makeshift infra held up strong and everyone lived happily ever after :)
Load Balancer
Final Load Balancer Statistics
PS: Never buy DDoS protection on Azure. Almost ruined the entire CTF thanks to how expensive it is :D