Formats

There are multiple popular game formats for organizing cyber-security competitions, such as Jeopardy, Attack-Defense (also known as AD or RvB), and King of the Hill (KOTH). Traboda Arena supports the Jeopardy, Attack-Defense, and King of the Hill game formats.

Jeopardy

Jeopardy style (often referred to as Jeopardy CTF) is the most popular cyber game format. In this format, participants are presented with a number of challenges across a variety of cyber-security categories (or topics). Participants need to solve these challenges to earn points. The team with the most points at the end of the competition wins.

While challenges may be released in sets or at different times, once released they are available to all participants to solve in any order. A single challenge may be solved by multiple teams, and a single team may solve multiple challenges.

A single challenge may contain more than one solution (such as a flag or an answer), and each solution may be worth a different number of points. For example, a challenge may have one flag worth 100 points and another flag worth 200 points, for a total of 300 points. A team may solve the challenge partially by submitting the 100 point flag, and may then submit the 200 point flag to complete the challenge and earn the full 300 points.

Participants usually have a limited amount of time to solve the challenges, though Jeopardy style events can be set to run indefinitely for practice or training purposes on the Arena Platform.

Challenge Types

In the Jeopardy format, Arena classifies challenges into the following types based on the solution type:

  1. Flag
  2. Question Answer
  3. Code Submission
  4. Manual Review

Scoring

Every challenge type (except for Manual Review) supports accepting multiple solutions which could be flags, answers, test cases, etc. For each of these solutions, the challenge author can specify the points that the participant will earn for solving the challenge. The total points for a challenge is the sum of points for all the solutions.

Arena supports two types of point systems for Jeopardy challenges - Dynamic & Static. In the Dynamic point system, the points for each solution are calculated based on the number of participants who have solved the challenge, and decay or reduce as more solves are received for the solution. In the Static point system, the points for each solution are fixed and set by the challenge author. You can read more about the point system in detail from here.

Attack-Defense (AD)

Attack-Defense (AD) is a more competitive cyber game format where multiple participants, who are each given a server with a fixed set of services (challenges), compete against each other to attack other participants' servers and defend their own servers.

In this format, every participant server has the same set of services (challenges) running on it. These servers are spawned by the Arena platform in an isolated VPC, and are accessible only to the participants. Each participant has a unique IP address for their server, and can connect to or attack (using some exploits) other participants' servers using their IP. Each participant has command line access to their own server, and has to use a VPN configuration to access the game network.

In the game, the participant needs to find vulnerabilities in the services running on their server, as planted by the challenge author. They then need to patch the vulnerability in their server, so that they can defend their server from being attacked by other participants. Knowing that other participants have the same services running on their servers, they can then write an exploit to attack other participants who have not patched the vulnerability.

Once they have successfully attacked other participants' servers, they can then find the flag in the service, and submit it to the Arena platform to earn points. At the end of each round, these flags are changed, and a participant will be able to attack again and earn points if the services are still not patched by competitors. Also, at the end of each round, if the participant's services were not attacked, i.e. no competitors were able to extract flags from the participant's server, they will be awarded defense points. There are also SLA points, which are awarded to the participant for keeping their services live and functional throughout each round, calculated based on the minutes of uptime/downtime per round.

Attack-Defense competitions are held for a fixed amount of time, and the total duration is split into multiple rounds of equal duration. In each round, participants will be able to attack other participants' servers, and defend their own servers. At the end of each round, the scores will be calculated based on the number of services (challenges) that participants were able to successfully attack or defend.

Scoring

The score of a participant for each challenge (service) is derived from attack, defense and SLA points. This can be summarized as follows:

Attack Points

Awarded to the participant for attacking and finding the flag from the service of another participant. A participant can earn more points by attacking the same service across multiple participants. However, they can only do so once per competitor participant in each round. They will be able to attack the same service of the same competitor participant again in the next round, provided that the competitor participant has not yet patched the vulnerability.

Defense Points

Awarded to the participant for defending their own service from being attacked by other participants. A participant earns defense points for each service each round for each competitor participant that does not attack their service. However, they can only do so once per competitor participant in each round. They will be able to defend the same service against the same competitor participant again in the next round.
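The attack and defense rules above, worked through for one round as an added example (not Arena's own scoring code). The point values, the participant and service names and the capture-tuple format are assumptions, "does not attack" is taken to mean "did not capture the flag", and SLA points are left out.

```python
from collections import defaultdict

# Hypothetical per-event values; the page does not state Arena's actual numbers.
ATTACK_POINTS = 10
DEFENSE_POINTS = 5


def score_round(participants, services, captures):
    """Score one round from (attacker, victim, service) flag captures.

    Returns {participant: {"attack": int, "defense": int}}.
    """
    known = set(participants)
    # One attack per (attacker, victim, service) per round: duplicates,
    # self-captures and unknown names are dropped here.
    unique = {
        (a, v, s)
        for a, v, s in captures
        if a != v and a in known and v in known and s in services
    }
    scores = {p: {"attack": 0, "defense": 0} for p in participants}
    # attackers_of[(victim, service)] = competitors who got that flag.
    attackers_of = defaultdict(set)
    for attacker, victim, service in unique:
        scores[attacker]["attack"] += ATTACK_POINTS
        attackers_of[(victim, service)].add(attacker)
    # Defense: per service, one award for each competitor that did not
    # capture this participant's flag during the round.
    for p in participants:
        for s in services:
            held_off = len(participants) - 1 - len(attackers_of[(p, s)])
            scores[p]["defense"] += held_off * DEFENSE_POINTS
    return scores


# Constructed sample round: three participants, two services.
PARTICIPANTS = ["alpha", "bravo", "charlie"]
SERVICES = ["notes", "vault"]
CAPTURES = [
    ("alpha", "bravo", "notes"),
    ("alpha", "bravo", "notes"),    # resubmission in the same round: ignored
    ("alpha", "charlie", "notes"),
    ("charlie", "bravo", "vault"),
    ("bravo", "bravo", "vault"),    # own flag: ignored
]

if __name__ == "__main__":
    for name, s in score_round(PARTICIPANTS, SERVICES, CAPTURES).items():
        print(name, s)
```

Running the scorer once per round and summing the results gives the per-service totals; a service patched between rounds simply stops appearing in the next round's captures.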

SLA Points

King of the Hill (KOTH)

This feature is currently in development and is not yet available to the public.

Feature Differences

Feature | Jeopardy | Attack-Defense | King of the Hill
Scoring | Dynamic / Static Points for each Solve | Attack Points, Defense Points, SLA Points | -
Author can set Points
Challenge Hints
Challenge Types
Difficulty Level
Categories
Tags
Prerequisites
Writeups