Open Andre8900 opened 7 years ago
CUSTOM_PAYLOAD packets are also used by bungeecord.
No, not directly.
Just tested: CUSTOM_PAYLOAD packets of any size do not lag the server at all.
It lags the server when sending some data in the book edit channel, probably some data which causes huge deserialization tasks
Exactly. The channels I was talking about (I don't know whether others work too) were "MC|BEdit" and "MC|BSign". I have coded that crasher myself, so if you need the source code, just tell me...
Doesn't bungeecord block packets that do this?
Nope.
Btw here is a plugin which blocks the crash: https://www.spigotmc.org/resources/custompayloadfixer-bungeecord-bukkit-spigot.39891/
It looks like that plugin wouldn't block everything that you can do with a custom payload packet
Command blocks, villagers, beacons, etc. also use payload packets and they can be used to crash the server too.
I think Paper covers this issue if I'm not mistaken?
@RoboMWM yeah this is for outdated Minecraft
Two directions, because this might pop up again and again:
1. Add a frequency check that pulls the weight of a packet on the table, i.e. length * std_frequency * weight_by_packet_type * global_weight_for_balancing could be the score to apply, for packets larger than so and so bytes.
2. Add a check that specifically tests this packet / type of exploit, in case we can detect it for the first packet.
1. Clearly should be possible. 2. Might be slightly faster to add, but only pays off if we really hit the first packet with no false positives. It also should be resilient to alterations of the client code.
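The first direction above, a size-weighted frequency score, shown as an added example that is not NoCheatPlus code and not part of the original thread. The class name, thresholds, weights and the 32767-byte sample size are assumptions, as is treating std_frequency as a per-channel factor; the score is kept per player and drains over time.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not NoCheatPlus code: names, thresholds and weights are assumptions.
public class WeightedPacketBudget {
    static final int MIN_LENGTH = 2048;       // packets at or below this size are not scored
    static final double GLOBAL_WEIGHT = 1.0;  // global_weight_for_balancing
    static final double MAX_SCORE = 200_000;  // per-player budget
    static final double DECAY_PER_MS = 100;   // score drained per millisecond

    // channel -> {std_frequency, weight_by_packet_type}; constructed sample values
    static final Map<String, double[]> TYPES = new HashMap<>();
    static {
        TYPES.put("MC|BEdit", new double[] {1.0, 4.0});
        TYPES.put("MC|BSign", new double[] {1.0, 4.0});
    }
    static final double[] DEFAULT_TYPE = {1.0, 1.0};

    private static final class State { double score; long lastMs; }
    private final Map<String, State> players = new HashMap<>();

    /** Returns true if the packet may be processed, false if it should be dropped. */
    public synchronized boolean allow(String player, String channel, int length, long nowMs) {
        State s = players.computeIfAbsent(player, k -> new State());
        // Drain the score for the time elapsed since this player's last packet.
        long elapsed = Math.max(0, nowMs - s.lastMs);
        s.score = Math.max(0, s.score - elapsed * DECAY_PER_MS);
        s.lastMs = nowMs;
        if (length <= MIN_LENGTH) return true;   // small packets are left to other checks
        double[] t = TYPES.getOrDefault(channel, DEFAULT_TYPE);
        double cost = length * t[0] * t[1] * GLOBAL_WEIGHT;
        // Over budget: reject before the payload is deserialized; a rejected
        // packet is not charged, so the score keeps draining.
        if (s.score + cost > MAX_SCORE) return false;
        s.score += cost;
        return true;
    }

    public static void main(String[] args) {
        WeightedPacketBudget b = new WeightedPacketBudget();
        long now = 0;
        // Constructed traffic: large book-channel packets every 50 ms, then one small edit.
        for (int i = 0; i < 5; i++, now += 50) {
            System.out.println("big #" + i + " allowed=" + b.allow("p1", "MC|BEdit", 32767, now));
        }
        System.out.println("small allowed=" + b.allow("p2", "MC|BEdit", 300, now));
    }
}
```

A check like this only helps if it runs before the payload is parsed, since the thread attributes the lag to deserialization rather than to packet count.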
@v0idst4r But just the book channel can probably be abused because just there the client sends nbt if I'm not mistaken.
In that case, the aforementioned plugin will solve your issues, which I'm assuming you're already using (or a similar server-side patch. Or updated, hopefully).
In my opinion, NCP's job is to fix exploits due to intentional design decisions, such as having the majority of all movement performed client-side. NCP imposes more checks than the vanilla server in validating what the client has sent.
Exploits like these are not due to intentional design/are logical errors, such as the recent crafting book exploit - which similar to this exploit, was fixed in an update by Mojang (and generally a few days earlier by Spigot/Paper). Other plugins of course can patch these - but for NCP, this is outside of its scope.
tbh I agree with this
LOOOL
Short description of the issue.
A Hacked Client has a "Server Crash" function implemented, which spams "CUSTOM_PAYLOAD"-Packets (using Minecraft's book channels) with max size. The NCP packet frequency check doesn't block it, because it doesn't spam that many packets, but really big ones. This makes the server lag really hard and finally crash.
Complete output of the ncp version command (please prefer text here).
---- Version information ----
Server
git-Spigot-db6de12-d3e0b6f ~MC: 1.8.8~ detected: 1.8.8
NoCheatPlus
Plugin: 3.15.2-SNAPSHOT-sMD5NET-b1113
MCAccess: 1.8.4-1.8.8 / Spigot-CB-1.8_R3
Features:
blocks: BlocksMC1_4 | BlocksMC1_5 | BlocksMC1_6_1 | BlocksMC1_7_2 | BlocksMC1_8
checks: FastConsume | Gutenberg | AttackFrequency | FlyingFrequency | KeepAliveFrequency
defaults: pvpKnockBackVelocity
packet-listeners: UseEntityAdapter | MovingFlying | OutgoingPosition | KeepAliveAdapter | SoundDistance | CatchAllAdapter
Hooks: AllViolations~NCP~ 1.0
Related Plugins
ProtocolLib v3.6.5
How to reproduce the issue (is it random / always happens / side conditions)?
Well, as the EaZy Client is a paid client, just send max-sized CUSTOM_PAYLOAD-packets frequently in your client (you probably have the source to debug)
Have you made any (noteworthy) changes to the default configuration of NCP?
No...
Do you run any other special plugins that affect game mechanics next to NC+ (adding skills, machines, adding/changing blocks, other anti cheating)?
No... (even tried with ProtocolLib and without)
Provide additional information, such as error/debug/violation logs. (For reproducible issues with moving consider: https://github.com/NoCheatPlus/Docs/wiki/Debugging#on-the-fly-debug-output-for-individual-players) Use GitHub gists or http://pastebin.com/ or similar for huge logs, or attach a (zip-) file here. For image uploads, please prefer a site that allows viewing without JavaScript, you can upload file attachments for issues right here.