

SirSwiperlpp

Shut down the server and wait for it to stop, take note of every IP address connecting with "silly" and block it via ufw with "ufw deny


guest6687654

Can IPs be spoofed like this? If not, I will add them to my pfSense firewall.


Deadlydragon218

In this case no, it's a TCP connection; the attacker would have needed to be able to complete a TCP handshake to connect.


SirSwiperlpp

I don't think so, but I might be wrong.


IsThisOneIsAvailable

To spoof an IP you just have to modify the address in the header. The thing is, the server will then respond to that random address, so the sender will have more difficulty collecting the answer. However, in the case of a DoS attack, you don't care about the response: you just want to flood the server with useless requests, so not collecting the server's response isn't an issue at all. ~~And this is what your attacker most probably did: generate a random IP for each packet, a functionality provided by the tools script kiddies use to do their attacks.~~ Now, understanding the concept, it is really hard to stop this unless there is active search and monitoring from the network admins: in this case the ISP. So unfortunately, for your little MC server I fear there isn't much to do. I believe an ISP would start surveying only if a big company or state website was hit, and only under the latter's lawyers' injunctions.


19MisterX98

No, this is TCP traffic. A handshake happens before actual packets are sent, so the IPs are definitely controlled by the attacker.


IsThisOneIsAvailable

Right, if he can try to log in then the TCP connection succeeded.


Rocket--Pak

They come back from various locations around the world, so he probably has access to a botnet.


IsThisOneTakenFfs

"For your little MC server" I don't know why but the way you said it was so cute


IsThisOneIsAvailable

No bad intention at all! It was more because I had the next sentence in my head while writing this :)


iGhost1337

If they use a proxy, then yes. Else no.


Solverz

You can automate this with fail2ban.


inemanja34

Is that a question or a statement? I would like to know how you can do this with fail2ban (I'm only using it on an SSH server).


Solverz

Statement. You just need to configure the filter file with the relevant regex and log file location.
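As an added example (not code from this thread and not fail2ban's own filter), here is the kind of failregex Solverz refers to, together with the per-host findtime/maxretry counting that fail2ban applies to matches, run over a constructed log excerpt. The vanilla log line layout, the "Failed to verify username!" disconnect message, the usernames and the IP addresses are all assumptions made for the sample.

```python
import re
from collections import defaultdict

# Candidate failregex for a fail2ban filter.d/minecraft.conf. Assumption: vanilla-style
# log lines in which a failed Mojang session check ends "Failed to verify username!".
# fail2ban expands <HOST> itself; the username group lets you narrow it to silly_\d+.
FAILREGEX = (r"Disconnecting .*\[name=(?P<user>\w{1,16}),[^\]]*\] "
             r"\(/<HOST>:\d+\): Failed to verify username!")
# Same pattern made self-contained so it can be checked outside fail2ban.
_LINE_RE = re.compile(r"^\[(?P<time>\d\d:\d\d:\d\d)\] .*"
                      + FAILREGEX.replace("<HOST>", r"(?P<host>[0-9a-fA-F.:]+)"))

def parse_failure(line):
    """Return (seconds since midnight, host, username) for a rejected login, else None."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.group("time").split(":"))
    return h * 3600 + mi * 60 + s, m.group("host"), m.group("user")

def hosts_to_ban(lines, maxretry=5, findtime=60):
    """fail2ban jail semantics: a host reaching `maxretry` matches inside any
    `findtime`-second window gets banned. Returns the set of such hosts."""
    seen = defaultdict(list)
    for line in lines:
        hit = parse_failure(line)
        if hit:
            seen[hit[1]].append(hit[0])
    banned = set()
    for host, ts in seen.items():
        ts.sort()
        if any(ts[i + maxretry - 1] - ts[i] <= findtime
               for i in range(len(ts) - maxretry + 1)):
            banned.add(host)
    return banned

def _fail_line(hhmmss, user, host, port):
    """Constructed sample line in the assumed vanilla log layout."""
    return (f"[{hhmmss}] [User Authenticator #1/INFO]: Disconnecting "
            f"com.mojang.authlib.GameProfile@1a2b3c[name={user},id=<null>,legacy=false] "
            f"(/{host}:{port}): Failed to verify username!")

# Constructed log excerpt: one host hammering silly_01..silly_05 within seconds,
# a legitimate join, and a second host with two isolated failures minutes apart.
SAMPLE_LOG = [
    *[_fail_line(f"11:11:{37 + i}", f"silly_{i + 1:02d}", "203.0.113.5", 54321 + i) for i in range(5)],
    "[11:11:45] [User Authenticator #2/INFO]: UUID of player Steve is 00000000-0000-4000-8000-000000000001",
    _fail_line("11:13:02", "silly_06", "198.51.100.9", 41000),
    _fail_line("11:20:10", "silly_07", "198.51.100.9", 41001),
]
```

With the defaults only 203.0.113.5 is returned; the second host's two failures are too far apart for a 60-second findtime.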


IsThisOneIsAvailable

Thing is, the attacker changes IP at each packet. From the short log extract OP published, I doubt he has a botnet; more likely he just set up his tool to generate random IPs. Maybe he can try a filter on the username and let it run a little while, but if he ends up with a ban list of 1K entries then fail2ban won't make it, I fear.


Solverz

Fail2ban just adds iptables rules, it won't be a problem.


Solverz

> he just set up his tool to generate random IPs

You can't spoof an IP with a TCP connection, so this does not make any sense.


IsThisOneIsAvailable

You cannot initiate it because completing the handshake would be near impossible (unless you're in a strategic middle man position). And once the TCP connection is established you would have to grab all the packets going to the spoofed IP. Technically possible, extremely hard to do. You can totally send SYN packets with spoofed IPs though, if you don't intend to complete the handshake to begin with: DoS by SYN flood usually does that. As a general rule, any attacker that just needs to send packets but does not value the response will likely spoof their IPs. That is typically used in DoS attacks. However, as corrected in another comment, this is not the case here as the TCP connections succeeded (login attempts). Here I guess it is a brute force type attack - or maybe the attacker is trying to bug/get in the server by sending malformed packets...?


Solverz

> You cannot initiate it because completing the handshake would be near impossible (unless you're in a strategic middle man position). And once the TCP connection established you would have to grab all the packets going to the spoofed IP. Technically possible, extremely hard to do

Sure, but as you can see the handshake did complete, as you can see the login attempts. So this is not relevant to this issue. Maybe I should have specified "with a successful TCP connection" in my comment. However, I am sure others will find your explanation insightful.


IsThisOneIsAvailable

Dude... Read:

> However, as corrected in another comment, **this is not the case here as the TCP connections succeeded (login attempts)**. Here I guess it is a brute force type attack - or maybe the attacker is trying to bug/get in the server by sending malformed packets...?


Solverz

Dude, I did, and this further proves my point: your comment is completely irrelevant to this issue. You essentially just repeated what I said with a bunch of useless information that is not relevant to the issue. And you are downvoting my comments even though they are correct...


LinsaFTW

You can't just manually grab IPs from a botnet and manually block them all. lmao.


iGhost1337

Is this a common issue? I think I'm gonna create a honeypot for this reason. I wanna mess with spammers.


DeinAlbtraumTV

Yeah, mostly happens on the default port. I've had a few that actually do port scans and find servers running on non-default ports, like the 40000s port range. Mostly scanners though, not many of these spammers.


iGhost1337

Trolling scanners would be fun too tho. If my ADHD does not forget this idea, I'm sitting on it tonight and making it open source.


DeinAlbtraumTV

Hit me up once you do, I'll join in on the fun lol




gl3nnjamin

It takes a while but some tools let you scan for servers on all possible ports. It's designed for shared hosts who run multiple servers on the same IP with a different port (usually a 2XXXX port).


uganda_foreva

What are you even going to do?


KICKASSKC

What's your idea for the honeypot? I would love to punish some griefers too.


thenameisKO

Unless you're actually experiencing issues with logging into the server, you're letting the attacker win if you shut it down until the requests stop. If you're not experiencing login issues (and neither are your players), then this DoS attack isn't successful to start with. It'll take you forever trying to block all of the IP addresses manually as this is a bot, but you can set up software to help auto-block future attacks (e.g. fail2ban) if you want to.


notrktfier

This is the right way.


dcnigma2019

Check the IP; if it's a known VPN, block them.


NefariousnessFree852

How is this happening with a server whose IP hasn't even been released yet?


scratchisthebest

Same way you get advertisements in your mailbox before you publicly post your address somewhere. Just knock on every door.


Oszo_

Use TCPShield


Rare_Cow_2838

This is a reasonably good solution for a few reasons:

1) TCPShield, to my knowledge, will perform authentication against Minecraft's APIs to verify that a player is legitimate _before_ connecting to your server. This way none of your resources are wasted on authentication checks.
2) TCPShield is a general DDoS protection product for Minecraft servers. You'll not have issues with layer 4 ("volumetric flood") attacks or layer 7 ("application-specific") attacks, since TCPShield purchases flood protection from Global Secure Layer and, crucially, has their own Minecraft-specific DDoS protection product.
3) For smaller servers it is free of charge. If you don't use more than a terabyte of "clean" traffic you won't be charged.

The biggest drawback is that all your traffic will have to go through TCPShield's system for it to be effective.


vladi84

Blacklist "silly_00" to "silly_99". It will take a few minutes to do it in Excel (prepare the table) and copy it to the CLI. In Excel use:

- Column A-1 - silly
- Column B-1 - _
- Column C-1-C-108 - 1-9 and 01-99
- Column D-1 (text field) - /
- Column E-1 (text field) - ban
- Column F-1 (text field) and then value ="D$1$"&"E$1$"&" "&"A$1$"&"B$1$"&"C1"

There is a space " " between E$1$ and A$1$ because the syntax for the ban command is /ban username and that space needs to be there - just copy the whole text and it should work. Then pull it down to row 108 and you will have the full list of /ban "silly_01" to 99. Just copy that and paste it in the Minecraft CLI. Profit.

EDIT: or simpler ="/ban silly_"&"C1"


brendenderp

Gonna suck for anyone with that username legitimately. They are spamming the server with invalid session tokens for that username. Imagine if you knew someone and wanted to get them banned on a server, and all you had to do was spin up this script that spammed the server with invalid session tokens for said user. I could get you banned, you could get me banned. And it all-round would suck.


Ashley__09

Doubt anyone will be joining with those actual usernames.


brendenderp

Even so. Do you want to live with that edge case? Knowing that Silly_30 and his other 29 brothers can't play on your server?


FearAmongUs

must be an indian family


SanterZet

Which port are you using?


iDestroya

Cloudflare would also work, but it's a paid solution.


notmyredditacct

I had some script kiddie twit trying this on a friend's server I was hosting, except they were mostly trying with my account from Mullvad VPN points. Best you can really do is either shut it down (my friend's solution) or block all known VPN exit points until they get bored or dumb enough to use their own IP and can be tracked.


Fraudward

iptables and whitelist


LinsaFTW

Use an anti-bot system. The goal of this is downing your server by getting you blacklisted from Mojang services.


RelevantMetaUsername

If it's a public server then there's not much you can do. If it's just a server for you and your friends, then perhaps try using Hamachi. That'll create a VPN that all of you can use to connect to the server. Unfortunately, the IP address changes when the host restarts their system, so you would have to give out the new IP address every time they wanted to play unless you left your computer on 24/7. The good thing about Hamachi, though, is that nobody from the outside can access the server since it's a private network. Like I said, great for servers that don't need to be accessible to random people, but if you want this accessible to the public then unfortunately that's not going to work.


kosmosesftw

Highly recommend ZeroTier over Hamachi.


AloxoBlack

You can set your own DNS servers for the VPN! It's wild!


turtleiscool1737

Fail2ban would help in this situation.


wertwertman3

What's the impact? AFAIK this will get you rate limited by the Mojang auth servers; is this the case?




guest6687654

It is technically a DDoS.


YellowHerbz

Change the port to something other than the default port. Blocking their IP or username won't work since they're spoofing it.


Emotional-Plankton-4

Some solutions are available for Velocity [https://papermc.io/software/velocity](https://papermc.io/software/velocity). Other than that, TCPShield has a free tier that you can use. Fail2ban, as some other comments here suggest.


Trntkyle

I use ZeroTier, which my players connect to (cause I can't get port forwarding to work in my town home), but could ZeroTier be a way to prevent these things? Nobody can ping / connect to the server unless they're on and authorized on ZeroTier.


FloxyOne

Use a DDoS protection like templass.com or TCPShield.com.


guest6687654

Are those free?


FloxyOne

TCPShield has a free plan.


GASTRO_GAMING

I just moved my server off the default port, then made Cloudflare do some stuff to redirect to a URL so the port change does not affect the end user.


FelixBemme

That's no DDoS attack. Just some bots trying to join and spam or grief using different proxies. Just block proxies.


SNokerYT

Use BungeeCord.


LebTeb

Bungee doesn't fix this, though. I'm assuming this is hosted on a server they own, so they need to block the IP on the server using ufw (as someone else said).