ZenithAntiExploit
Packet-Level Anti-Exploit | Crash Protection | Paper 1.21.4+
Stop crash packets, NBT abuse, reach exploits and flood attacks the moment they hit the wire.
Before they reach gameplay logic. Before they reach your TPS.
How Does It Work?
1. PacketEvents intercepts every inbound packet on the Netty I/O thread, before any Bukkit gameplay logic runs.
2. ZenithAntiExploit dispatches the packet to 58 specialized checks across 14 categories — each tuned for one specific exploit class.
3. Hot-path data (gameMode, eyeLocation, inventory) is pulled from a tick-refreshed snapshot held inside ZenithPlayer — never from Bukkit on the wrong thread.
4. When a check flags, the packet is cancelled in flight, the violation level is bumped, and configurable punish-commands fire after the configured threshold.
Single-pass placeholder substitution, per-(player, check) punish cooldown, automatic per-quit state cleanup. The snapshot pattern eliminates getNearbyEntities() race conditions on the Netty thread.
Why ZenithAntiExploit
- 58 Packet-Level Checks · Per-Detection Tunable — Position crashers, NBT-depth attacks, NBT list-size bombs, JSON component depth, translate-args overflow, extra-array crash, recipe-id overflow, lectern overflow, plugin-message size / channel / register-flood, illegal enchantments, sustained speed hacks, and 45 more — every detection has its own enable/cancel/min-vl/max-vl/punish-commands.
- 14 Categories — POSITION, COMMAND, CHAT, BOOK, CREATIVE, WINDOW, ITEM, COMPONENT, WORLD, MOVEMENT, SIGN, NETWORK, ENTITY, FLOOD. Every modern attack vector covered.
- Snapshot-Based Thread Safety — ZenithPlayer holds a tick-refreshed snapshot of every Bukkit field a check might need. No more Bukkit API calls from the Netty thread — every check runs against safe, consistent data.
- Centralised Per-Player State — Every check stores its state inside ZenithPlayer.checkState keyed by check name. Player quits → entire record is dropped in one remove(). Zero leak over multi-day uptime.
- min-vl + max-vl Per Check — Silence noisy single-hit lag spikes (set min-vl: 2) without disabling the check. Punish only triggers at max-vl.
- Punish-Delay & Global VL Kick — Per-(player, check) cooldown prevents punish-spam from a single burst. Global VL ceiling kicks players whose total violations across every check cross a threshold.
- Per-Check Bypass Permission — zenithantiexploit.bypass.<check-name> exempts a player from one specific check. zenithantiexploit.bypass exempts them from all of them.
- Discord Webhook (Async) — Rich embed alerts dispatched via Bukkit's async pool. Zero TPS impact even when Discord is slow. Per-(check, player) cooldown to avoid notification spam.
- Hot-Path Config Caching — Every threshold (max-distance, max-pps, max-pages, etc.) is pulled into a volatile field on config reload. Hot path never pays for Map lookups.
- Customisable Messages — Six placeholders ({player}, {check}, {category}, {vl}, {max-vl}, {info}) work in alert format, prefix, and every punish command. Single-pass regex substitution — injection-safe.
- 1.21.4 + PLAYER_INPUT Ready — Validates both legacy STEER_VEHICLE (NaN/Inf magnitudes) and modern PLAYER_INPUT (boolean contradictions).
- kick-on-exception Defense — Crafted packets that trigger JVM exceptions inside check handlers cause an automatic precautionary kick instead of just being logged.
- VL Decay Scheduler — Configurable interval and step. Honest mistakes don't accumulate to a punish over hours of play.
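The single-pass substitution named in the Customisable Messages item, as an added Java example (not ZenithAntiExploit's own code; the class name, method names and sample values are assumptions). It contrasts one regex pass, where inserted values are never rescanned, with chained replace() calls, where a placeholder token inside a packet-derived {info} value is expanded a second time.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class PlaceholderDemo {
    // The six placeholder names listed on the page; any other {token} is left untouched.
    private static final Pattern TOKEN =
        Pattern.compile("\\{(player|check|category|vl|max-vl|info)\\}");

    /** One pass over the template: inserted values are never scanned for tokens. */
    static String singlePass(String template, Map<String, String> values) {
        Matcher m = TOKEN.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String value = values.getOrDefault(m.group(1), m.group());
            // quoteReplacement keeps '$' and '\' in the value from being read as group references
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Contrast: each replace() rescans text that an earlier replace() inserted. */
    static String chained(String template, Map<String, String> values) {
        String s = template;
        for (String key : List.of("info", "player", "check", "category", "vl", "max-vl"))
            s = s.replace("{" + key + "}", values.get(key));
        return s;
    }

    public static void main(String[] args) {
        // Constructed sample values; "info" stands in for text derived from a flagged packet.
        Map<String, String> values = Map.of(
            "player", "Steve", "check", "flying-speed", "category", "MOVEMENT",
            "vl", "3", "max-vl", "3",
            "info", "speed=61.2 name={player} $1");
        String template = "tempban {player} 1h Speed hack on {check} (vl {vl}) {info}";
        System.out.println("single pass: " + singlePass(template, values));
        System.out.println("chained:     " + chained(template, values));
    }
}
```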
Check Coverage
Crash Vectors
NBT-depth bombs · Component injection · Position NaN/Infinity · Lectern overflow · Recipe-id overflow · Plugin-message size · Empty-payload crash channels
Item Exploits
Creative dupe (stack > 64) · Illegal enchantments · Custom-name overflow · BlockEntityTag/EntityTag/SpawnData blocklist · resolved-key component injection
Reach & Movement
Place/dig distance · Interact-entity distance · Sustained horizontal speed · Per-packet 3D displacement · Vehicle-move teleport · Steer/Player-Input validation
Floods (11 rate limiters)
Packet rate · Click-window · Tab-complete · Use-item · Block-place · Creative-set-slot · Update-sign · Resource-pack-status · Entity-action · Book-edit · Command
Surface
Chat length · Command length / blacklist · Tab-complete length · Anvil rename · Sign-edit · Window-not-open · Window slot · Held-item slot · Pick-item creative-only
Every check is independently togglable. Every threshold is independently configurable. No more "set strictness 1-10" black box — you control exactly what gets flagged.
Commands & Permissions
Main command:
/zguard — aliases: zae, zenith, zenithae, antiexploit, zaex, antiex, zaeguard.
| Command | Permission | Description |
|---|---|---|
| /zguard reload | zenithantiexploit.admin | Reload config + checks |
| /zguard info | zenithantiexploit.admin | List every registered check + state |
| /zguard menu | zenithantiexploit.admin | Open the in-game checks GUI (player only) |
| /zguard history [player] | zenithantiexploit.admin | View recent violation history |
| /zguard alerts | zenithantiexploit.admin | Toggle your alert subscription (player only) |
| /zguard vl <player> | zenithantiexploit.admin | Show a player's VL breakdown |
| /zguard reset <player> | zenithantiexploit.admin | Clear a player's violation counters |
- zenithantiexploit.alerts: Receive in-game flag alerts
- zenithantiexploit.bypass: Bypass every check
- zenithantiexploit.bypass.<check-name>: Bypass one specific check
Requirements
- Paper 1.21.4+ (or any Paper fork — Purpur, Pufferfish and Bukkit)
- Java 17 / 21 or higher
- PacketEvents (hard dependency — install via SpigotMC / Modrinth)
Folia is not yet supported — planned for a future release.
Performance
| Metric | Value |
|---|---|
| Per-packet overhead (cached config + snapshot) | < 5 ms average |
| Snapshot refresh cost (100 players) | ~2 000 ops/tick — negligible |
| Memory footprint (100 players, all checks) | < 5 MB resident |
| Webhook dispatch | Async (Bukkit pool) — zero TPS impact |
| Final jar size | ~540 KB (triple-obfuscated) |
| Boot time (license + 58 checks armed) | < 100 ms |
Configuration Preview
Code:
checks:
  flying-speed:
    enabled: true
    cancel: true
    alert: true
    min-vl: 2                      # silence one-off lag spikes
    max-vl: 3                      # punish at this VL
    punish-commands:
      - "kick {player} &cToo fast"
      - "tempban {player} 1h Speed hack on {check} (vl {vl})"
    options:
      max-horizontal-speed: 50.0
      teleport-grace-ms: 1500
general:
  punish-delay-ms: 1000            # anti-spam between punish runs
  global-vl-kick-threshold: -1     # auto-kick when total VL exceeds this
  kick-on-exception: false         # defensive kick if a handler throws
  vl-decay-interval-seconds: 60
  vl-decay-step: 1
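How min-vl, max-vl, punish-delay-ms and the decay step in the preview above can interact, as an added Java example (not the plugin's own code). The class, the Action enum and the exact rules are assumptions: a flag below min-vl stays silent, a flag at or above max-vl punishes unless the per-(player, check) cooldown is still running, and decay subtracts one step per interval.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public final class ViolationTracker {
    enum Action { NONE, ALERT, PUNISH }

    // Thresholds copied from the flying-speed and general sections of the preview.
    static final int MIN_VL = 2, MAX_VL = 3, DECAY_STEP = 1;
    static final long PUNISH_DELAY_MS = 1000;

    private static final class State { int vl; long nextPunishAtMs; }

    // player -> check name -> state, so a quit drops every counter in one remove()
    private final Map<String, Map<String, State>> players = new ConcurrentHashMap<>();

    Action flag(String player, String check, long nowMs) {
        State s = players.computeIfAbsent(player, p -> new ConcurrentHashMap<>())
                         .computeIfAbsent(check, c -> new State());
        synchronized (s) {
            s.vl++;
            if (s.vl < MIN_VL) return Action.NONE;           // assumed: below min-vl stays silent
            if (s.vl >= MAX_VL && nowMs >= s.nextPunishAtMs) {
                s.nextPunishAtMs = nowMs + PUNISH_DELAY_MS;  // per-(player, check) cooldown
                return Action.PUNISH;
            }
            return Action.ALERT;
        }
    }

    /** Run once per vl-decay-interval-seconds. */
    void decay() {
        for (Map<String, State> checks : players.values())
            for (State s : checks.values())
                synchronized (s) { s.vl = Math.max(0, s.vl - DECAY_STEP); }
    }

    void quit(String player) { players.remove(player); }

    public static void main(String[] args) {
        ViolationTracker t = new ViolationTracker();
        long[] flagTimesMs = {0, 50, 100, 150, 1200};        // constructed burst of flags
        for (long ms : flagTimesMs)
            System.out.println(ms + " ms -> " + t.flag("Steve", "flying-speed", ms));
        t.decay();
        t.quit("Steve");
    }
}
```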
Stop crash exploits before they start.
ZenithAntiExploit closes every known packet exploit vector before they reach gameplay logic. Configurable down to the single VL. Tamper-resistant. Built for the 2026 packet meta.
Support: DISCORD
