Improve protection against spam attacks

nickuc · nickuc · commit d362a77b44a9 · 2024-08-12T21:20:37.000-03:00
diff --git a/bungeeguard-backend/src/main/java/me/lucko/bungeeguard/backend/BungeeGuardBackend.java b/bungeeguard-backend/src/main/java/me/lucko/bungeeguard/backend/BungeeGuardBackend.java
@@ -12,4 +12,6 @@ public interface BungeeGuardBackend {
     Path getConfigPath();
 
     void reloadConfig();
+
+    boolean isVerbose();
 }
diff --git a/bungeeguard-backend/src/main/java/me/lucko/bungeeguard/backend/listener/AbstractHandshakeListener.java b/bungeeguard-backend/src/main/java/me/lucko/bungeeguard/backend/listener/AbstractHandshakeListener.java
@@ -28,6 +28,8 @@
 import me.lucko.bungeeguard.backend.BungeeGuardBackend;
 import me.lucko.bungeeguard.backend.TokenStore;
 
+import java.util.concurrent.atomic.AtomicLong;
+
 /**
  * An abstract handshake listener.
  */
@@ -38,7 +40,7 @@ public abstract class AbstractHandshakeListener {
     protected final String noDataKickMessage;
     protected final String invalidTokenKickMessage;
 
-    private long throttle;
+    private final AtomicLong throttle = new AtomicLong();
 
     protected AbstractHandshakeListener(BungeeGuardBackend plugin, TokenStore tokenStore) {
         this.plugin = plugin;
@@ -47,13 +49,8 @@ protected AbstractHandshakeListener(BungeeGuardBackend plugin, TokenStore tokenS
         this.invalidTokenKickMessage = plugin.getKickMessage("invalid-token-kick-message");
     }
 
-    public boolean isThrottled() {
-        long cur = System.currentTimeMillis();
-        if (cur - this.throttle >= 1000L) {
-            this.throttle = cur;
-            return false;
-        } else {
-            return true;
-        }
+    public boolean isRateLimitAllowed() {
+        long current = System.currentTimeMillis();
+        return current - this.throttle.getAndSet(current) >= 1000;
     }
 }
diff --git a/bungeeguard-spigot/src/main/java/me/lucko/bungeeguard/spigot/BungeeCordHandshake.java b/bungeeguard-spigot/src/main/java/me/lucko/bungeeguard/spigot/BungeeCordHandshake.java
@@ -90,7 +90,12 @@ private static BungeeCordHandshake decodeAndVerify0(String handshake, TokenStore
             readIndex = 1;
         }
         String socketAddressHostname = split[readIndex++];
-        UUID uniqueId = UUID.fromString(split[readIndex++].replaceFirst("(\\w{8})(\\w{4})(\\w{4})(\\w{4})(\\w{12})", "$1-$2-$3-$4-$5"));
+        UUID uniqueId;
+        try {
+            uniqueId = UUID.fromString(split[readIndex++].replaceFirst("(\\w{8})(\\w{4})(\\w{4})(\\w{4})(\\w{12})", "$1-$2-$3-$4-$5"));
+        } catch (NumberFormatException e) {
+            return new Fail(Fail.Reason.INVALID_UNIQUE_ID, encodeBase64(handshake));
+        }
 
         String connectionDescription = uniqueId + " @ " + encodeBase64(socketAddressHostname);
 
@@ -108,7 +113,7 @@ private static BungeeCordHandshake decodeAndVerify0(String handshake, TokenStore
             JsonObject property = iterator.next();
             if (property.get(PROPERTY_NAME_KEY).getAsString().equals(BUNGEEGUARD_TOKEN_NAME)) {
                 if (bungeeGuardToken != null) {
-                    return new Fail(Fail.Reason.INCORRECT_TOKEN, connectionDescription + " - more than one token");
+                    return new Fail(Fail.Reason.DUPLICATED_TOKEN, connectionDescription);
                 }
 
                 bungeeGuardToken = property.get(PROPERTY_VALUE_KEY).getAsString();
@@ -195,8 +200,7 @@ public String describeConnection() {
         }
 
         public enum Reason {
-            INVALID_HANDSHAKE, NO_TOKEN, INCORRECT_TOKEN
+            INVALID_HANDSHAKE, INVALID_UNIQUE_ID, NO_TOKEN, DUPLICATED_TOKEN, INCORRECT_TOKEN
         }
     }
-
 }
diff --git a/bungeeguard-spigot/src/main/java/me/lucko/bungeeguard/spigot/BungeeGuardBackendPlugin.java b/bungeeguard-spigot/src/main/java/me/lucko/bungeeguard/spigot/BungeeGuardBackendPlugin.java
@@ -139,6 +139,11 @@ public Path getConfigPath() {
         return new File(getDataFolder(), "config.yml").toPath();
     }
 
+    @Override
+    public boolean isVerbose() {
+        return getConfig().getBoolean("verbose", false);
+    }
+
     private boolean isBungeeEnabled() {
         YamlConfiguration spigotConfig = getServer().spigot().getSpigotConfig();
         return spigotConfig.getBoolean("settings.bungeecord") || spigotConfig.getBoolean("spigot.settings.bungeecord");
@@ -173,5 +178,4 @@ private static boolean classExists(String className) {
             return false;
         }
     }
-
 }
diff --git a/bungeeguard-spigot/src/main/java/me/lucko/bungeeguard/spigot/listener/PaperHandshakeListener.java b/bungeeguard-spigot/src/main/java/me/lucko/bungeeguard/spigot/listener/PaperHandshakeListener.java
@@ -44,6 +44,7 @@
 public class PaperHandshakeListener extends AbstractHandshakeListener implements Listener {
 
     private static final Method getOriginalSocketAddressHostname;
+
     static {
         Method method = null;
         try {
@@ -69,17 +70,17 @@ public void onHandshake(PlayerHandshakeEvent e) {
             BungeeCordHandshake.Fail fail = (BungeeCordHandshake.Fail) decoded;
 
             // if the logging is not throttled, we send the error message
-            if (!isThrottled()) {
-                String ip = "";
+            if (isRateLimitAllowed()) {
+                String ip = "null";
                 if (getOriginalSocketAddressHostname != null) {
                     try {
-                        ip = getOriginalSocketAddressHostname.invoke(e) + " - ";
+                        ip = (String) getOriginalSocketAddressHostname.invoke(e);
                     } catch (ReflectiveOperationException ex) {
                         this.logger.log(Level.SEVERE, "Unable to get original address", ex);
                     }
                 }
 
-                this.logger.warning("Denying connection from " + ip + fail.describeConnection() + " - reason: " + fail.reason().name());
+                this.logger.warning("Denying connection from " + ip + " - " + (plugin.isVerbose() ? fail.describeConnection() : "") + " - reason: " + fail.reason().name());
             }
 
             if (fail.reason() == BungeeCordHandshake.Fail.Reason.INCORRECT_TOKEN) {
diff --git a/bungeeguard-spigot/src/main/java/me/lucko/bungeeguard/spigot/listener/ProtocolHandshakeListener.java b/bungeeguard-spigot/src/main/java/me/lucko/bungeeguard/spigot/listener/ProtocolHandshakeListener.java
@@ -54,12 +54,16 @@ public ProtocolHandshakeListener(BungeeGuardBackend plugin, TokenStore tokenStor
     }
 
     public void registerAdapter(Plugin plugin) {
-        ProtocolLibrary.getProtocolManager().addPacketListener(new Adapter(plugin));
+        ProtocolLibrary.getProtocolManager().addPacketListener(new Adapter(plugin, super.plugin));
     }
 
     private final class Adapter extends PacketAdapter {
-        Adapter(Plugin plugin) {
+
+        private final BungeeGuardBackend backend;
+
+        Adapter(Plugin plugin, BungeeGuardBackend backend) {
             super(plugin, ListenerPriority.LOWEST, PacketType.Handshake.Client.SET_PROTOCOL);
+            this.backend = backend;
         }
 
         @Override
@@ -80,7 +84,7 @@ public void onPacketReceiving(PacketEvent event) {
                 Player player = event.getPlayer();
 
                 // if the logging is not throttled, we send the error message
-                if (!isThrottled()) {
+                if (isRateLimitAllowed()) {
                     String ip = "null";
                     InetSocketAddress address = player.getAddress();
                     if (address != null) {
@@ -89,7 +93,7 @@ public void onPacketReceiving(PacketEvent event) {
                             ip = BungeeCordHandshake.encodeBase64(ip);
                         }
                     }
-                    this.plugin.getLogger().warning("Denying connection from " + ip + " - " + fail.describeConnection() + " - reason: " + fail.reason().name());
+                    this.plugin.getLogger().warning("Denying connection from " + ip + " - " + (backend.isVerbose() ? fail.describeConnection() : "") + " - reason: " + fail.reason().name());
                 }
 
                 String kickMessage;
diff --git a/bungeeguard-spigot/src/main/resources/config.yml b/bungeeguard-spigot/src/main/resources/config.yml
@@ -26,4 +26,8 @@ invalid-token-kick-message:
   - '&cThe token sent by proxy server is not allowed by this backend server.'
   - ''
   - '§7More information:'
-  - '&bdocs.nickuc.com/bungeeguard'
+  - '&bdocs.nickuc.com/bungeeguard'
+
+# Defines if BungeeGuard should detail errors in the console.
+# Useful for debugging purposes.
+verbose: false
diff --git a/bungeeguard-sponge/src/main/java/me/lucko/bungeeguard/sponge/BungeeGuardSponge.java b/bungeeguard-sponge/src/main/java/me/lucko/bungeeguard/sponge/BungeeGuardSponge.java
@@ -170,4 +170,9 @@ public void reloadConfig() {
             throw new RuntimeException("Unable to load config", e);
         }
     }
+
+    @Override
+    public boolean isVerbose() {
+        return this.config.getNode("verbose").getBoolean(false);
+    }
 }
diff --git a/bungeeguard-sponge/src/main/java/me/lucko/bungeeguard/sponge/HandshakeListener.java b/bungeeguard-sponge/src/main/java/me/lucko/bungeeguard/sponge/HandshakeListener.java
@@ -66,7 +66,7 @@ public void onClientAuth(ClientConnectionEvent.Auth e) {
 
         if (bungeeGuardToken == null || !this.tokenStore.isAllowed(bungeeGuardToken)) {
             // if the logging is not throttled, we send the error message
-            if (!isThrottled()) {
+            if (isRateLimitAllowed()) {
                 String connectionDescription = profile.getUniqueId() + " @ " + e.getConnection().getAddress().getHostString();
                 String reason = bungeeGuardToken == null ? "No Token" : "Invalid token";
 
diff --git a/bungeeguard-sponge/src/main/resources/bungeeguard.conf b/bungeeguard-sponge/src/main/resources/bungeeguard.conf
@@ -30,3 +30,7 @@ invalid-token-kick-message = [
     "§7More information:",
     "&bdocs.nickuc.com/bungeeguard",
 ]
+
+# Defines if BungeeGuard should detail errors in the console.
+# Useful for debugging purposes.
+verbose = false

Original file line number	Diff line number	Diff line change
`@@ -12,4 +12,6 @@ public interface BungeeGuardBackend {`
`12`	`12`	`Path getConfigPath();`
`13`	`13`
`14`	`14`	`void reloadConfig();`
	`15`	`+`
	`16`	`+ boolean isVerbose();`
`15`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,12 @@ private static BungeeCordHandshake decodeAndVerify0(String handshake, TokenStore`
`90`	`90`	`readIndex = 1;`
`91`	`91`	`}`
`92`	`92`	`String socketAddressHostname = split[readIndex++];`
`93`		`- UUID uniqueId = UUID.fromString(split[readIndex++].replaceFirst("(\\w{8})(\\w{4})(\\w{4})(\\w{4})(\\w{12})", "$1-$2-$3-$4-$5"));`
	`93`	`+ UUID uniqueId;`
	`94`	`+ try {`
	`95`	`+ uniqueId = UUID.fromString(split[readIndex++].replaceFirst("(\\w{8})(\\w{4})(\\w{4})(\\w{4})(\\w{12})", "$1-$2-$3-$4-$5"));`
	`96`	`+ } catch (NumberFormatException e) {`
	`97`	`+ return new Fail(Fail.Reason.INVALID_UNIQUE_ID, encodeBase64(handshake));`
	`98`	`+ }`
`94`	`99`
`95`	`100`	`String connectionDescription = uniqueId + " @ " + encodeBase64(socketAddressHostname);`
`96`	`101`
`@@ -108,7 +113,7 @@ private static BungeeCordHandshake decodeAndVerify0(String handshake, TokenStore`
`108`	`113`	`JsonObject property = iterator.next();`
`109`	`114`	`if (property.get(PROPERTY_NAME_KEY).getAsString().equals(BUNGEEGUARD_TOKEN_NAME)) {`
`110`	`115`	`if (bungeeGuardToken != null) {`
`111`		`- return new Fail(Fail.Reason.INCORRECT_TOKEN, connectionDescription + " - more than one token");`
	`116`	`+ return new Fail(Fail.Reason.DUPLICATED_TOKEN, connectionDescription);`
`112`	`117`	`}`
`113`	`118`
`114`	`119`	`bungeeGuardToken = property.get(PROPERTY_VALUE_KEY).getAsString();`
`@@ -195,8 +200,7 @@ public String describeConnection() {`
`195`	`200`	`}`
`196`	`201`
`197`	`202`	`public enum Reason {`
`198`		`- INVALID_HANDSHAKE, NO_TOKEN, INCORRECT_TOKEN`
	`203`	`+ INVALID_HANDSHAKE, INVALID_UNIQUE_ID, NO_TOKEN, DUPLICATED_TOKEN, INCORRECT_TOKEN`
`199`	`204`	`}`
`200`	`205`	`}`
`201`		`-`
`202`	`206`	`}`
Original file line number	Diff line number	Diff line change
`@@ -139,6 +139,11 @@ public Path getConfigPath() {`
`139`	`139`	`return new File(getDataFolder(), "config.yml").toPath();`
`140`	`140`	`}`
`141`	`141`
	`142`	`+ @Override`
	`143`	`+ public boolean isVerbose() {`
	`144`	`+ return getConfig().getBoolean("verbose", false);`
	`145`	`+ }`
	`146`	`+`
`142`	`147`	`private boolean isBungeeEnabled() {`
`143`	`148`	`YamlConfiguration spigotConfig = getServer().spigot().getSpigotConfig();`
`144`	`149`	`return spigotConfig.getBoolean("settings.bungeecord") \|\| spigotConfig.getBoolean("spigot.settings.bungeecord");`
`@@ -173,5 +178,4 @@ private static boolean classExists(String className) {`
`173`	`178`	`return false;`
`174`	`179`	`}`
`175`	`180`	`}`
`176`		`-`
`177`	`181`	`}`
Original file line number	Diff line number	Diff line change
`@@ -54,12 +54,16 @@ public ProtocolHandshakeListener(BungeeGuardBackend plugin, TokenStore tokenStor`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`public void registerAdapter(Plugin plugin) {`
`57`		`- ProtocolLibrary.getProtocolManager().addPacketListener(new Adapter(plugin));`
	`57`	`+ ProtocolLibrary.getProtocolManager().addPacketListener(new Adapter(plugin, super.plugin));`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`private final class Adapter extends PacketAdapter {`
`61`		`- Adapter(Plugin plugin) {`
	`61`	`+`
	`62`	`+ private final BungeeGuardBackend backend;`
	`63`	`+`
	`64`	`+ Adapter(Plugin plugin, BungeeGuardBackend backend) {`
`62`	`65`	`super(plugin, ListenerPriority.LOWEST, PacketType.Handshake.Client.SET_PROTOCOL);`
	`66`	`+ this.backend = backend;`
`63`	`67`	`}`
`64`	`68`
`65`	`69`	`@Override`
`@@ -80,7 +84,7 @@ public void onPacketReceiving(PacketEvent event) {`
`80`	`84`	`Player player = event.getPlayer();`
`81`	`85`
`82`	`86`	`// if the logging is not throttled, we send the error message`
`83`		`- if (!isThrottled()) {`
	`87`	`+ if (isRateLimitAllowed()) {`
`84`	`88`	`String ip = "null";`
`85`	`89`	`InetSocketAddress address = player.getAddress();`
`86`	`90`	`if (address != null) {`
`@@ -89,7 +93,7 @@ public void onPacketReceiving(PacketEvent event) {`
`89`	`93`	`ip = BungeeCordHandshake.encodeBase64(ip);`
`90`	`94`	`}`
`91`	`95`	`}`
`92`		`- this.plugin.getLogger().warning("Denying connection from " + ip + " - " + fail.describeConnection() + " - reason: " + fail.reason().name());`
	`96`	`+ this.plugin.getLogger().warning("Denying connection from " + ip + " - " + (backend.isVerbose() ? fail.describeConnection() : "") + " - reason: " + fail.reason().name());`
`93`	`97`	`}`
`94`	`98`
`95`	`99`	`String kickMessage;`
Original file line number	Diff line number	Diff line change
`@@ -170,4 +170,9 @@ public void reloadConfig() {`
`170`	`170`	`throw new RuntimeException("Unable to load config", e);`
`171`	`171`	`}`
`172`	`172`	`}`
	`173`	`+`
	`174`	`+ @Override`
	`175`	`+ public boolean isVerbose() {`
	`176`	`+ return this.config.getNode("verbose").getBoolean(false);`
	`177`	`+ }`
`173`	`178`	`}`
Original file line number	Diff line number	Diff line change
`@@ -30,3 +30,7 @@ invalid-token-kick-message = [`
`30`	`30`	`"§7More information:",`
`31`	`31`	`"&bdocs.nickuc.com/bungeeguard",`
`32`	`32`	`]`
	`33`	`+`
	`34`	`+# Defines if BungeeGuard should detail errors in the console.`
	`35`	`+# Useful for debugging purposes.`
	`36`	`+verbose = false`