Is there a plugin to null mass spam reconnecting?

My server has only been down 3 times in the last week, and I have reason to believe it's a griefer spam reconnecting (hundreds+ times per second)...

Here is my plugin request to get a fix. If anyone has any solution, please respond.

http://forums.bukkit.org/threads/req-urgent-anti-exploit-relogin-limiter.49337/

 

Well, they will keep connecting, I don't think you can stop it.
I can something, that will check if he connected withing some timespan, but I don't think this will fix your issue since he will keep connecting.

 

I believe MCBans can do this.

Code:

# throttleAll:
#       Activate throttling on all connections (true/false)
#       Limits the number of connections allowed in x seconds
throttleAll: false

# allConnectionTime:
#       Time (in Seconds) before the connection counter is reset globally
#       DEFAULT: 15
allConnectionTime: 15

# allConnectionLimit:
#       Maximum number of connections to the server in the above time limit
#       DEFAULT: 5
allConnectionLimit: 5

# allLockoutMsg:
#       Message displayed to user if the maximum connections to the server
#	in the specified time period is exceeded.
#       DEFAULT: "Too many connections! Please wait a few minutes."
allLockoutMsg: "Too many connections! Please wait a few minutes."

 

Yes, we use MCBans connection throttling. It greatly helped when we had hundreds of players logging in and out, and has yet to interfere with the "regular" players. Additionally, you can disable essentially all of the "ban" functions of MCBans if you just want to use the connection throttling and you run a different ban system.

Hope this helps!

 

Why not just ban his IP? the min he connects to your server you can track his IP....just paste that in to your IP Bans Text file...

 

IPs can change ... plus the reconnect can be done from multiple sources. Personally i wouldnt use MCBans to just use the throttle method cause its just 30 lines of code but have all events registered and active even if its deactivated via config.

Im currently thinking writing a plugin that focus on banning and how to avoid connection spamming would be perfect.
But ... as for shure a con-spammer will not stop connecting ... im quite unshure how this can be resolved by using a plugin cause the result "laggy server / crashed server" would only be slowed down.

Plus if someone only sends the logout packet ... is this actually an event that can be canceled? will this ever be catched by the event queue?

Normal spam behavior can be limited by using this logic: (non-hacked client)
- Player logs in
- Player is active and logged in for at least one minute
- Player logs out
-> Result: no ban.

Same procedure same username: But disconnects instantly -> result ban for one minute. If he tries to login again increase by the power of two. Maximum should be one hour.

Same way was used on linux failed login counts when entered a wrong password...

Problem: if the username changes and he is only sending logout or login packets without even trying to login ... same as mentioned: Dunno if this actually reaches the event queue or if this is only handled by the Net-Code.

So one solution maybe is writing a wrapper for the server instance. So that the real core doesnt even see those packets when spammed or using OS packet filter to drop those packets. Dunno if this slows done packet handling really but may be worth a try...

Last one needs knowledge of OS firewall. On Linux this can be done via netfilter package but on windows ....

 

The connection throttling feature isn't by player IP, is is by username, as well as a "global connection throttling" mode, in which all connections to the server are throttled.

I also limit via IPTables, although that is a bit iffy at times. Overall after adding MCBans login spam has dropped to null, without any drawbacks on CPU or RAM usage. It's up to you what you use, but until a plugin comes out that is definitive on doing this, then your options are limited. I'll speak with CrashDoom, and see if he can separate out the connection throttling code.

 

@sean.m.rice that would be awesome ^^ Speaking of iptables .. what exactly do you limit?

Next: If i understand you correctly when you use the mcbans throttle function it would prevent server crashes when constantly sending logout packages? Which would proove that the event will be fired even if only a LogoutPacket was send.

Second: Connection throttle per playername hmm ... ok but what about random names? Afaik the Packet wouldn't be ignored anyways and would cause a server crash.

Third: If someone decides to packet storm the server and he sends a random username along with logout packets wouldn't it cause a memory overflow too, because the username has to be saved during runtime?

Hopefully im not going too much into detail ... Just some thoughts about a clean solution for this.

 

@lycano - I ratelimit the all packets on the MC server port. It's been helpful in reducing packet spamming for movement, but not much else. I think it's relevant here too, because if someone is spamming the port with login/logout packets, they can't spam past the ratelimit set by IPTables.

I spoke to Crashdoom, and he said he'd start separating it out as a separate plugin. I'm not a plugin dev, so I don't know all the specifics of how the system works, but when dealing with AVO fanboys performing login/logout spam, it's been flawless. At first I was a bit leery because I figured it may be a bit prohibitive on my regular players, but after watching it carefully, there hasn't been a single problem.

EDIT: Just so you can take a closer look, here's the MCBans source: https://github.com/MCBans/MCBans

 

@sean.m.rice thanks man for your effort =) Ill have a look at it, when its seperated.

 

@lycano no problem, also, the IPTables assists when people feel like firing up LOIC at the server (note, I didn't say it totally works 100%). It basically prevents them from causing lag via packet storms for the most part. I'm working on writing a script to automatically detect and block connections from IPs that continuously violate the rule, but it may be a few weeks.