Comments (27)
A few points to clarify:
- These bots are likely trying to use your Geyser instance to perform a denial of service attack on other servers
- We patched their ability to use your server in such an attack in build 478 and later
- Updating will not stop the connection requests, but it does prevent your server from being used in a denial of service attack
- From what we've seen, the connection attempts themselves are not happening at a fast enough rate to degrade Geyser performance
This vulnerability does not allow any form of RCE or shell access and is limited in scope to the UDP amplification of a specific packet.
I'm glad to see the exploit has been fixed and the situation wasn't worse than it already was, but this shows an issue with Geyser. Having no Spigot, Bukkit, Modrinth, Curseforge, or Jenkins builds, and having no in-game security update join notification leads to people not knowing about important security updates unless they're in the Discord or monitoring GitHub. We need a security update message in-game, and it really needs to be in-game because in this case a console message would have been lost in the void of thousands of console messages.
Hey, this is likely related to this issue: #4510
> Hey, this is likely related to this issue: #4510
Thank you, after investigation, it is indeed a memory leak.
Are you still experiencing these connections?
> Are you still experiencing these connections?
Let me test it
> Are you still experiencing these connections?
The problem still exists.
https://mclo.gs/dmWKAIv
Here's the full log, there's no output after this because it crashed, due to a memory leak.
Same issue. Since 27-03-2024 I see this in the log, many strange connections:
https://mclo.gs/eRprzRJ
Most of these IP addresses are from China (I have never played with Chinese players, so this is suspicious).
After updating Paper and Geyser the problem still exists.
What type of server are you running Geyser from?
> What type of server are you running Geyser from?
VPS
The VPS and IP are shared by multiple machines. I suspect that there may have been a protocol attack, which caused a geyser memory leak by exploiting some protocol vulnerabilities.
> Same issue. Since 27-03-2024 I see this in the log, many strange connections: https://mclo.gs/eRprzRJ
> Most of these IP addresses are from China (I have never played with Chinese players, so this is suspicious).
> After updating Paper and Geyser the problem still exists.
Through reverse analysis of these IPs, I found that they are all quite normal IPs.
I think the owners of these IPs must be infected by some kind of computer virus.
Please supply a Geyser Dump if you are experiencing this issue.
> Please supply a Geyser Dump if you are experiencing this issue.
When should I generate the dump? Geyser has crashed by the time there is a problem, but when there is no problem, Geyser is normal.
It can be generated now.
> It can be generated now.
OK
https://dump.geysermc.org/NTGq7SF8CEDpHOm7tAaT80R3memlpmOS
I can confirm this is happening to my server too.
Multiple Chinese and French IPs are trying multiple connections to port 19132 all the time!
I am running Geyser on a dedicated server.
I updated to the latest GeyserMC today and the issue continues. Lots of Chinese IPs trying to connect.
But this is not a DOS attack, it is not fast, it just crashes suddenly.
> A few points to clarify:
> - These bots are likely trying to use your Geyser instance to perform a denial of service attack on other servers
> - We patched their ability to use your server in such an attack in build 478 and later
> - Updating will not stop the connection requests, but it does prevent your server from being used in a denial of service attack
> - From what we've seen, the connection attempts themselves are not happening at a fast enough rate to degrade Geyser performance
If that is the case, nice to know. And thank you for the answer.
Although it's a bit annoying, we can live with that for now.
If there are just a lot of useless connection messages, you can use the standalone version of Geyser to separate the logs, but no matter which version, it will crash because of these meaningless connections.
The current temporary solution is to use the standalone version of Geyser and then restart it using a restart script; this has the smallest scope of impact.
I think it's the port scanner that's working, so connection messages are displayed.
> But this is not a DOS attack, it is not fast, it just crashes suddenly.
Not a DOS targeting your server, rather an attack to use your server against other servers.
2 days ago they were able to use our server for an attack causing our hosting provider to lock down our server:
(12.34.567.890 is the censored ip of our server and 117.149.000.00 the censored IP of the victim host)
> ##############################################################################
> # DDoS-Attack detected from host 12.34.567.890 #
> ##############################################################################
>
>
> TIME SRC SRC-PORT -> DST DST-PORT SIZE PROT
> ----------------------------------------------------------------------------------------------------------
> 2024-04-02 18:53:16.909125621 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:16.956794377 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.081092488 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.171113701 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.245074428 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.395252685 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.511952494 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.588138315 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.746376813 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.830696936 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:17.942296107 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.038402743 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.130917562 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.241121899 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.353009159 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.454874064 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.569765722 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.639975739 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.717842269 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.779454884 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.837675492 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.91165837 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:18.965890428 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.022805872 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.122020673 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.200598697 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.30703348 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.420852356 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.527609482 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.645878278 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.742486357 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.844281339 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:19.98975894 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.094193626 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.200191136 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.320490446 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.4487414 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.563539881 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.69522451 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.787469125 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:20.945594147 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:21.080623923 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:21.216649354 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:21.336734036 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:21.440574401 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:21.586071519 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:21.709249368 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:21.828432333 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.043367128 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.147169992 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.277595886 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.474732937 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.624952483 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.762477248 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.884386282 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:22.962889554 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.086080107 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.19955065 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.287708427 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.389323897 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.48187765 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.569431748 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.718129778 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
> 2024-04-02 18:53:23.853424418 +0200 12.34.567.890 19132 -> 117.149.000.00 44876 134 UDP
I am a bit confused though. As of now (2024-04-04T16:26UTC) I can't find any notification that there has been a security patch for a vulnerability that is being actively exploited.
Not on the GeyserMC website, not via the console when we do a server startup or version check, and not here on GitHub.
Was there any information or PSA anywhere so this problem could have been avoided?
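The maintainers' first comment and the provider report above describe the same event from two sides: Geyser answering a small datagram with a larger reply, and that reply going to whatever source address the sender spoofed, so the victim sees a stream of identical response packets coming from port 19132. The script below is an added example, not part of the original thread and not Geyser's own code, showing how to pull that reflector pattern out of a provider report in the layout quoted above. The sample report, the documentation IP addresses, the thresholds (`min_packets`, `min_pps`) and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the hosting provider's report quoted above;
# it is not the poster's real log. 203.0.113.10 stands in for the Geyser host,
# 198.51.100.7 for the host being flooded and 192.0.2.55 for an ordinary player.
SAMPLE_REPORT = """\
##############################################################################
# DDoS-Attack detected from host 203.0.113.10 #
##############################################################################

TIME SRC SRC-PORT -> DST DST-PORT SIZE PROT
------------------------------------------------------------------------------
2024-04-02 18:53:16.909125621 +0200 203.0.113.10 19132 -> 198.51.100.7 44876 134 UDP
2024-04-02 18:53:16.956794377 +0200 203.0.113.10 19132 -> 198.51.100.7 44876 134 UDP
2024-04-02 18:53:17.000000000 +0200 203.0.113.10 19132 -> 192.0.2.55 51234 1420 UDP
2024-04-02 18:53:17.081092488 +0200 203.0.113.10 19132 -> 198.51.100.7 44876 134 UDP
2024-04-02 18:53:17.171113701 +0200 203.0.113.10 19132 -> 198.51.100.7 44876 134 UDP
2024-04-02 18:53:17.245074428 +0200 203.0.113.10 19132 -> 198.51.100.7 44876 134 UDP
2024-04-02 18:53:17.300000000 +0200 203.0.113.10 19132 -> 192.0.2.55 51234 88 UDP
2024-04-02 18:53:17.395252685 +0200 203.0.113.10 19132 -> 198.51.100.7 44876 134 UDP
2024-04-02 18:53:17.511952494 +0200 203.0.113.10 19132 -> 198.51.100.7 44876 134 UDP
2024-04-02 18:53:17.588138315 +0200 203.0.113.10 19132 -> 198.51.100.7 44876 134 UDP
2024-04-02 18:53:17.600000000 +0200 203.0.113.10 19132 -> 192.0.2.55 51234 612 UDP
2024-04-02 18:53:17.746376813 +0200 203.0.113.10 19132 -> 198.51.100.7 44876 134 UDP
2024-04-02 18:53:17.830696936 +0200 203.0.113.10 19132 -> 198.51.100.7 44876 134 UDP
2024-04-02 18:53:17.942296107 +0200 203.0.113.10 19132 -> 198.51.100.7 44876 134 UDP
2024-04-02 18:53:18.038402743 +0200 203.0.113.10 19132 -> 198.51.100.7 44876 134 UDP
2024-04-02 18:53:19.000000000 +0200 203.0.113.10 25565 -> 192.0.2.80 40001 60 TCP
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) [+-]\d{4} "
    r"(?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+) (?P<size>\d+) (?P<proto>\S+)$"
)


def parse_report(text):
    """Parse the provider's 'TIME SRC SRC-PORT -> DST DST-PORT SIZE PROT' rows.

    Banner, header, rule and blank lines are skipped, and a leading '>' (the
    quoting used when the report is pasted into an issue) is tolerated.
    Nanosecond timestamps are cut to microseconds, the most datetime holds.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(">"):
            line = line[1:].strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        secs, frac = m["time"].split(".")
        ts = datetime.strptime(f"{m['date']} {secs}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f")
        records.append({
            "ts": ts,
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "size": int(m["size"]), "proto": m["proto"],
        })
    return records


def reflection_flows(records, service_port=19132, min_packets=10, min_pps=5.0):
    """Return egress flows that look like the server being used as a UDP reflector.

    The shape to look for is the one in the report above: datagrams leave *from*
    the Geyser service port (so they are replies, not player traffic), all go to
    one dst:dport, are all the same size (the same response packet over and
    over) and keep up a sustained rate. A real player session receives replies
    of many different sizes, so it never passes the single-size test.
    """
    flows = defaultdict(list)
    for r in records:
        if r["proto"] == "UDP" and r["sport"] == service_port:
            flows[(r["src"], r["dst"], r["dport"])].append(r)

    findings = []
    for (src, dst, dport), pkts in flows.items():
        if len(pkts) < min_packets:
            continue
        sizes = {p["size"] for p in pkts}
        if len(sizes) != 1:
            continue
        first = min(p["ts"] for p in pkts)
        last = max(p["ts"] for p in pkts)
        span = (last - first).total_seconds()
        pps = len(pkts) / span if span > 0 else float("inf")
        if pps < min_pps:
            continue
        size = sizes.pop()
        findings.append({
            "src": src, "dst": dst, "dport": dport,
            "packets": len(pkts), "size": size, "bytes": size * len(pkts),
            "seconds": round(span, 3), "pps": round(pps, 1),
        })
    return sorted(findings, key=lambda f: f["packets"], reverse=True)


if __name__ == "__main__":
    for f in reflection_flows(parse_report(SAMPLE_REPORT)):
        print(f"reflector pattern: {f['src']} -> {f['dst']}:{f['dport']} "
              f"{f['packets']} x {f['size']} B in {f['seconds']} s ({f['pps']} pps)")
```

The heuristic only uses what a provider report of this kind contains, which is egress. On the host itself the complementary check is the ingress side: a reflector victim shows replies leaving port 19132 towards an address that never completed a session, and the patched build (478 and later, per the maintainers) is what stops those replies from being produced in the first place; the script only tells you whether an older build was already being abused.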
In addition to my previous comment I want to ask one thing regarding the vulnerability:
Was it only possible to redirect traffic using the victim (our server) as a proxy, or is there a chance of a takeover caused by the vulnerability?
In addition to the latest xz utils vulnerability (CVE-2024-3094), a case of a takeover would mean our team would have to inform our hosting provider to isolate the server and discuss further steps.
We did an everyone ping in our Discord to notify people of the update. Geyser does not self update, though people have made unofficial plugins and docker containers that do so on restart. This vulnerability is not related to the xz utils vulnerability in any way and is limited in scope to UDP amplification of a specific packet.
> We did an everyone ping in our Discord to notify people of the update. Geyser does not self update, though people have made unofficial plugins and docker containers that do so on restart. This vulnerability is not related to the xz utils vulnerability in any way and is limited in scope to UDP amplification of a specific packet.
Ah ok, so joining the Discord is mandatory, I see. Welp, my bad here.
So there's no way an attacker could have gained root access to our server by exploiting the Geyser vulnerability, if I understood correctly?
Thank you for the feedback. We're exploring our options for this.