The 2008 Capture The Flag was held on December 5th, 2008, from 8am to 5pm, PST.

The winner of the competition was team ENOFLAG from the Technical University of Berlin, Germany.

We will soon make available statistics, network traces, challenges solutions, etc. Be patient...



The UCSB International Capture The Flag (also known as the iCTF) is a distributed, wide-area security exercise, whose goal is to test the security skills of the participants.

The Capture The Flag contest is a multi-site, multi-team hacking contest in which a number of teams compete independently against each other.

This edition of the competition, was inspired by the "24" TV series. Each team had to break into a network belonging to a cyber-terrorist organization in order to stop a nuclear bomb from detonating.

Each team was given a separate multi-host network that was their target. The teams had to work through a public web server, a financial web server, and a development network in order to reach the host that controls the bomb and disarm the bomb itself.

The structure of the competition was radically different from the one of the previous iCTFs, where each team was given a virtualized host image (for example, a Linux host and/or a Windows host) that provided a number of services.

The goal of each team was to maintain the set of services available and uncompromised throughout the contest phase. Each team had to attempt to compromise other teams' services. Since all the teams received an identical copy of the virtual host, the task of each team was to find vulnerabilities in their copy of the hosts and possibly fix the vulnerabilities without disrupting the services. At the same time, the teams had to leverage their knowledge about the vulnerabilities they found to compromise the servers run by other teams. Compromising a service allowed a team to bypass the service's security mechanisms and to "capture the flag" associated with the service.

History and Background

The UCSB CTF evolved from a number of previous security "live exercises" that were carried out locally at UCSB. The first wide-area edition of the UCSB CTF was carried out in December 2003. In that CTF, fourteen teams from around the United States competed in a contest to compromise other teams' network services while trying to protect their own services from attacks. The contest included teams from UCSB, North Carolina State University, the Naval Postgraduate School in Monterey, the West Point Academy, Georgia Tech, University of Texas at Austin, and University of Illinois, Urbana-Champaign.

In 2004, the UCSB CTF evolved into an international exercise (hence, the name "iCTF"), which included teams from the United States and Austria, Germany, Italy, and Norway.

In 2005, the UCSB iCTF evolved into an intercontinental exercise, which included 22 teams from North America, South America, Europe and Australia. This was never be attempted before on such a large scale.

In the following years the size of the iCTF kept increasing. In 2008, the UCSB iCTF involved 40 teams and several hundred students, making it the largest live security exercise ever performed on the Internet.

The exercises up to 2007 were loosely based on the DEFCON Capture the Flag contest. Acknowledgments go to the Ghetto Hackers that did such a wonderful (and inspiring) job in organizing the CTF contest at DEFCON and to Kenshoto, who picked up the task of running the CTF and found ways to improve it. Many of the ideas of our iCTF are derived from the DEFCON CTF and the lessons learned by participating to the DEFCON contest.

Those exercises were different from the DEFCON contest because it involves several educational institutions spread across the different continents. The DEFCON contest includes locally connected teams only.

In addition, the DEFCON contest has always involved a limited number of teams. We developed a new network solution that allows a large number of teams to participate. The UCSB CTF is the largest existing live security exercise.

Finally, we use a novel technique, called "blending", to route traffic among the teams that allows for a more realistic experience.

A series of slides describing previous iCTFs can be found here.


To participate to the iCTF, a team has to be associated with an educational institution (e.g., a university or a school).

Each team has to provide the name of a faculty point-of-contact (POC), who is responsible for the ethical behavior of the team. In addition, each site has to provide the name of a deployment POC, who is responsible for the setup of the necessary infrastructure.

The teams must to be composed of graduate and/or undergraduate students only (faculty and deployment POCs are allowed to compete, though). Teams should not be composed of more than 20 people (excluding the POCs). Since there is no real way to enforce this, it is the task of the faculty POC to make sure that the teams do not end up being too large.

No professionals from companies or non-educational institutions are allowed to participate.

If you want to participate, please send a message to the CTF organizer (Giovanni Vigna) with your affiliation, faculty POC, deployment POC, and number of teams. In addition, please provide a name and logo (in PNG format, please) for each team. After that, you will be assigned an IP range and you will provided with additional instructions to connect to the competition router.

The list of current teams is available on the participants page. If you are already listed in the participants page, please take the time to check that the names, affiliation, and email addresses associated with your site are correctly presented.

All the communication regarding the CTF will use the mailing list ctf-participants, accessible at If you are part of the competition and you are not listed as a member of the ctf-participants mailing list, please subscribe to the list. Mail messages to the organizers of the CTF should be sent to

Network setup

The Capture The Flag exercise involves a number of sites (e.g., UCSB, TU Vienna, Georgia Tech). Each site can have one or more independent teams.

Each site has a dedicated Class B, non-routeable set of addresses. Each team at each site has a dedicated class C subnetwork allocated within the address space of the site. For example, UCSB has the 10.2.x.x address space, and two UCSB teams have address spaces 10.2.1.x, 10.2.2.x, respectively.

Each team has a dedicated host, called the team box. Each team box is connected to a central host called the main box. This means that if a site (e.g., TU Vienna) has more than one team participating in the exercise, each team's team box will connect directly to the main box.

The connection between the team boxes and the main box is implemented through GRE tunneling. The team box must be assigned the 1 address within the allocated subnetwork address space. For example, if a team's subnetwork is 10.3.2.x, then the team box must have the address. The address of the main box is

Each team can have any number of hosts in their subnetwork. The only requirement, in addition to having a team box, is that a host, called, the image box is a part of the subnetwork. The image box should have Ubuntu server 7.10 and VMware Player 2.0.2 installed. The image box must be assigned the 2 address within the subnetwork address space. For example, if a team has the 10.4.3.x address space, it has to set the address of the image box to

Each image box has two VMware instances running on it. Each instance represent a (virtual) host within the team's subnet. The first host is called the vulnerable box and it runs the image of the server with the vulnerable services. The second host is called the test box and will be used for the connectivity testing. The vulnerable box and the test box must have the 3 and 4 addresses, respectively. The figure below shows an example of the setup for three teams (A1, A2, and B1) from two sites (A and B).


The team boxes are configured so that all traffic out of each team subnetwork is sent to the main box. This is an important difference with respect to a standard configuration. In a "normal" set up, traffic exchanged between two subnetworks connected to the same site box would not be sent to the main box. In this setup, instead, the traffic must always be forwarded to the main box because the box is configured to collect statistics and keep track of the network usage. For example, suppose that the two hosts and in the figure above want to communicate. In a usual setup the traffic would have been routed through the team boxes only. In the CTF setup, the traffic is routed through the following path: -> (team box) -> (main box) -> (team box) ->

Note that the vulnerable box and the test box are the only hosts in a team's network that have to be reachable from other teams' networks. All the other hosts can be configured to block traffic coming from the outside.


The details about the required setup are contained in the iCTF HowTo.

In the very likely case that problems arise, do not hesitate to contact the CTF Network admin with details about the issue. Useful details include the output of ifconfig, netstat -rn, and iptables -v -L, and your kernel .config.


It is not possible/feasible to list all the rules and the exceptions to rules that apply to the CTF competition. When deciding if an attack/protection technique is fair or not, try to think about the fact that the goal of this exercise in not to determine who is 1337 and who is l4m3r, but, instead, to learn about protecting/attacking a system in a live situation. Try not to focus on "breaking" the scoring system and instead concentrate on developing/deploying effective (and realistic) defense and attack techniques.

Below, you'll find the current list of rules. These may change as more issues are raised by the participants. Also, the organizers have the right to change any rule (as well as the structure of the competition) at any time.

Point of contact

The Capture The Flag (CTF) is organized by Giovanni Vigna, at UCSB.

This is the contact information: