Latest News Article

[NINJ4]

So earlier tonight I had a rather unique spammer that rejoined nonstop using various (probably spoofed) IPs. It's probably just a spam of packets attacking the server with obviously fake origin IPs. What I want to know is if there's a way to block this kind of exploit?

Here's a server log excerpt, it goes on like this for an hour or so...

2012-02-22 00:19:52 [INFO] Connection reset
2012-02-22 00:19:52 [INFO] deenore lost connection: disconnect.endOfStream
2012-02-22 00:19:52 [INFO] deenore left the game.
2012-02-22 00:19:52 [INFO] YuMaNIGAPHOROS [/72.28.171.143:2760] logged in with entity id 6894806 at ([world] -2.0, 67.0, -2.0)
2012-02-22 00:19:52 [INFO] YuMaNIGAPHOROS joined the game.
2012-02-22 00:19:52 [INFO] connect from ip 72.28.171.143
2012-02-22 00:19:52 [INFO] Disconnecting Demian123 [/174.51.154.147:1629]: Failed to verify username!
2012-02-22 00:19:52 [INFO] <Vue>: shushaboutold
2012-02-22 00:19:52 [INFO] Disconnecting xXsparyNprayXx [/207.254.137.26:19108]: Failed to verify username!
2012-02-22 00:19:52 [INFO] willas88 [/74.197.185.48:3187] logged in with entity id 6894807 at ([world] -2.0, 67.0, -2.0)
2012-02-22 00:19:52 [INFO] willas88 joined the game.
2012-02-22 00:19:52 [INFO] connect from ip 74.197.185.48
2012-02-22 00:19:53 [INFO] ypchu lost connection: disconnect.endOfStream
2012-02-22 00:19:53 [INFO] Connection reset
2012-02-22 00:19:53 [INFO] ypchu left the game.
2012-02-22 00:19:53 [INFO] doreamon lost connection: disconnect.endOfStream
2012-02-22 00:19:53 [INFO] doreamon left the game.
2012-02-22 00:19:53 [INFO] <firestar101779>: Yay!
2012-02-22 00:19:53 [INFO] wood01 lost connection: disconnect.endOfStream
2012-02-22 00:19:53 [INFO] wood01 left the game.
2012-02-22 00:19:53 [INFO] Connection reset
2012-02-22 00:19:53 [INFO] GB6801 [/71.227.242.52:49900] logged in with entity id 6894808 at ([world] -2.0, 67.0, -2.0)
2012-02-22 00:19:53 [INFO] GB6801 joined the game.
2012-02-22 00:19:53 [INFO] connect from ip 71.227.242.52
2012-02-22 00:19:53 [INFO] xsguns lost connection: disconnect.endOfStream
2012-02-22 00:19:53 [INFO] xsguns left the game.
2012-02-22 00:19:53 [INFO] DanNozza [/71.7.164.93:4519] logged in with entity id 6894809 at ([world] -2.0, 67.0, -2.0)
2012-02-22 00:19:53 [INFO] DanNozza joined the game.
2012-02-22 00:19:53 [INFO] connect from ip 71.7.164.93
2012-02-22 00:19:53 [INFO] deinHeimvater lost connection: disconnect.endOfStream
2012-02-22 00:19:53 [INFO] deinHeimvater left the game.
2012-02-22 00:19:53 [INFO] zlacher lost connection: disconnect.endOfStream
2012-02-22 00:19:53 [INFO] zlacher left the game.
2012-02-22 00:19:53 [INFO] Disconnecting zakk01 [/80.63.56.147:52376]: Failed to verify username!
2012-02-22 00:19:53 [INFO] Disconnecting xPythonx [/61.10.17.27:4063]: Failed to verify username!
2012-02-22 00:19:54 [INFO] Connection reset
2012-02-22 00:19:54 [INFO] winning11 [/80.167.238.77:33611] logged in with entity id 6895243 at ([world] -2.0, 67.0, -2.0)
2012-02-22 00:19:54 [INFO] winning11 joined the game.
2012-02-22 00:19:54 [INFO] connect from ip 80.167.238.77
2012-02-22 00:19:54 [INFO] willas88 lost connection: disconnect.endOfStream
2012-02-22 00:19:54 [INFO] willas88 left the game.
2012-02-22 00:19:54 [INFO] Connection reset
2012-02-22 00:19:54 [INFO] YuMaNIGAPHOROS lost connection: disconnect.endOfStream
2012-02-22 00:19:54 [INFO] YuMaNIGAPHOROS left the game.
2012-02-22 00:19:54 [INFO] Connection reset
2012-02-22 00:19:54 [INFO] Disconnecting ww29nadroj [/85.65.60.75:3207]: Failed to verify username!
2012-02-22 00:19:54 [INFO] GB6801 lost connection: disconnect.endOfStream
2012-02-22 00:19:54 [INFO] GB6801 left the game.
2012-02-22 00:19:54 [INFO] Disconnecting zoom90 [/98.214.154.230:8421]: Failed to verify username!
2012-02-22 00:19:54 [INFO] Connection reset
2012-02-22 00:19:55 [INFO] Connection reset
2012-02-22 00:19:55 [INFO] DanNozza lost connection: disconnect.endOfStream
2012-02-22 00:19:55 [INFO] DanNozza left the game.
2012-02-22 00:19:55 [INFO] gibson66 [/219.142.12.54:10619] logged in with entity id 6895484 at ([world] -2.0, 67.0, -2.0)
2012-02-22 00:19:55 [INFO] gibson66 joined the game.
2012-02-22 00:19:55 [INFO] connect from ip 219.142.12.54
2012-02-22 00:19:55 [INFO] Disconnecting zootboy [/24.217.87.23:3419]: Failed to verify username!
2012-02-22 00:19:55 [INFO] [vip] <spikeabike>: ffs
2012-02-22 00:19:55 [INFO] Disconnecting xtension2k2 [/14.35.249.40:9109]: Failed to verify username!
2012-02-22 00:19:56 [INFO] Connection reset
2012-02-22 00:19:56 [INFO] winning11 lost connection: disconnect.endOfStream
2012-02-22 00:19:56 [INFO] winning11 left the game.
2012-02-22 00:19:56 [INFO] Disconnecting XRACER1 [/58.185.112.164:12118]: Failed to verify username!
2012-02-22 00:19:56 [INFO] Disconnecting wright1 [/24.159.143.110:3050]: Failed to verify username!
2012-02-22 00:19:56 [INFO] Zack331 [/71.202.164.52:1599] logged in with entity id 6895639 at ([world] -2.0, 67.0, -2.0)
2012-02-22 00:19:56 [INFO] Zack331 joined the game.
2012-02-22 00:19:56 [INFO] connect from ip 71.202.164.52
2012-02-22 00:19:56 [INFO] Disconnecting flexifoil [/76.171.81.141:2321]: Failed to verify username!

[Lord_Ralex]

We were hit with a similar effect. This is what we determined was a Spam-bot client designed to basically spam client connections to a server in an attempt to kill it basically. The only real effective solution we had was to just whitelist the server and ban all the accounts that were attempting to connect.

[GoldenApple231]

http://dev.bukkit.or...mods/spamguard/ - SpamGuard, works good.

[atlaw01]

Lord_Ralex, on 22 February 2012 - 07:16 AM, said:

We were hit with a similar effect. This is what we determined was a Spam-bot client designed to basically spam client connections to a server in an attempt to kill it basically. The only real effective solution we had was to just whitelist the server and ban all the accounts that were attempting to connect.

Why whitelist? Isn't saying /ban <name> faster than whitelisting all the people that normally play? :L anyway... Yeah... =


^^^I know that was unnecessary ^^^

[AmberK]

No, because they're joining/leaving within seconds atlaw. A simple way to fix this is disable login messages for new players. Or, if you want, across the whole board: http://dev.bukkit.or.../royalmessages/

[LanderVis]

I think NoCheat is able to block this kind of spam, but I'm not sure.

[NINJ4]

@LanderVis: Sorry, I already have NoCheat installed, it did not help a bit against this onslaught.

@AmberK: This looks like a great solution, but it's not really something we want for our server full time, but I'll definitely keep it downloaded so I can load it up if there's another attack like this one.

@GoldenApple231: That plugin looks great for chatspam (to finally upgrade away from SpamHammer), but as far as I can tell from their dev.bukkit page they don't support connect/disconnect spam like this... Maybe I'm missing something?

@Lord_Ralex: That was what I was considering doing, but since not every account that was being used was a first-time joiner, it would have been difficult. I'm looking for a more automatic solution if possible.

[AmberK]

This is the way we do it:

Guests on our server do not have login/logout messages.
Guests cannot speak
Guests cannot build
Guests can only rank up by completing the server tutorial and answering questions correctly.

[Lord_Ralex]

Yeah, well, what I had done was really just grab my AntiMulti plugin and activate its group whitelist, which allowed our regular players to connect and such, but prevented new players from connecting. It is what I had did, and it also natively helped to show down the spam since not every account had its own IP, so it did help to show that down. It is better than a whitelist, and it did help a bit there.

It does help natively slow it down, but it needs a mod to activate the whitelist feature.

Just found this: http://dev.bukkit.or...-mods/nopwnage/ Seems to be a counter to this, but is not really settled down and such. Something to watch.

[NINJ4]

@Lord_Ralex
I can't find anywhere on that plugin's description that it deals with this sort of spam, it seems to me that it only deals with chat messages unless I'm missing something...

AmberK, on 22 February 2012 - 01:21 PM, said:

No, because they're joining/leaving within seconds atlaw. A simple way to fix this is disable login messages for new players. Or, if you want, across the whole board: http://dev.bukkit.or.../royalmessages/

I've found a good way to temporarily disable join/leave messages using this plugin! Thanks for bringing it to my attention.

By utilizing this plugin in combination with Plugin-Reloader, we can easily keep spammers at bay. Even better, since one of our normal message plugins (FirstJoin) conflicts with rMessages, unless FirstJoin is disabled, rMessages has no effect. I have given all Staff Members on the server the ability to perform "/plugin unload FirstJoin" to combat the spammers.


Thanks for the help guys, I hope this thread helps other people combat this join/leave spam. My server is nominally back to normal and we're busily banning all the compromised accounts!

[hamstain]

NINJ4, on 23 February 2012 - 01:21 AM, said:

@Lord_Ralex
I can't find anywhere on that plugin's description that it deals with this sort of spam, it seems to me that it only deals with chat messages unless I'm missing something...


I've found a good way to temporarily disable join/leave messages using this plugin! Thanks for bringing it to my attention.

By utilizing this plugin in combination with Plugin-Reloader, we can easily keep spammers at bay. Even better, since one of our normal message plugins (FirstJoin) conflicts with rMessages, unless FirstJoin is disabled, rMessages has no effect. I have given all Staff Members on the server the ability to perform "/plugin unload FirstJoin" to combat the spammers.


Thanks for the help guys, I hope this thread helps other people combat this join/leave spam. My server is nominally back to normal and we're busily banning all the compromised accounts!

This plugin blocks disconnect/reconnect spam as well. Not sure if they intend to patch it to R5 though.

http://forums.bukkit...1-0-0-r1.29726/

[jefe323]

This plugin can also prevent login/logout spam: http://dev.bukkit.or...rver-mods/stab/

[Lord_Ralex]

jefe323, on 24 February 2012 - 03:37 PM, said:

This plugin can also prevent login/logout spam: http://dev.bukkit.or...rver-mods/stab/

IIRC, we had that on our server and it did not do anything. I think that one is only a chat-spam protection plugin, also looked at the page and did not say it countered this.

[jefe323]

Lord_Ralex, on 24 February 2012 - 07:22 PM, said:

IIRC, we had that on our server and it did not do anything. I think that one is only a chat-spam protection plugin, also looked at the page and did not say it countered this.

I've only heard this from word of mouth, never actually had a chance to test it myself. I think McBans also prevents login spam

[NINJ4]

1.2.3 seems to do a good job of blocking this kind of spam on its own. I had another attack against my server the day after we updated, and only one in ten joins were actually displayed in the server chats, the rest showed up later as "lost connections" in the server logs.

[conqerer2]

It seems to me like just hiding the login/logout messages won't do anything to stop it. They're still connecting and disconnecting, which takes up system resources. I think whitelisting is the only solution, as it looked like you had different accounts logging in and out. How would a plugin block hundreds of different accounts?

[AmberK]

conqerer2, on 07 March 2012 - 04:55 PM, said:

It seems to me like just hiding the login/logout messages won't do anything to stop it. They're still connecting and disconnecting, which takes up system resources. I think whitelisting is the only solution, as it looked like you had different accounts logging in and out. How would a plugin block hundreds of different accounts?

Ralex's AntiMulti has group whitelisting.