Geyser can be used in UDP Reflect DDOS Attack (?) #4558

Closed
MossCG opened this issue Apr 10, 2024 · 5 comments

MossCG commented Apr 10, 2024

Describe the bug


Around 2024.03, we found that our server had some abnormal upload traffic on port 19132 over the UDP protocol.
With only one player or even no players in game, Geyser creates upload traffic of up to 50Mbps (my server only has 50Mbps of upload bandwidth).
We captured packets (lan1, port 19132 only) with ikuai and found that Geyser sends a 148-length packet after a connection at a crazy speed.
The version of Geyser is 2.2.0-SNAPSHOT (git-master-acf24d4) / Build 268

Then we updated to 2.2.2-SNAPSHOT (git-master-c9ca4c8).
It seems to temporarily fix this issue; at least we didn't find Geyser creating so much upload traffic.
But we received a report from our data center hosting provider; they told us my server still has an outgoing attack on port 19132.
We checked our router and found Geyser will still create connections with other servers after a connection (52-length per packet).

About 26 Minecraft servers (Java) are running on this VPS; only Geyser has this problem.
geyser.jar was verified to be the same as the one we downloaded from GeyserMC.
We turned off port 19132's forwarding on the router, and the problem disappeared temporarily.

Maybe Geyser can be used in a UDP reflect attack?

To Reproduce

It's hard to reproduce, because I can't get what the attacker sends to my Geyser server,
but this problem really appears on my server.

Expected behaviour

Try to verify the IP of the source UDP connection?
idn

Screenshots / Videos

Packet capture result.zip
This is the packet capture result.

Server Version and Plugins

in description

Geyser Dump

No response

Geyser Version

2.2.2-SNAPSHOT (git-master-c9ca4c8)

Minecraft: Bedrock Edition Device/Version

No response

Additional Context

No response

Member

Camotoy commented Apr 10, 2024

Please try this PR: #4554

Author

MossCG commented Apr 10, 2024

Please try this PR: #4554

Tried.
Still has some connections on the router's backend.
I have no idea if it is fixed.
Test version- 1.zip

Author

MossCG commented Apr 10, 2024

Please try this PR: #4554

Tried. Still has some connections on the router's backend. I have no idea if it is fixed. Test version- 1.zip

router backend


jhqwqmc commented Apr 10, 2024

#4527
Already reported and fixed.
As one of the first victims, I quickly realized something was wrong.

@onebeastchris
Member

Closing as this issue is already resolved.
The linked open PR with cookies would suppress spoofed connection attempts further, but Geyser builds 478 and upwards are patched. Thanks for reporting!
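
An added illustration, not part of the thread and not Geyser's or the linked PR's code: a stateless address-validation cookie of the kind that the reporter's "verify IP of source UDP connection" request and the closing comment's "cookies" point toward. The HELLO/RETRY/ACCEPT messages, the padding size and the TTL are constructed assumptions, not RakNet's wire format.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed toy handshake (HELLO/RETRY/ACCEPT); not RakNet's or Geyser's wire format.
COOKIE_TTL = 10  # seconds a cookie stays valid (assumed)
MIN_HELLO = 32   # HELLO must be padded to this size so a reply never exceeds it (assumed)
SECRET = os.urandom(32)  # per-process key; restarting invalidates old cookies


def _tag(addr, ts, secret):
    msg = f"{addr[0]}|{addr[1]}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:16]


def make_cookie(addr, now=None, secret=SECRET):
    """4-byte issue time + truncated HMAC over the claimed source address."""
    ts = int(time.time() if now is None else now)
    return struct.pack("!I", ts) + _tag(addr, ts, secret)


def check_cookie(cookie, addr, now=None, secret=SECRET):
    """True only if the cookie was issued to this exact (ip, port) and is fresh."""
    if len(cookie) != 20:
        return False
    now = int(time.time() if now is None else now)
    (ts,) = struct.unpack("!I", cookie[:4])
    if not 0 <= now - ts <= COOKIE_TTL:
        return False
    return hmac.compare_digest(cookie[4:], _tag(addr, ts, secret))


class Listener:
    """Keeps no per-peer state until the peer proves it receives at its address."""
    def __init__(self):
        self.sessions = set()

    def on_datagram(self, addr, payload, now=None):
        if addr in self.sessions:
            return b"DATA"  # established peer: normal traffic would flow here
        if len(payload) < MIN_HELLO or not payload.startswith(b"HELLO"):
            return None  # drop silently: nothing to reflect
        if check_cookie(payload[5:25], addr, now):
            self.sessions.add(addr)
            return b"ACCEPT"
        # One 25-byte reply, smaller than the request, never retransmitted.
        return b"RETRY" + make_cookie(addr, now)
```

A sender that spoofs someone else's address never receives the RETRY cookie, so the spoofed address gets at most one small datagram per request and no session traffic is ever started toward it.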
