Looking into Minecraft denial of service.

Preface

For years, denial of service attacks have been a risk all Minecraft server owners had to take into account. With DDoS mitigation still being in its infancy by the time Minecraft gained popularity, many networks had to orient and build their servers around providers that allowed them to grow unaffected.

Introducing OVH

OVH has quickly risen out as one of the most reliable hosting providers which included denial of service mitigation. Their low pricing, along with the always improving infrastructure meant they were in the reach of most server owners while not hurting profit margins. With many enterprise networks currently embracing OVH as the best solution out there, and hosting providers reselling their services to the casual server market at a low price, the issue seemed fixed.

Minecraft-specific denial of service attacks

Just as any application that interacts with the internet, Minecraft needs a protocol (eg: a language) to allow the client and server to communicate. The popularity of Minecraft meant the protocol specification was reverse-engineered and publicized. With the protocol in hand and most of the server software open-sourced, malicious developers began developing software to crash servers. Plugin developers started popping up and providing solutions to denial of service attacks, most of them expensive and having ties with known denial of service perpetrators. While this has reduced the risk for a while, it only meant there was more on the line.

My initial solution

While working with the Gamster team, their decision not to pursue a long-term solution and instead resort to paying monthly "blacklisting" fees made me look into alternatives that would be able to handle large amounts of bots without large performance hits to the server. My solution was to combine ipsets with iptables to reduce the number of bots that would reach the server to a graspable amount. This was enough to prevent the pre-existent antibot plugins from being overloaded and crashing the server. The solution was presented to gamster management and was quickly implemented and further open-sourced for everybody to use. My post on spigotmc was moderately successful, with many antibot providers starting to implement the solution in an attempt to improve their plugins' ability to deal with large amounts of bots. Sadly, most of these implementations missed the idea behind the solution, and didn't result in major improvements to mitigating speed:

  • ipsets were used to blacklist bots instead of to whitelist real players.
  • There was no limit to the number of connections the server would have to handle, which meant large attacks were still able to cripple networks and shut down networks. While we further developed our solution and catered it to Gamster's infrastructure, the community was yet to adopt a widely effective strategy for mitigating botting.

Bungeecord Forks

A few Russian servers quickly developed their own in-house solution to handle botting, using drop checks along with captchas to detect and block bots from joining the server. While this was initially not widely adopted by the Minecraft community, several paid bungeecord forks such as Aegis have made using this system easy to grasp. This was enough to handle most attacks under 5000 connections per second but had trouble when attacks started overwhelming the system as a whole. Enterprise networks were still not covered.

TCPShield

TCPShield is a new solution that quickly came to popularity. Since their proxy services are currently free of charge, many servers have hopped on the train and finally received reasonable and accessible mitigation from Minecraft denial of service attacks. Even so, there were situations where people were denied from using tcpshield, still leaving a gap to be closed.

Our updated solution

With many networks contacting us to help mitigate their own botting issue, we have found a combination that has good results and is completely free of charge and can be used in-house:

  • This Shell Script limits the maximum amount of connections your server will need to mitigate, making it easier for plugins to mitigate large attacks.
  • The 2LS Antibot is a free and barely intrusive method to mitigate the bots that manage to pass through and smart bots at the same time.
  • Depending on your infrastructure, a tool to automatically whitelist player IPs when they are validated to be true players (10+ minutes in-game, joined a server outside of your lobby servers, or when they finish a challenge) is recommended. For example, at gamster, we use a REST API to automatically update the ipsets on all of our haproxy servers every 5 minutes and whitelist our trusted players from being tested by the system.