GeyserMC / Geyser

A bridge/proxy allowing you to connect to Minecraft: Java Edition servers with Minecraft: Bedrock Edition.
https://geysermc.org
MIT License

Unknown connections causing the geyser to crash velocity #4527

Closed jhqwqmc closed 7 months ago

jhqwqmc commented 7 months ago

Describe the bug

There are a few suspicious connections trying to connect to the server, but no actual connection is being made, resulting in an error.

To Reproduce

  1. I'm not exactly sure how these connections are being made
  2. Server crashes automatically

Expected behaviour

The server won't crash

Screenshots / Videos

No response

Server Version and Plugins

No response

Geyser Dump

No response

Geyser Version

2.2.2-SNAPSHOT (git-master-8590869)

Minecraft: Bedrock Edition Device/Version

No response

Additional Context

https://mclo.gs/a3rNz2W

NullOrNaN commented 7 months ago

Hey, this is likely related to this issue: https://github.com/GeyserMC/Geyser/issues/4510

jhqwqmc commented 7 months ago

> Hey, this is likely related to this issue: #4510

Thank you, after investigation, it is indeed a memory leak. ca582674cc4538740303889bacfa98ca

Kas-tle commented 7 months ago

Are you still experiencing these connections?

jhqwqmc commented 7 months ago

> Are you still experiencing these connections?

Let me test it

jhqwqmc commented 7 months ago

> Are you still experiencing these connections?

The problem still exists

https://mclo.gs/dmWKAIv Here's the full log, there's no output after this because it crashed, due to a memory leak.

vapespb commented 7 months ago

Same issue, after 27-03-2024 in the log I see this, many strange connections: https://mclo.gs/eRprzRJ

Most of these IP addresses are from China (I have never played with Chinese, so this is suspicious)

After updating Paper and Geyser — problem still exists

NBT22 commented 7 months ago

What type of server are you running Geyser from?

jhqwqmc commented 7 months ago

> What type of server are you running Geyser from?

VPS

The VPS and IP are shared by multiple machines. I suspect that there may have been a protocol attack, which caused a geyser memory leak by exploiting some protocol vulnerabilities.

jhqwqmc commented 7 months ago

> Same issue, after 27-03-2024 in the log I see this, many strange connections: https://mclo.gs/eRprzRJ
>
> Most of these IP addresses are from China (I have never played with Chinese, so this is suspicious)
>
> After updating Paper and Geyser — problem still exists

Through reverse analysis of these IPs, I found that they are all quite normal IPs. I think the owners of these IPs should be controlled by some kind of computer virus.

Camotoy commented 7 months ago

Please supply a Geyser Dump if you are experiencing this issue.

jhqwqmc commented 7 months ago

> Please supply a Geyser Dump if you are experiencing this issue.

When should I generate the dump? Geyser has already crashed when there is a problem, but when there is no problem, Geyser is normal.

Kas-tle commented 7 months ago

It can be generated now.

jhqwqmc commented 7 months ago

> It can be generated now.

OK

jhqwqmc commented 7 months ago

https://dump.geysermc.org/NTGq7SF8CEDpHOm7tAaT80R3memlpmOS

abhisantos commented 7 months ago

I can confirm this is happening to my server too. Multiple Chinese and French IPs trying multiple connections to the 19132 port all the time!

I am running Geyser on a dedicated server.

I updated to the latest GeyserMC today and the issue continues. Lots of Chinese IPs trying to connect.

Kas-tle commented 7 months ago

A few points to clarify:

  • These bots are likely trying to use your Geyser instance to perform a denial of service attack on other servers
  • We patched their ability to use your server in such an attack in build 478 and later
  • Updating will not stop the connection requests, but it does prevent your server from being used in a denial of service attack
  • From what we've seen, the connection attempts themselves are not happening at a fast enough rate to degrade Geyser performance

jhqwqmc commented 7 months ago

But this is not a DOS attack, it is not fast, it just crashes suddenly.

abhisantos commented 7 months ago

> A few points to clarify:
>
> • These bots are likely trying to use your Geyser instance to perform a denial of service attack on other servers
> • We patched their ability to use your server in such an attack in build 478 and later
> • Updating will not stop the connection requests, but it does prevent your server from being used in a denial of service attack
> • From what we've seen, the connection attempts themselves are not happening at a fast enough rate to degrade Geyser performance

If that is the case, nice to know. And thank you for the answer. Although it's a bit annoying, we can live with that for now.

jhqwqmc commented 7 months ago

If there are just a lot of useless connection messages, you can use a standalone version of Geyser to distinguish the logs, but no matter which version, it will crash because of these meaningless connections.

The current temporary solution is to use the standalone version of Geyser and then restart using the restart script. This has the smallest scope of influence.

brother1p commented 7 months ago

I think it's the port scanner that's working, so connection messages are displayed.

GeneralTDog commented 7 months ago

> But this is not a DOS attack, it is not fast, it just crashes suddenly.

Not a DOS targeting your server, rather an attack to use your server against other servers. 2 days ago they were able to use our server for an attack causing our hosting provider to lock down our server: (12.34.567.890 is the censored IP of our server and 117.149.000.00 the censored IP of the victim host)

> ##############################################################################
> # DDoS-Attack detected from host 12.34.567.890 #
> ##############################################################################
>
>
> TIME SRC SRC-PORT -> DST DST-PORT SIZE PROT
> ----------------------------------------------------------------------------------------------------------
> 2024-04-02 18:53:16.909125621 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:16.956794377 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.081092488 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.171113701 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.245074428 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.395252685 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.511952494 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.588138315 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.746376813 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.830696936 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.942296107 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.038402743 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.130917562 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.241121899 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.353009159 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.454874064 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.569765722 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.639975739 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.717842269 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.779454884 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.837675492 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.91165837 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.965890428 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.022805872 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.122020673 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.200598697 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.30703348 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.420852356 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.527609482 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.645878278 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.742486357 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.844281339 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.98975894 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.094193626 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.200191136 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.320490446 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.4487414 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.563539881 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.69522451 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.787469125 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.945594147 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:21.080623923 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:21.216649354 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:21.336734036 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:21.440574401 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:21.586071519 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:21.709249368 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:21.828432333 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.043367128 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.147169992 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.277595886 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.474732937 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.624952483 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.762477248 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.884386282 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.962889554 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.086080107 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.19955065 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.287708427 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.389323897 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.48187765 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.569431748 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.718129778 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.853424418 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP

I am a bit confused though. As of now (2024-04-04T16:26 UTC) I can't find any notification that there has been a security patch to a vulnerability that is being actively exploited. Not on the GeyserMC website, nor via the console when we do a server startup or version check, or here on GitHub. Was there any information or PSA anywhere so this problem could've been avoided?
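As an added illustration (not code from the thread or from the Geyser project), a small detector for the pattern visible in the provider's report above: outbound UDP from the Bedrock port to a single remote port, many identically sized packets within a few seconds, with no matching inbound traffic. It assumes the report's line format; the sample lines are constructed from the quoted excerpt plus one made-up ordinary flow, and the thresholds are assumptions to tune per host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the hosting provider's report
# (censored addresses kept as in the thread; last line is a made-up normal flow).
SAMPLE_LOG = """\
2024-04-02 18:53:16.909125621 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
2024-04-02 18:53:16.956794377 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
2024-04-02 18:53:17.081092488 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
2024-04-02 18:53:17.171113701 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
2024-04-02 18:53:17.245074428 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
2024-04-02 18:53:18.000000000 +0200 12.34.567.890 19132 -> 198.51.100.7 19132 512 UDP
"""

# TIME SRC SRC-PORT -> DST DST-PORT SIZE PROT
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d)\.(?P<frac>\d+) (?P<tz>[+-]\d{4}) "
    r"(?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+) (?P<size>\d+) (?P<prot>\S+)$"
)


def parse_line(line):
    """Parse one report line into a dict, or None if it is not a packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The report carries nanoseconds; datetime only takes microseconds, so truncate.
    ts = datetime.strptime(f"{m['date']} {m['time']}.{m['frac'][:6]} {m['tz']}",
                           "%Y-%m-%d %H:%M:%S.%f %z")
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "size": int(m["size"]), "prot": m["prot"]}


def find_amplification_flows(log_text, bedrock_port=19132, min_packets=5, max_window_s=10.0):
    """Flag (src, dst, dport) flows of many same-sized UDP packets leaving the Bedrock port.

    A real Bedrock session carries packets of varying sizes; a burst of identical replies
    to one remote port inside seconds is the reflection pattern the provider reported.
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["prot"] == "UDP" and rec["sport"] == bedrock_port:
            flows[(rec["src"], rec["dst"], rec["dport"])].append(rec)
    findings = []
    for (src, dst, dport), pkts in flows.items():
        sizes = {p["size"] for p in pkts}
        span = (pkts[-1]["ts"] - pkts[0]["ts"]).total_seconds()
        if len(pkts) >= min_packets and len(sizes) == 1 and span <= max_window_s:
            findings.append({"src": src, "dst": dst, "dport": dport, "packets": len(pkts),
                             "size": sizes.pop(), "seconds": round(span, 3)})
    return findings
```

Running it over a provider report lets an operator confirm the "used against other servers" case (one flagged flow per victim) rather than a DoS against the host itself.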

GeneralTDog commented 7 months ago

In addition to my previous comment I want to ask one thing regarding the vulnerability:

Was it only possible to redirect traffic using the victim (our server) as a proxy, or is there a chance of a takeover caused by the vulnerability? In addition to the latest xz utils vulnerability (CVE-2024-3094) and a case of a takeover, this would mean our team would have to inform our hosting provider to isolate the server and discuss further steps.

Kas-tle commented 7 months ago

We did an everyone ping in our Discord to notify people of the update. Geyser does not self update, though people have made unofficial plugins and docker containers that do so on restart. This vulnerability is not related to the xz utils vulnerability in any way and is limited in scope to UDP amplification of a specific packet.

GeneralTDog commented 7 months ago

> We did an everyone ping in our Discord to notify people of the update. Geyser does not self update, though people have made unofficial plugins and docker containers that do so on restart. This vulnerability is not related to the xz utils vulnerability in any way and is limited in scope to UDP amplification of a specific packet.

Ah ok, so joining the Discord is mandatory I see, welp, my bad here. So there's no way an attacker could've gained root access to our server by exploiting the Geyser vulnerability, if I understood correctly?

Kas-tle commented 7 months ago

This vulnerability does not allow any form of RCE or shell access and is limited in scope to the UDP amplification of a specific packet.

ShayBox commented 7 months ago

I'm glad to see the exploit has been fixed and the situation wasn't worse than it already was, but this shows an issue with Geyser. Having no Spigot, Bukkit, Modrinth, Curseforge, or Jenkins builds, and having no in-game security update join notification leads to people not knowing about important security updates unless they're in the Discord or monitoring GitHub. We need a security update message in-game, and it really needs to be in-game because in this case a console message would have been lost in the void of thousands of console messages.

Camotoy commented 7 months ago

Thank you for the feedback. We're exploring our options for this.