SpigotMC / BungeeCord

BungeeCord, the 6th in a generation of server portal suites. Efficiently proxies and maintains connections and transport between multiple Minecraft servers.
https://www.spigotmc.org/go/bungeecord

Implement Disconnect Spam / Rate limit for commands #3424

Open uRyanxD opened 1 year ago

uRyanxD commented 1 year ago

Bungeecord version

latest

Server version

all (Server version doesn't matter for this issue)

Client version

all (Client version doesn't matter for this issue)

Bungeecord plugins

None

The bug

I don't know much about this "exploit"; I found out from LPX's Discord (anticrash plugin) that apparently spamming bungee-commands can crash the proxy.

Information extracted from the LPX discord:

PROXY COMMAND SPAM
Problem: You can spam proxy commands without any cooldown
Versions: BungeeCord and other forks, Velocity
Fixes: Put a proxy command limiter such as BetterSecurity
Video: https://youtu.be/Ue_T5Zh1Hgk (nice one to SmogClient and @Null)

Log output (links)

I don't have logs; the LPX Discord is this: https://discord.gg/sPwM2ZE (I found the information about the vulnerability in the #vulnerabilities channel)


Outfluencer commented 1 year ago

First of all, you can't crash the server by spamming commands; you could make one netty thread lag that is executing your commands. Second, by sending that many commands you could create a simple firewall to fix this by dropping too much traffic, as nothing should lag if you're not sending 10000 commands or more a second. And my last thoughts are about why it is lagging: I think it's maybe lagging because of chat component generation when sending the no permission message or the /bungee output, so we could add a cache for string to components.
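A per-connection command limiter of the kind discussed above, as an added example written for this thread (not BungeeCord's own code and not the BetterSecurity plugin). It is a standalone BungeeCord plugin using the public `ChatEvent` / `PlayerDisconnectEvent` API; the package name, class name and the burst/rate constants are assumptions chosen here.

```java
package example.ratelimit; // hypothetical package, not part of BungeeCord

import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import net.md_5.bungee.api.connection.ProxiedPlayer;
import net.md_5.bungee.api.event.ChatEvent;
import net.md_5.bungee.api.event.PlayerDisconnectEvent;
import net.md_5.bungee.api.plugin.Listener;
import net.md_5.bungee.api.plugin.Plugin;
import net.md_5.bungee.event.EventHandler;
import net.md_5.bungee.event.EventPriority;

public final class CommandRateLimitPlugin extends Plugin implements Listener {

    // Token bucket per player: up to BURST commands at once, refilled at RATE per second (assumed values).
    private static final double BURST = 5.0;
    private static final double RATE = 2.0;

    private static final class Bucket {
        double tokens = BURST;
        long lastNanos = System.nanoTime();

        // Returns true if a token was available (command allowed), false if the sender is over the limit.
        synchronized boolean tryConsume() {
            long now = System.nanoTime();
            tokens = Math.min(BURST, tokens + (now - lastNanos) / 1e9 * RATE);
            lastNanos = now;
            if (tokens < 1.0) return false;
            tokens -= 1.0;
            return true;
        }
    }

    private final Map<UUID, Bucket> buckets = new ConcurrentHashMap<>();

    @Override
    public void onEnable() {
        getProxy().getPluginManager().registerListener(this, this);
    }

    @EventHandler(priority = EventPriority.LOWEST) // run before other plugins see the command
    public void onChat(ChatEvent event) {
        if (!event.isCommand() || !(event.getSender() instanceof ProxiedPlayer)) return;
        UUID id = ((ProxiedPlayer) event.getSender()).getUniqueId();
        Bucket bucket = buckets.computeIfAbsent(id, k -> new Bucket());
        // Cancelling here means no command dispatch, no plugin execution and no component generation.
        if (!bucket.tryConsume()) event.setCancelled(true);
    }

    @EventHandler
    public void onDisconnect(PlayerDisconnectEvent event) {
        buckets.remove(event.getPlayer().getUniqueId()); // keep the map bounded by online players
    }
}
```

Note that the limiter deliberately does not log each dropped command, since a per-drop log line would just move the amplification from the command path into the logger.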

md-5 commented 1 year ago

On the last point I think the issue is more slow plugin commands

xism4 commented 1 year ago

On the last point I think the issue is more slow plugin commands

BungeeCord commands such as /bungee could be cached to prevent problems.

md-5 commented 1 year ago

BungeeCord commands such as /bungee could be cached to prevent problems.

But they're not the problem. Also https://github.com/SpigotMC/BungeeCord/blob/master/proxy/src/main/java/net/md_5/bungee/command/CommandBungee.java