1. Guest, as per the stickied thread, this forum has not been in use since 2014. All bugs and feature requests should be posted to JIRA.

Crash Ddos Layer7 Attack :( Any Help Appreciated

Discussion in 'Bugs & Feature Requests' started by saxon12, Mar 24, 2013.

?

Did you have the same issue?

  1. Yes

    50.0%
  2. No

    50.0%
  1. Hi Spigot,

    I first want to thank the Spigot team for Netty support. It has eliminated so many network issues. But one still remains. As you may know, there is a Ddos type called "R-U-Dead-Yet" witch is classified as Layer 7. My server has been under attack with the so called technique for 5 days. I looked everywhere on the net, did all the research I could but couldn't find anything. The only thing I found that the attack is called RUDY. So I am HOPELESS and need your HELP, PLEASE :(

    System properties:
    Linux Centos 6.3
    Spigot RB #617 (with snapshot-protocol)
    With or without plugins, same issue


    This is what shows up in the logs:

    Protocol error:
    Code (Text):
    [INFO] Disconnecting /202.51.226.140:47382: Protocol error
    [INFO] Disconnecting /202.51.226.140:47382: Protocol error
    [INFO] Disconnecting /202.51.226.140:47382: Protocol error
    [INFO] Disconnecting /202.51.226.140:47382: Protocol error
    [INFO] Disconnecting /202.51.226.140:47382: Protocol error
    (this repeats over 100 times per milisecond, ip changes every minute)

    Bots:
    Code (Text):
    [INFO] Disconnecting RIQTQPCHCXIH [/120.132.132.119:2063]: Outdated client!
    [INFO] Disconnecting UXIVBSFLSOOR [/1.179.147.2:51325]: Outdated client!
    [INFO] Disconnecting VKMQVYVNKNLP [/1.63.18.22:54827]: Outdated client!
    [INFO] Disconnecting HFLSJSXFQDJB [/82.114.95.238:51150]: Outdated client!
    [INFO] Disconnecting FQOJSIYJNHUO [/221.215.155.38:48143]: Outdated client!
    [INFO] Disconnecting KHIPOBQLYUNI [/222.89.154.6:55125]: Outdated client!
    [INFO] Disconnecting MWFXFLPHBQBV [/200.196.51.130:39502]: Outdated client!
    (always there, 50 times per second)

    Packet errors:
    Code (Text):
    [WARNING] Failed to handle packet: java.lang.NullPointerException
    java.lang.NullPointerException
            at net.minecraft.server.v1_4_R1.PlayerList.isOp(PlayerList.java:767)
            at org.bukkit.craftbukkit.v1_4_R1.entity.CraftPlayer.isOp(CraftPlayer.java:71)
            at org.bukkit.permissions.PermissibleBase.isOp(PermissibleBase.java:36)
            at org.bukkit.permissions.PermissibleBase.recalculatePermissions(PermissibleBase.java:150)
            at org.bukkit.permissions.PermissibleBase.<init>(PermissibleBase.java:29)
            at org.bukkit.craftbukkit.v1_4_R1.entity.CraftHumanEntity.<init>(CraftHumanEntity.java:41)
            at org.bukkit.craftbukkit.v1_4_R1.entity.CraftPlayer.<init>(CraftPlayer.java:64)
            at org.bukkit.craftbukkit.v1_4_R1.entity.CraftEntity.getEntity(CraftEntity.java:37)
            at net.minecraft.server.v1_4_R1.Entity.getBukkitEntity(Entity.java:1406)
            at net.minecraft.server.v1_4_R1.EntityHuman.getBukkitEntity(EntityHuman.java:46)
            at net.minecraft.server.v1_4_R1.EntityPlayer.getBukkitEntity(EntityPlayer.java:807)
            at net.minecraft.server.v1_4_R1.PlayerList.attemptLogin(PlayerList.java:241)
            at net.minecraft.server.v1_4_R1.PendingConnection.d(PendingConnection.java:126)
            at net.minecraft.server.v1_4_R1.PendingConnection.c(PendingConnection.java:50)
            at org.spigotmc.netty.NettyServerConnection.b(NettyServerConnection.java:72)
            at net.minecraft.server.v1_4_R1.MinecraftServer.r(MinecraftServer.java:600)
            at net.minecraft.server.v1_4_R1.DedicatedServer.r(DedicatedServer.java:228)
            at net.minecraft.server.v1_4_R1.MinecraftServer.q(MinecraftServer.java:489)
            at net.minecraft.server.v1_4_R1.MinecraftServer.run(MinecraftServer.java:421)
            at net.minecraft.server.v1_4_R1.ThreadServerApplication.run(SourceFile:849)
    (this show up randomly, not frequent)


    So what did I try so far?
    *I figured out that this was a Ddos attack, according to;
    This site: http://dev.bukkit.org/server-mods/nanoguard-anticheat/pages/nano-guard-front-end-defense/
    *I installed the plugin NanoGuard
    *This plugin prevented the crashes but still the server locks up and does not able anyone to join
    *I think the protection should be external because as md_5 said, Ddos attacks the hardware
    *Researched some sites about Ddos Protected VDS servers, but couldn't find a trust able host


    What am I looking for?
    Help! So, If anyone has had a similar issue and found a way to figure it out, please help me too. I could really use suggestions about hosting companies witch provide protections to this sort of attacks. I have a budget of 150$/month and I have around 250 online, so the price is important. Any other plugin or software suggestions for linux would be very very appreciated. Please Spigot, don't let some problematic guys take down my server for ever :(

    THANK YOU!
     
  2. Well for DDoS Protection, you will need to raise your budget past $150/month. I mean, you have 250 online average, that could pull in more than enough money for donations to cover it.

    http://www.JavaPipe.com This is a very good DDoS Protected Host.
     
  3. jeff142

    Benefactor

    i have had the [INFO] Disconnecting /202.51.226.140:47382: Protocol error
     
  4. Which plan do you suggest I buy there? Also do they protect against Layer7 Ddos, because this cannot be filtered easily because it does not use large bandwidth.

    Can you tell me what you did so that they disappeared?
     
  5. jeff142

    Benefactor

    waited a few hours :p
     
  6. Layer 7, also known as the Application layer, can not be protected like a simple UDP Firewall sadly. I personally had no clue RUDY would interfere with a minecraft server like this - ever. I have no idea, but I was just throwing it out there for when you get the Layer 7 Exploit fixed and they resort to UDP.
     
  7. Intelli

    Supporter

    Try disabling Netty for the lockup issue.

    This can be doing by adding the following JVM flag to your startup script:

    -Dorg.spigotmc.netty.disabled=true
     
  8. Hello, I had this exact same issue...

    "[INFO] Disconnecting RIQTQPCHCXIH [/120.132.132.119:2063]: Outdated client!
    [INFO] Disconnecting UXIVBSFLSOOR [/1.179.147.2:51325]: Outdated client!
    [INFO] Disconnecting VKMQVYVNKNLP [/1.63.18.22:54827]: Outdated client!
    [INFO] Disconnecting HFLSJSXFQDJB [/82.114.95.238:51150]: Outdated client!
    [INFO] Disconnecting FQOJSIYJNHUO [/221.215.155.38:48143]: Outdated client!
    [INFO] Disconnecting KHIPOBQLYUNI [/222.89.154.6:55125]: Outdated client!
    [INFO] Disconnecting MWFXFLPHBQBV [/200.196.51.130:39502]: Outdated client!"
     
  9. Well, what can I do then :( I could give you more info about the attack if you accept my skype request.

    Will try that now, if it works I'll write here.

    What did you do then?
     
  10. My host null rooted the attack when I reported it, have not seen it since.
     
  11. When I disabled netty, the Protocol errors turned into:
    Code (Text):
    [INFO] Connection reset
    [INFO] Connection reset
    [INFO] Connection reset
    [INFO] Connection reset
    [INFO] Disconnecting BDDNGBUIYUHK [/127.0.0.1:57726]: Outdated client!
    [INFO] Disconnecting AJXVDARKLSIP [/127.0.0.1:57727]: Outdated client!
    [INFO] Disconnecting WOONCPSISKIU [/127.0.0.1:57728]: Outdated client!
    [INFO] Connection reset
     
    I will test like this for a few hours.


    Which host was this? What does null rooted mean?
     
  12. I use serverpoint.com , and google null root.
     
  13. jeff142

    Benefactor


    This is form "WeepCraft" its a client, i dont know the point of it other then log spam.
     
  14. Did you mean null route?

    Well with netty enabled it used the crash or lockdown my server..
     
  15. jeff142

    Benefactor

    Yes he dose.
     
  16. So i disabled netty and this is what I get know:
    Code (Text):
    [INFO] Connection reset
    [INFO] Connection reset
    [INFO] Connection reset
    [INFO] Disconnecting AMGOYOUJKLCX [/127.0.0.1:46059]: Outdated client!
    [INFO] Connection reset
    [INFO] Disconnecting FCTJEMBWOXAF [/127.0.0.1:46061]: Outdated client!
    [INFO] Connection reset
    [INFO] Connection reset
    [INFO] Disconnecting DQAFGJSBQDFX [/127.0.0.1:46062]: Outdated client!
    [INFO] Connection reset
    [INFO] Disconnecting CBDXPZTFNHQK [/127.0.0.1:46063]: Outdated client!
    [INFO] Disconnecting ZCGYXRTJYOXE [/127.0.0.1:46064]: Outdated client!
    [INFO] Connection reset
    [INFO] Connection reset
    [INFO] Connection reset
    [INFO] Disconnecting WPSBEWGGMAJY [/127.0.0.1:46065]: Outdated client!
    [INFO] Disconnecting QYEDNJKWOSZG [/127.0.0.1:46066]: Outdated client!
    [INFO] Connection reset
    [INFO] Disconnecting RBDBBKDFGQKI [/127.0.0.1:46067]: Outdated client!
    [INFO] Disconnecting UAAATSDCWIDO [/127.0.0.1:46068]: Outdated client!
    [INFO] Connection reset
    [INFO] Connection reset

    Soon enough the Login Thread crashes and no one can logon anymore. Server seems offline but the players inside can continue playing:
    Code (Text):
    [SEVERE] Exception in thread "Listen thread"
    [SEVERE] java.lang.OutOfMemoryError: unable to create new native thread
    [SEVERE]    at java.lang.Thread.start0(Native Method)
    [SEVERE]    at java.lang.Thread.start(Thread.java:691)
    [SEVERE]    at net.minecraft.server.v1_4_R1.NetworkManager.<init>(NetworkManager.java:69)
    [SEVERE]    at net.minecraft.server.v1_4_R1.PendingConnection.<init>(PendingConnection.java:38)
    [SEVERE]    at net.minecraft.server.v1_4_R1.DedicatedServerConnectionThread.run(DedicatedServerConnectionThread.java:86)

    This is NOT a RAM ISSUE, here is the report (from essentials) durig crash:
    Code (Text):
    [INFO] Server Speed (TPS) = 20.0
    [INFO] Maximum memory: 28,638 MB
    [INFO] Allocated memory: 28,638 MB
    [INFO] Free memory: 26,242 MB
     

    I also have NanoGuard installed. I have filter-unsafe-ip turned on in bukkit.yml. I disabled netty. Tried everytning I can think of...

    PLEASE HELP, why is this happening?
     
  17. More crashes:
    Code (Text):
    2013-03-25 15:03:43 [SEVERE] Exception in thread "Thread-6"
    2013-03-25 15:03:43 [SEVERE] Exception in thread "Listen thread"
    2013-03-25 15:03:43 [SEVERE] java.lang.OutOfMemoryError: unable to create new native thread
    2013-03-25 15:03:43 [SEVERE]    at java.lang.Thread.start0(Native Method)
    2013-03-25 15:03:43 [SEVERE]    at java.lang.Thread.start(Thread.java:691)
    2013-03-25 15:03:43 [SEVERE]    at com.nanoguard.plugin.frontend.client.Client.<init>(Client.java:55)
    2013-03-25 15:03:43 [SEVERE]    at com.nanoguard.plugin.frontend.FrontEndModule.onClientConnected(FrontEndModule.java:86)
    2013-03-25 15:03:43 [SEVERE]    at com.nanoguard.plugin.frontend.server.ServerListener.onClientConnected(ServerListener.java:117)
    2013-03-25 15:03:43 [SEVERE]    at com.nanoguard.plugin.frontend.server.ListenThread.run(ListenThread.java:23)
    2013-03-25 15:03:43 [SEVERE] java.lang.OutOfMemoryError: unable to create new native thread
    2013-03-25 15:03:43 [SEVERE]    at java.lang.Thread.start0(Native Method)
    2013-03-25 15:03:43 [SEVERE]    at java.lang.Thread.start(Thread.java:691)
    2013-03-25 15:03:43 [SEVERE]    at net.minecraft.server.v1_4_R1.NetworkManager.<init>(NetworkManager.java:68)
    2013-03-25 15:03:43 [SEVERE]    at net.minecraft.server.v1_4_R1.PendingConnection.<init>(PendingConnection.java:38)
    2013-03-25 15:03:43 [SEVERE]    at net.minecraft.server.v1_4_R1.DedicatedServerConnectionThread.run(DedicatedServerConnectionThread.java:86)
    Code (Text):
    2013-03-25 15:05:05 [SEVERE] java.lang.OutOfMemoryError: unable to create new native thread
    2013-03-25 15:05:05 [SEVERE]    at java.lang.Thread.start0(Native Method)
    2013-03-25 15:05:05 [SEVERE]    at java.lang.Thread.start(Thread.java:691)
    2013-03-25 15:05:05 [SEVERE]    at net.minecraft.server.v1_4_R1.NetworkManager.d(NetworkManager.java:308)
    2013-03-25 15:05:05 [SEVERE]    at net.minecraft.server.v1_4_R1.PlayerConnection.disconnect(PlayerConnection.java:160)
    2013-03-25 15:05:05 [SEVERE]    at net.minecraft.server.v1_4_R1.PlayerList.r(PlayerList.java:952)
    2013-03-25 15:05:05 [SEVERE]    at net.minecraft.server.v1_4_R1.MinecraftServer.stop(MinecraftServer.java:368)
    2013-03-25 15:05:05 [SEVERE]    at net.minecraft.server.v1_4_R1.MinecraftServer.run(MinecraftServer.java:453)
    2013-03-25 15:05:05 [SEVERE]    at net.minecraft.server.v1_4_R1.ThreadServerApplication.run(SourceFile:849)

    But how do is stop it :(
     
  18. md_5

    Administrator Developer

    NanoGuard is actually causing these crashes.
    Also update to latest Spigot, we fixed weepcraft + netty.
     
    • Like Like x 1
    • Agree Agree x 1
  19. Intelli

    Supporter

    <3
     
  20. jeff142

    Benefactor

    Thats some vary good news! :D
    Got my server down a few times :(