games647 / FastLogin

Checks if a Minecraft player has a valid paid account. If so, they can skip offline authentication automatically. (premium auto login)
https://www.spigotmc.org/resources/fastlogin.14153
MIT License

Rate Limit Hit, Premium get asked for password on ongoing bot attack #357

Closed Redwolf223 closed 2 years ago

Redwolf223 commented 4 years ago

What behaviour is observed:

When we are getting attacked by a massive influx of bots, premium players are being asked to log in with their password; this means that AutoLogin isn't working.

Some of our premium players don't own a password. This is because we migrated from another AutoLogin system, so AutoLogin was automatically active for them because they were already assigned as premium users in MySQL.

What behaviour is expected:

Auto Login to be performed.

Steps/models to reproduce:

Getting attacked by 800 bots/s.

Screenshots (if applicable)

Plugin list:

Bungee server plugins: Staffchat, SkinRestorer, ServerListPlus, MultiLobby, LuckPerms Bungee, LiteBans, GlobalBroadcastBungee, FastLogin bungee, F3Name, BuyCraftX, BungeeReport, AuthmeBungee, AntiBotDeluxe universal

Authentication server plugins (13): LuckPerms, FastAsyncWorldEdit, IPWhitelist, EasyWhitelist, ViaVersion, CustomAuth, ViaBackwards, ProtocolLib, ViaRewind, WorldEdit, AuthMe, HolographicDisplays, FastLogin

Environment description

MySQL

Plugin version or build number (don't write latest):

1.11; we tried with build #949 but the problem persisted.

Server Log:

31.05 23:22:10 [Server] WARN [FastLogin]: Rate Limit hit - Ignoring player [/51.77.68.123:55636|iSiu_-1971] <-> InitialHandler

Configuration:

Hastebin / Gist link of your config.yml file

Config: https://pastebin.com/gk8kXh7K

games647 commented 4 years ago

Update your config, you can adjust the values yourself:

https://github.com/games647/FastLogin/blob/master/core/src/main/resources/config.yml#L15

Redwolf223 commented 4 years ago

We tried with the new config, but left it with the standard Antibot values, and every time we had more than 600 connections/s FastLogin stopped working.

Maybe we had to adjust the values better; do you think that adjusting it to 100000 connections and 1 minute for Expire makes any sense? Thank you.

Or what would be your suggestion for 800 bots/s?

games647 commented 4 years ago

> We tried with the new config, but left it with the standard Antibot values, and every time we had more than 600 connections/s FastLogin stopped working.

That's exactly what this feature is about.

> Maybe we had to adjust the values better; do you think that adjusting it to 100000 connections and 1 minute for Expire makes any sense? Thank you.

This setting is about CPU usage, because it drops all handling of the player. If your server has no problem fulfilling the database and network requests, you can turn it up.

Malachiel87 commented 4 years ago

I would suggest, instead of blocking the autologin event, blocking only players that are not present in the FastLogin database and allowing login only for already registered players when the antibot is triggered. It would be a better, more clever idea I think, like the AuthMe antibot.

games647 commented 4 years ago

> I would suggest, instead of blocking the autologin event, blocking only players that are not present in the FastLogin database and allowing login only for already registered players when the antibot is triggered. It would be a better, more clever idea I think, like the AuthMe antibot.

This was implemented with the idea that it should do no database or network lookups at all. The issuer complained about too high a database load. However, it could be caused by the Minecraft servers too in that situation. I don't think Minecraft/Bungee plugins serve well for bot protection.

Malachiel87 commented 4 years ago

Yeah, I know, but my theory should work like this, because your method is pretty useless and harmful (increasing the value too much will lead the server to crash) I think vs. the bots. I suggest to do this: when the rate limit happens:

Another solution would be to temporarily lower the login priority so it is protected by the antibot or another antibot plugin.
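As an added illustration (not FastLogin's code), a small Python model of the two behaviours discussed above: the connection rate limit that drops all handling once the budget for the expire window is used up, and the proposed variant that still lets already registered players through. The thresholds, player names and the flood are constructed, a set stands in for the database, and the lookup counter shows the extra per-connection work the variant costs during a flood.

```python
from collections import deque


class ConnectionRateLimit:
    """Sliding-window limit: at most max_connections joins per expire_seconds."""

    def __init__(self, max_connections: int, expire_seconds: float):
        self.max_connections = max_connections
        self.expire_seconds = expire_seconds
        self.joins = deque()  # timestamps of joins still inside the window

    def allow(self, now: float) -> bool:
        # Expire old entries before counting the current window.
        while self.joins and now - self.joins[0] >= self.expire_seconds:
            self.joins.popleft()
        if len(self.joins) >= self.max_connections:
            return False
        self.joins.append(now)
        return True


class LoginGate:
    """Decide per join whether a premium lookup is done or the player is ignored."""

    def __init__(self, limiter, registered, protect_registered=False):
        self.limiter = limiter
        self.registered = registered  # constructed stand-in for the premium table
        self.protect_registered = protect_registered
        self.lookups = 0  # stand-in for database/network requests actually made

    def on_join(self, name: str, now: float) -> str:
        if self.limiter.allow(now):
            self.lookups += 1
            return "premium-lookup"
        # Rate limit hit: the default behaviour drops all handling, no lookup.
        if self.protect_registered:
            self.lookups += 1  # the proposed variant still needs a lookup per join
            if name in self.registered:
                return "premium-lookup"
        return "ignored"  # the player falls back to password authentication


def simulate(protect_registered: bool):
    """Constructed flood: 5 joins in one second against a budget of 3 per 60 s."""
    gate = LoginGate(ConnectionRateLimit(3, 60.0), {"Alice", "Bob"}, protect_registered)
    results = [gate.on_join(f"bot{i}", 0.0) for i in range(5)]
    results.append(gate.on_join("Alice", 1.0))   # premium player joins mid-flood
    results.append(gate.on_join("Alice", 61.0))  # joins again after the window expired
    return results, gate.lookups
```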

iSilviu-debug commented 4 years ago

I also have this kind of problem, and I strongly recommend that we put a very low access priority by getting it to go first from an antibot. Then, if this doesn't work, lock the bot connections without passing them to MySQL while a player enters the server; using the antibot that kicks the bots, enable the premium function by passing it to MySQL.

games647 commented 4 years ago

> I also have this kind of problem, and I strongly recommend that we put a very low access priority by getting it to go first from an antibot.

FastLogin already has low-priority events, but it's how BungeeCord is designed that both plugins will still work concurrently. EDIT: BungeeCord has no direct dependency concept for async tasks.

I've said that multiple times: I'm happy if FastLogin could hook into these plugins as long as they provide a publicly accessible API. I didn't receive a reply in two instances of paid plugins. Besides that, it's also possible to cancel the login events that FastLogin fires. So both directions will work.

madebyfusion commented 4 years ago

Hey @games647,

I hope you are doing fine. I'm the developer of AntiBotDeluxe. Could we chat somewhere to look at this issue?

Much appreciated.

games647 commented 4 years ago

We already had a discussion on Discord. We could use the same channel again.

madebyfusion commented 4 years ago

Contacted you.