Southwest CCDC Regionals 2025

It's the end of March, which means the end to yet another season of the Southwest Regional Collegiate Cyber Defense Competition. It was a great year. The student teams and volunteer teams all did great. I'll try to do a series of posts with more details about various aspects of the competition when I can, but for now I wanted to do a quick overview while it's fresh in my mind.

What is CCDC?

In the Collegiate Cyber Defense Competition, teams of up to 8 college students compete in a simulated business setting to maintain service uptime, respond to business tasks, and defend their systems from attacks by a red team of professional hackers. The student blue teams each work for an identical copy of the same simulated business and do not interact directly with each other.

In the Southwest region, the season begins with an open virtual qualifier. Any team that signs up is allowed to compete in the remote half-day event, where the top 8 teams advance to the in-person regional competition, lasting two full days on site at The University of Tulsa.

Our team

For this season, and likely into the future, I'm responsible for SWCCDC's overall networking, game platform, and supporting infrastructure. My co-lead for the black team, Peter, owned the technical aspects of game delivery. We all do everything, though, and our awesome team does, too. We had several new faces this year, and we're hoping to expand even more!

We build as much of the competition environment in advance, virtually, as possible. Our event is always scheduled for the last weekend of TU's spring break, so as soon as classes end the prior Friday, we take over most of Helmerich Hall, the business college's main building, and start the physical deployment of our networks and other equipment.

This year, all staff officed out of our very busy build lab on the second floor. The network and infrastructure team deployed our supporting equipment by the end of the day on Saturday, equipping the entire team with a useful place to work. Our out-of-town volunteers arrived throughout the early part of build week.

Shot of a very messy build room at the venue

Our platform

In Southwest, we operate a private cloud environment where many of our services run. The SWCCDC Cloud, powered by OpenNebula, serves as both the cloud platform that we operate many services on ourselves and simulates a public cloud like AWS for the competitors.

OpenNebula shoulder shot

Scenario

For 2025, the scenario was based on a parody of the Pokémon franchise. The students' teams initially worked for Oak Industries, maintaining the cloud backend service powering the Pokédex, which records various information about pokémon. Transitioning into the regional competition, Oak Industries was acquired by the Devon Corporation, which manufactures pokéballs.

Technology

For qualifiers, our team built a custom web application for the "Pokédex," which was deployed to two cloud environments via a GitLab CI/CD workflow. For regionals, the blue teams were also asked to expand that service into an additional cloud region.

The company for regionals, Devon, was a Pokéball manufacturer. In the source material, Pokéballs are made from a raw material called apricorns. So, the regionals teams found their rooms had receipt printers in them that regularly printed receiving manifests of tracked and inventoried apricorns. They had to accept those shipments (or, ideally, write some glue code to automate that acceptance), or their Pokéball orders couldn't be fulfilled.

They also had to operate a legacy internal app, a password reset service, which used a compiled C program and CGI to reset office users' passwords. It had some serious flaws that could be (and were) exploited by the red team.

We did plenty of other things, too, like dynamic routing that included a mid-migration pair of routers, an old vulnerable Minecraft server, open Wi-Fi, a log aggregator, HR system, and working email.

Apricorn manifest receipts Receipt chaos Pokedex site from qualifiers

Fun stuff

Oh, and of course we got to have some fun, too. We found some oversized stuffed Pikachu plushes at Costco and placed "visit from Pikachu!" in the in-game store for a modest fake-money fee. It was well received, especially since Pikachu was way larger than the teams expected!

The red team also decided to pose as "Team Rocket" and had some fun with rhymes and wigs and rogue devices masquerading as Pokédexes.

Two oversized Pikachu plushes, one wearing a Black Team Lead badge An upside down 3D printed Pokémon-themed handheld device of some kind

More to come

I'll be writing about more specific aspects of the competition soon! So there will be more photos, more technical design information, and likely some source code, too.

links

social