Bungeecord Attack (RAM Filled)

Status
This thread has been locked.

Areeb

Hello,

I’m seeking help regarding a bungee exploit on our network.

Basically what happens is the attacker floods the Proxy and the RAM fills up to the max memory assigned.

So we had 4GB RAM assigned and it filled this all up causing the proxy to crash. Regardless of how much was assigned, it will eventually fill up. (essentially a constant loop crash)

The only stacktrace that is generated, and that it is spammed with, is:
NativeIoException: readAddress(..) failed: Connection reset by peer

Plugin list:
ajQueuePlus
BungeePluginManager
CleanMotD
CommandControl
CraftingStore
EnhancedBungeeList
ExploitFixer
LuckPerms
Maintenance
NickAPIBungee
nuvotifier
SkinsRestorer

Any help with this is much appreciated.

Thank you
 
Type
Requesting

Areeb

Bungee___Console_-_Google_Chrome_13_04_2021_12_33_49_PM.png

Stacktrace
 


DarkOakHD

You should try using XCord, for me it fixed everything. You can remove ExploitFixer on BungeeCord and on every Spigot server once you installed it.
Also try adding Aikar's startup flags on BungeeCord.
 

Areeb

We're trying XCord right now
Update: Didn't work unfortunately.
 

DarkOakHD

XCord should run under Root, not from a Panel. + enabling IPSet blacklisting and the shared global blacklist
 

Areeb

Is this a Stress attack? if it is have you got tcpshield or any ddos protection on?
up
Also discord easier for me to talk S1iceAbleZues#0001
We had TCPShield but it caused high pings and wasn't as great so we don't use it anymore
How is CPU Usage during the attack?
Why the hell would anyone give a bungeecord fork root permission?
Around 150%
 

DarkOakHD

How is CPU Usage during the attack?
Why the hell would anyone give a bungeecord fork root permission?
Edit: Just read the resource page it says this is optional to enable its built-in IPTables there is no reason to give a bungeecord fork root permissions, setup your own IPTables.
It's because in order to execute IPSet and IPTables commands from an application.
 

bob7l

Make sure you enable "anti-ddos" in the xcord config.

If you're still experiencing the attack, contact me on the XCord discord. There's multiple ways to fix an attack like this (Or potential memory leak?)
 

Areeb

Memory leaks come from plugins? correct is there something else that can cause it? corrupted world chunks maybe?
We've tried removing all bungee plugins (we thought it might be a memory leak), still fills up quick.
 

bob7l

This isn't a ddos attack or not a conventional one, more likely a netty exploit which can be considered a ddos attack but mitigation is a decent amount different as it is low bandwidth in comparison. This is why I've asked for CPU Usage. This is assuming it's not just a memory leak.
There's no "conventional" ddos attack, it's an extremely broad term. Service is being denied through an attack, therefore it's a DoS attack.

As for why you need root. Bungee runs on layer 7, therefore you can only blacklist on layer 7. Whereas with ROOT access, you can blacklist an address on kernel level. That way it's denied instantly, and not even sent a reject. If you're stuck blocking on layer 7, the server will be easily saturated by any massive attack even if you disconnect them instantly. It's entirely optional though, although comes highly recommended
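
Editor's added example (not part of the thread and not XCord's code): a sketch of the kernel-level blacklist discussed above, kept outside the proxy so the proxy itself does not need root, as the "setup your own IPTables" suggestion implies. It counts `InitialHandler has connected` lines per source address and prints the `ipset`/`iptables` commands for an administrator to review and run as root. The log lines are constructed, and the set name `mc_blacklist`, port 25565 and threshold 3 are assumptions.

```shell
#!/bin/sh
# Constructed BungeeCord-style log lines (documentation-range addresses).
sample_log() {
cat <<'EOF'
12:33:01 [INFO] [/203.0.113.7:50001] <-> InitialHandler has connected
12:33:01 [INFO] [/203.0.113.7:50002] <-> InitialHandler has connected
12:33:01 [INFO] [/198.51.100.20:41000] <-> InitialHandler has pinged
12:33:02 [INFO] [/203.0.113.7:50003] <-> InitialHandler has connected
12:33:02 [INFO] [/192.0.2.44:39000] <-> InitialHandler has connected
12:33:02 [INFO] [/203.0.113.7:50004] <-> InitialHandler has connected
12:33:03 [INFO] [/198.51.100.20:41001] <-> InitialHandler has connected
12:33:03 [INFO] [/192.0.2.44:39001] <-> InitialHandler has connected
12:33:03 [INFO] [/203.0.113.7:50005] <-> InitialHandler has connected
EOF
}

# Read a log on stdin; print each source IP with more than $1 connects.
flood_sources() {
  awk -v t="$1" '
    /InitialHandler has connected/ {
      if (match($0, /\[\/[0-9.]+:[0-9]+\]/)) {
        ip = substr($0, RSTART + 2, RLENGTH - 3)  # strip "[/" and "]"
        sub(/:.*/, "", ip)                        # drop the source port
        n[ip]++
      }
    }
    END { for (ip in n) if (n[ip] > t) print ip }' | sort
}

# Print (do not execute) the commands for a kernel-level drop:
# one timed ipset, one DROP rule matching it, one entry per offender.
block_commands() {
  set_name=$1; port=$2; threshold=$3
  echo "ipset create $set_name hash:ip timeout 3600 -exist"
  echo "iptables -I INPUT -p tcp --dport $port -m set --match-set $set_name src -j DROP"
  flood_sources "$threshold" | while read -r ip; do
    echo "ipset add $set_name $ip -exist"
  done
}

sample_log | block_commands mc_blacklist 25565 3
```

Because the rule matches on the set, packets from listed addresses are dropped before the proxy ever accepts the connection, which is the difference from a layer 7 disconnect described in the post above. The one-hour `timeout` lets entries expire so a wrongly listed player is not blocked forever.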
 

Areeb

Update: We enabled the DDoS toggle on XCord, and the server seems to be working now.

XCord seems to be doing the job, thanks bob7l and the rest of you all who helped me with this frustrating issue.
 