[Guide] Getting rid of spambots

Discussion in 'Systems Administration' started by stefatorus, Aug 20, 2018.

  1. Spambots have always been a recurring problem for offline-mode servers, often forcing server owners to pay ransoms in order to get rid of such attacks. Paying not only incentivizes the attackers to keep up this behavior but also helps them get better equipment, making you dependent on paying the ransom.

    This tutorial is meant to address this issue with a new approach to stopping botting without affecting your real players. It will also provide a proof-of-concept firewall that helped me mitigate an attack without affecting old players or players from "safe" areas.


    Situation Analysis
    Spambots work by having fake players connect en masse to your server, starving your system's resources. They use proxies to distribute the attack source and make mitigation as hard as possible. This means that bots often come from areas that you aren't targeting for players. They may also use potential bypasses to your defenses, such as pinging the server before joining it.

    Current Solutions
    Filtering bots from real players has been difficult with current solutions, which often rely on plugins that work bungee-side. This works fine for smaller attacks but proves ineffective against large attacks that starve the system's resources. Some plugins like AntiBotDeluxe have tried combining a plugin with an iptables setup, but have mixed results due to a bad implementation that may even lock up your machine more than it was in the past (which happened to the network I work for).

    Pros:
    • Easy to install on shared hosts and OK for smaller attacks.
    • The server owner barely has to configure anything, which makes it a good approach for new owners.
    • Such solution providers often help their clients with advice that will help them mitigate their attacks.
    Cons:
    • Barely helps when an attack is so large it brings your bungeecord instances to a halt, because all the processing is actually done on your Minecraft server.
    • Worse performance, because filtering takes processing power.


    My Solution
    In my opinion, the best way to get rid of spambots is to remove them before they even reach your server. This practice is common in DDoS filtering, where special firewalls are put in place to stop malicious connections from even entering your server's network, but it hasn't really been used against Minecraft spambot attacks.
    What I propose is a firewall-plugin combo which will slowly starve the attacker's resources by simply limiting the number of new connections per second and blacklisting suspicious players that have managed to pass through. Normal players will be able to join because they are in a country that is whitelisted by your firewall or because they have played in the past and have been added to the whitelist. Thus, the attack will become smaller and smaller as time passes, and the attacker will lose interest in your server because his attack barely affects it.


    Pros:

    • Very effective in removing the bot threat from your server without affecting your players.
    • All the processing is done outside the server, and as such won't lead to your bungeecord instance being starved of processing power.
    • Extremely scalable for large networks and extremely resource-efficient.
    Cons:
    • Needs system-wide access to be implemented.
    • Requires system administration experience in order to be properly configured.


    Proof of Concept

    A proof of concept for this kind of bot filtering is available here, as an open-source project.
    https://github.com/Stefatorus/StefAntiBot




     
    #1 stefatorus, Aug 20, 2018
    Last edited: Aug 20, 2018
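As an added illustration of the firewall side described under "My Solution" (this is not taken from StefAntiBot and was not written by the post's author), the script below prints an ipset/iptables ruleset that drops blacklisted sources, lets returning players and whitelisted country ranges bypass the limiter, and rate-limits all other new connections. The chain name, the set names, the blacklist timeout and the example port and rate values are assumptions.

```shell
#!/bin/sh
# Added example: only prints rulesets, changes nothing on the host.
# Chain MC_FILTER and sets mc_blacklist / mc_known / mc_geo_allow are hypothetical names.

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Set definitions in "ipset restore" format. Blacklist entries expire on their own,
# so a proxy address that is later reassigned is not blocked forever.
build_ipsets() {
    ttl="${1:-3600}"
    is_uint "$ttl" || return 1
    cat <<EOF
create mc_blacklist hash:ip timeout $ttl
create mc_known hash:ip
create mc_geo_allow hash:net
EOF
}

# iptables-restore fragment for one listener port. Rule order is the policy:
#   1. blacklisted sources are dropped,
#   2. returning players and whitelisted country ranges skip the limiter,
#   3. everyone else shares a global budget of new connections per second.
build_ruleset() {
    port="$1"; rate="$2"; burst="$3"
    is_uint "$port" && is_uint "$rate" && is_uint "$burst" || return 1
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    [ "$rate" -ge 1 ] && [ "$burst" -ge 1 ] || return 1
    cat <<EOF
*filter
:MC_FILTER - [0:0]
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j MC_FILTER
-A MC_FILTER -m set --match-set mc_blacklist src -j DROP
-A MC_FILTER -m set --match-set mc_known src -j ACCEPT
-A MC_FILTER -m set --match-set mc_geo_allow src -j ACCEPT
-A MC_FILTER -m limit --limit $rate/second --limit-burst $burst -j ACCEPT
-A MC_FILTER -j DROP
COMMIT
EOF
}

# Review the output, then apply as root (example values: port 25565, 10 new conn/s):
#   build_ipsets 3600 | ipset -exist restore
#   build_ruleset 25565 10 20 | iptables-restore --noflush
# Re-applying appends the INPUT jump again; remove the old one first.
# The plugin side would then feed the sets, for example:
#   ipset add mc_known <ip>       after a successful login
#   ipset add mc_blacklist <ip>   for a source flagged as a bot
```

Only packets in conntrack state NEW enter the chain, so the rest of the INPUT policy still has to accept established connections, and the country set has to be filled with the CIDR ranges you choose to trust.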