games647 / FastLogin

Checks if a minecraft player has a valid paid account. If so, they can skip offline authentication automatically. (premium auto login)
https://www.spigotmc.org/resources/fastlogin.14153
MIT License

Anti-Bot mode #110

Closed null321-jared closed 3 months ago

null321-jared commented 7 years ago

In the past ~30 hours my server has been bombarded with bots. They are all with random names and they are all offline mode.

First, I will explain my process of combatting the bots, then I will follow it by how I think this feature should be implemented.

When the bot attack started to come, it caused things to become unstable, especially the hub and its wrapper. I first tried switching fastlogin to "switch" mode, so the bots couldn't join. This both helped and made things worse. It helped because the bots no longer clogged up the database―I actually needed to delete over 5000 rows of bots from the database. It made things worse because they still joined the hub, and when they joined they immediately disconnected, causing hundreds of lines per second in the console, crashing it and its wrapper. I lowered the max player count of the hub to 10, which made it more stable, but it eventually crashed. Now it's at 5. It's not fun to get into the server when the hub's max player count is 5. Last night I disabled authme and fastlogin and set the server to online mode. It did the trick, but by doing that I closed off half of my player-base.

These bots are ones that anyone can download pretty easily and attack any server with fastlogin. In this case, however, this person gained access to a unique IP address for every single bot. It is very difficult to deal with distributed attacks like these.

My proposed solution: If a configurable amount of cracked players join in a configurable amount of milliseconds, set the server to premium only for a configurable amount of seconds. If it happens again, it would double the time. For example, if 50 players join in 1500 milliseconds, set the server to premium for 600 seconds. If it happens again, it would double the time to 1200 seconds. When in premium mode, FastLogin should have minimal database usage to prevent overloading the server, since hundreds of bots are trying to join every second. All it should do is log which accounts successfully join as premium as it would normally do, to keep the account secure.

By setting the server to premium for a period of time, it will prevent all bots from joining except for those that bought leaked Minecraft accounts on the black market. Those on the black market are almost impossible to prevent since they are premium, but the average person cannot gain access to them.

If this feature gets added, it also makes sense for you to add a command that sets the server to premium for a configurable amount of seconds.

Also why do you request that the proxy is set to offline mode? In the event where the plugin isn't loaded, it could cause vulnerabilities. Also, a few of my bungee plugins have features that break when it is in offline mode.
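As an added illustration of the threshold-and-doubling logic proposed above (not FastLogin's own code: the class, method and field names are hypothetical, and the injected clock is an assumption so the logic can be driven offline), a framework-agnostic sketch in Java:

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.function.LongSupplier;
/** Hypothetical detector for the proposed anti-bot mode; not FastLogin's own code. */
public final class AntiBotMode {
    private final int joinThreshold;      // cracked joins needed to trigger (e.g. 50)
    private final long windowMillis;      // ...within this many ms (e.g. 1500)
    private final long basePremiumMillis; // first premium-only period (e.g. 600 s)
    private final LongSupplier clock;     // injected clock so the logic is testable offline
    private final Deque<Long> recentCrackedJoins = new ArrayDeque<>();
    private long premiumUntil = 0L;       // epoch ms until which premium-only mode is active
    private int escalations = 0;          // consecutive triggers; each one doubles the period
    public AntiBotMode(int joinThreshold, long windowMillis, long basePremiumSeconds, LongSupplier clock) {
        this.joinThreshold = joinThreshold;
        this.windowMillis = windowMillis;
        this.basePremiumMillis = basePremiumSeconds * 1000L;
        this.clock = clock;
    }

    /** True while the server only accepts premium (Mojang-authenticated) joins. */
    public synchronized boolean isPremiumOnly() {
        return clock.getAsLong() < premiumUntil;
    }

    /** The proposed admin command: force premium-only mode for a number of seconds. */
    public synchronized void forcePremiumOnly(long seconds) {
        premiumUntil = Math.max(premiumUntil, clock.getAsLong() + seconds * 1000L);
    }
    // Called for every join FastLogin would otherwise treat as an offline (cracked) player.
    // Returns true if the normal offline flow may continue, false if the join is refused;
    // while premium-only mode is active it refuses before any database or Mojang work.
    public synchronized boolean onCrackedJoin() {
        long now = clock.getAsLong();
        if (now < premiumUntil) {
            return false; // cheap reject: no DB row, no Mojang lookup
        }
        recentCrackedJoins.addLast(now);
        while (now - recentCrackedJoins.peekFirst() > windowMillis) {
            recentCrackedJoins.pollFirst(); // slide the window
        }
        if (recentCrackedJoins.size() < joinThreshold) {
            return true;
        }
        // Threshold hit: 600 s the first time, 1200 s the next, 2400 s after that (capped)
        premiumUntil = now + (basePremiumMillis << Math.min(escalations, 16));
        escalations++;
        recentCrackedJoins.clear();
        return false;
    }
}
```

With `new AntiBotMode(50, 1500, 600, System::currentTimeMillis)`, 50 cracked joins inside 1.5 s switch the server to premium-only for 600 s, and every repeat doubles that period as the proposal describes.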

Wearwolfy commented 7 years ago

Good suggestion, I have been attacked plenty of times as well, but my server could handle it; the hub lagged a bit but it was still functional.

null321-jared commented 7 years ago

Are you planning on implementing this? If so, when? My server is still getting frequently attacked, it's getting attacked right now https://www.shadowxcraft.net/admintools/index.php?p=ban&pageNo=1

It's not crashing, but it's not easy to get into the server, and it's not fun being in the hub with the bots joining at an abnormal rate.

games647 commented 7 years ago

Of course, that's why I kept this open. Did you ever try an anti-join-bot plugin?

Wearwolfy commented 7 years ago

Correct me if I am wrong, but AuthMe already has an anti-bot feature built in, although it doesn't work that well, speaking from experience.

Wearwolfy commented 7 years ago

OK, but how do I fix it so that it starts registering players again? Restart? Should I up the 600 value?

games647 commented 7 years ago

It's rate-limited by the Mojang server per IP, so you can only wait.

Wearwolfy commented 7 years ago

But how do I fix it now?

games647 commented 7 years ago

Tell your users to use the command or wait until you are allowed to make requests again.

Wearwolfy commented 7 years ago

After the bot attack like 1 week ago, it looked like the timer reset; autoRegister stopped working after the bot attacks. I checked the last 50 columns and only 4-5 premium players that I made premium myself.

Wearwolfy commented 7 years ago

Could it be that it's because I am not running the latest bungeecord version/fastlogin version? Just wondering.

Wearwolfy commented 7 years ago

This is really urgent, if I restart the server and install anti bot will the issue be fixed?

games647 commented 7 years ago

This depends on your anti bot system. If it blocks it before FastLogin sees anything about the player, yes.

Furthermore, you could tell your users to use that command. If you inform all players, I don't see any issues there. Besides, only new players have to do that during a bot attack. Moreover, auto register is not a required thing. I saw a couple of servers where auto register is turned off and only the players who want auto login could turn it on.

Wearwolfy commented 7 years ago

You are not getting what's wrong. After a bot attack, the auto register doesn't work again until I restart the server. Yesterday I restarted my server and now autoregister stopped working again. Otherwise there wouldn't be a problem indeed. I also installed an anti-bot (for bungee) but this didn't help either.

BOT-Neil commented 7 years ago

I know this is late but @Wearwolfy did you try https://www.spigotmc.org/resources/dynamicantibot-bungee-bots-and-proxies-detection.18832/ ?

null321-jared commented 7 years ago

The antibot plugins I have tried don't work well with FastLogin. I just had another attack recently.

If I were to do this myself and submit a pull request, do you have any suggestions or things you want me to do?

games647 commented 7 years ago

> The antibot plugins I have tried don't work well with FastLogin. I just had another attack recently.

It's probably because FastLogin listens on packets using ProtocolLib and after a successful connection it fakes a new incoming packet. You could look into the StartpacketListener. It's the first packet we listen to (and the second packet that we receive). This might help you understand the protocol: http://wiki.vg/Protocol#Login

I started this project as a proof of concept that it's also possible to make it without any server modification. The problem is that it ignores some normal login events that some plugins listen to. It's only a problem for AntiBot plugins since they really depend on these event systems.

Sponge's Mixin project is a great alternative to the packet listening approach and it would make a lot of things easier to maintain (like without faking any packets), but it requires a lot of work.

Eufranio commented 7 years ago

Mixins can't be used in bukkit plugins, unfortunately...

games647 commented 7 years ago

@Eufranio According to some issues on the project, we need full control of the class loader, which we only have using a "hacky" way:

There are ways around this limitation but they're hacky and far from straightforward.

That's really sad, but it appears that MassiveCore found a solution for that. But:

Eufranio commented 7 years ago

I don't think MassiveCore uses Sponge's Mixin O.o but if you find a way to, the wiki is quite well explained: https://github.com/SpongePowered/Mixin/wiki

games647 commented 7 years ago

> I don't think MassiveCore uses Sponge's Mixin O.o

I know, but it uses the same concept.

TKwSni commented 6 years ago

Any chance for this anti-bot mode? At least an IP ban thing to add lists of proxy/VPN IPs to stop common attacks?

I have been receiving an attack for some hours already, and there is no way to connect because fastlogin is trying to check if bot names are premium or not, then the Mojang limit etc...

No antibot seems to work because I think fastlogin is the first connection handler, or is it authme?

BOT-Neil commented 6 years ago

I have a solution but it requires a subscription to https://proxycheck.io/dashboard/ and https://www.spigotmc.org/resources/1-7-1-13-bungee-spigot-mbanproxyvpn-no-vpn-proxy-countrychecker-universal.32744/

If you get those two things, I made a plugin that, when you are under attack, changes the config of mbanproxy to use my plugin to firewall with iptables instead of blocking it. It's quite a messy solution, but it works. Would you like it @Blackyvk

TKwSni commented 6 years ago

Thanks but I think something like this should be incorporated in fastlogin..

Country ban, IP banlist, because not everyone has a dedicated server running their Minecraft server. If fastlogin let us ban IPs and countries, and deny them from touching the auth, the Mojang queries could be enough for some...

User wants to join > fastlogin checks IP > Is the country, IP or proxy banned (all these stored in a database on the server for fast access, doing manual or automatic proxy list updates)? Yes/No > Yes? Deny the connection > No? Continue to login

The server might be overloaded, but players would still be able to log in.