Server crash exploit

Discussion in 'Bukkit Help' started by rocketman679, Dec 11, 2011.

Thread Status:
Not open for further replies.
  1. Offline


    I currently run the GFF Servers (vanilla) and while I'm not entirely sure that I want to move to bukkit, I would like to know that if I did that these crashes would stop.

    There is an exploit that some hackers use to crash servers instantly, it is NOT a piston bug, related to spamming, an inherent server issue, an internet connection issue, a hardware support problem, a ddos (though it is commonly called that) ping flood, SYN flood, RST flood, or anything else not related to the minecraft itself. It is an exploit of the minecraft server code that causes it to go non responsive, and 100% cpu usage.

    I know there are ways of crashing servers by forcing them to try to generate map faster than the machine can handle, by exploring too fast. This MAY be my problem, but flying isn't enabled on my server and players are usually kicked for trying to super run through solid structures, so I'm not sure about that.

    According to MCP's decompilation of the craftbukkit source, it is identical to the vanilla server source (probably an MCP thing, doesn't seem right) so if it isn't built in to bukkit I want to know what plugin I should get to keep this from happening.
  2. Offline

    Nathan C

  3. Offline

    never heard of the server you posted. My server has 28 slots, and it has nothing to do with the server being "weak." It's an exploit, and I know that even small bukkit servers don't have the same problem, unless I'm just naive. I've never heard of this happening on other (non vanilla) servers.

    I also know that it isn't a fast exploration thing, because my server can generate chunks faster than it will let people explore them (by the "moved too quickly" limit) and this has been tested, besides occasionally people will "count down" when they do it and they aren't moving at all, or they're just wandering around spawn.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: May 22, 2016
  4. Offline


    - bukkit is other code than vanilla I think, you use a lot of difficult words for a very easy problem =)
    - using bukkit you can install anti-cheat plugins so people cannot move faster
    - I don't think a server can crash because of to fast flying, I host a small server at my home, it doesn't have very good specs but with 10 man exploring in GM 1 it didn't crash so..

    Hope that convinced you going to bukkit?
  5. Offline


    the only video'ed example I've been able to find.

    You cant crash a server from flying with the normal client, you have to be speedhacking pretty hard. This is a well documented thing, but I know for a fact that isn't what's happening. I'm looking for a bukkit dev that knows what I'm talking about to be able to explain to me how this is done, so I can prevent it on my server (with or without bukkit).

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: May 22, 2016
  6. Offline


    bukkit anti-cheat plugin, done. You don't need a dev for that and it's not like all the users but the devs are stupid.. ><
  7. Offline


    I need(ed) a dev because I wanted to understand how the exploit works in order to implement my own way of preventing it without going full bukkit. As it stands, I was able to get my hands on a code sample from a client that has the .crash, and I isolated the packet that causes it, allowing me to make a firewall rule against that specific packet. I still don't know how it works on a technical level, but at least I don't have to worry about it anymore. The payload of the packet (in hex) is 0x1b00000000000000007f7ffffd7f7ffffd0000, for anyone with my problem (though they probably won't look on a bukkit forum for a fix). If anyone could explain to me what this does to the server exactly that would be awesome. I was able to reproduce the crash using a packet injector and I can confirm that this is what does the damage.

    I wasn't trying to be rude, i just didnt want a bunch of super-skids telling me to just install nocheat. I know bukkit has methods of stopping the crash, I want to know HOW it does, and that is most likely a question for a dev.
  8. Offline


    So basically you don't want a dev, you want bukkit team member. Best would be to contact them on Twitter on try to get hold of them on the irc. You can also try to send them a private message on the forum. But posting here is definetly not the place to contact them, mainly without Tagging them with @
    You can find the list of bukkit team here (scroll to Bukkit Team) :

    I just found this link for you about protocol and packets (I don't know about these)

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: May 22, 2016
  9. Offline


    There are hacked clients that try and load in the entire world to the game client.. This doesn't mean its generating in chunks.. It just means that their view distance is stretched as far as the world will let it. So if you have a huge map and someone uses the hack.. They will be able to view the entire map.. So your bandwidth and server resources will be used to upload that amount of data to the client.

    This will cause a temporary slow down or crash the game.. There are many plugins available for bukkit to help you prevent this.

    Personally.. I think it would be madness to host a vanilla server for the public. Simply because of the lack of control over the negative members of the community. Sadly they seem to be the majority..
  10. Offline


    If you're right sh8kesula, thanks. I would think that the "veiw distance" option in the file would stop that from being possible, but the symptoms do fit what you are describing. Anyways my server is actually pretty successful, and even more so now that I am able to protect it from these random dicks crashing it. As far as I know it is the only pure vanilla server on the web with any notable size. I'm going to be upping to 50 slots pretty soon. check it out: if you're interested in it at all, I know a good vanilla server is a rare bird.

    and yes sha8kesula, it probably is madness :p it takes a very active and dedicated administration staff, as well as some very sophisticated firewalling to keep it running. You have to be very creative. Like Minecraft!
  11. Offline


    @rocketman679 : I know for a fact that CraftBukkit servers can't be crashed with the packet that you showed a few posts above, because CraftBukkit discards packets of type 1b (= Packet27, an unused packet that serves no purpose atm.) immediatly. The normal minecraft server does accept this packet type and screws up when trying to process it, potentially resulting in a lockup/crash.

    EDIT: So if you want to fix it yourself, go to and set the server to not accept packets of id 27.
  12. Offline


    Thank you Evenprime, hopefully this will provide a more consistent fix than my firewall rule.
  13. Offline


    Not trying to spread panic here, but IF this problem is fixed in Bukkit by discarding that invalid packet, then we still seem to have a problem according to the youtube video posted above, because the internet superhero who shot it explains that he modified the exploit to also work with bukkit servers, and apparently successfully demonstrates it.
    So if anybody has any more information on this stuff it would probably be very appreciated by the community.
  14. Offline


    The video is from September, shortly after the update to 1.8.1 and it is not clear that the .crash showcased there is the same as mentioned above. CraftBukkit is just as vulnerable to such exploits as a vanilla server that shortly after an update. E.g. from the look of that crash and his description that powerful servers can withstand that attack, I'd expect it to be related to the "latency" measurement of minecraft. That had lots of problems that were fixed lateron, e.g. obscure infinite loops like this one:
  15. Offline


    That video is the same crash, but not the same exploit. The nodus client crasher is twofold: one part sends packet 27's to the server in an attempt to crash it, and the other spams it with large (5-10MB) packets. The second part is the "modification" the kid in the vid is talking about, and it was added to the mainstream Nodus client where it still exists, though the exploit has been patched. It is still possible to crash some very weak servers with it, but that second part is easy to protect from with a firewall. No minecraft server ever needs to accept a packet larger than about 800KB, so an incoming firewall rule against that basically nips it completely, if Bukkit is even still susceptible to it. Besides, a bukkit server receiving a packet 27 kicks instantly, before enough large packets have been sent to do any damage at all.
Thread Status:
Not open for further replies.

Share This Page