1. Guest, as per the stickied thread, this forum has not been in use since 2014. All bugs and feature requests should be posted to JIRA.

Bug BungeeCord + Spigot Vulnerable to RUDY DOS attack

Discussion in 'Bugs & Feature Requests' started by dreadiscool, Apr 18, 2013.

  1. Hey md_5,

    Here are the tests I performed

    All information on how to perform the exploit removed due to continued harassment by forum members.

    Test #1: Local CraftBukkit server, not using Netty
    The server was spammed with connections till the listener crashed with java.io.NotEnoughMemory spam, and it was unjoinable after approximately 2 seconds.

    Test #2: BungeeCord running latest developer build [w/ Netty]
    INSANE console spam, filled with stacktraces. Unreadable. During the attack, both logging in and pinging the server via Minecraft's in-game server list was impossible. However, other servers running on different ports were uanffected (this is a layer 7 attack anyhoo)

    Test #3: Staminus server running BungeeCord, oldish, [without netty]
    The server went down. However, after I stopped, within 20 seconds it came back. However, still to this point, it is not possible to ping the server via Minecraft's in-game server list. But, I can still join the server.

    I don't know if this can be resolved or not D:
    #1 dreadiscool, Apr 18, 2013
    Last edited: Apr 18, 2013
    • Like Like x 1
    • Informative Informative x 1
  2. SuperSpyTX


    • Like Like x 1
    • Funny Funny x 1
  3. SuperSpyTX Whatever, if this is the kind of response that comes from the community, the next time there's an exploit, count on me not to report it.
  4. I think he was just stating that it'd be better to PM md_5 about these kinds of things, not releasing them out into the open.
  5. SuperSpyTX


    You're only letting the cat out of the bag if you're publicly reporting a public vulnerability.

    You're actually an idiot for publicly posting about a potential attack to other servers, what if it was an attack that crashed servers instantaneously?
    • Agree Agree x 1
  6. It is confirmed that this attack as-is does not work against a remote CraftBukkit (i.e. no Spigot changes) server; although it does spam the console.

    Your test failed because localhost is exempt from the ratelimit.

    @dreadiscool edited to address concerns
    #6 Kane York, Apr 18, 2013
    Last edited: Apr 18, 2013
  7. Au contraire, BungeeCord has no ratelimit, and some servers remove the ratelimit, making this very valid.
  8. md_5

    Administrator Developer

    In the meantime why not just rate limit using iptables / your systems firewall. Additionally be aware that a Bungee rate limit, whilst I'm not against adding is verging on pointless due to the fact users can just use proxies. This isn't an RUDY attack, its just overflowing your server with more connections than it can handle. ie; generic layer 7 ddos.
  9. md_5 I guess the solution would be to write a plugin that limits the total amount of connections per second.
  10. CustomForms

    CustomForms Retired Moderator
    Retired Supporter

    Or just limit your rate using IPtables.
    • Agree Agree x 1
    • Informative Informative x 1
  11. SuperSpyTX


  12. SuperSpyTX


    Probably easy to port over if anyone else wants to do it.