Netty Protection

Advanced network-level protection against pipeline exploitation and connection attacks.

What is Netty Protection?

Netty is the networking library Minecraft uses to handle all incoming and outgoing packets. GAPE's Netty protection operates at the lowest network layer, monitoring the connection pipeline before packets even reach Minecraft's handlers.

Connection Monitoring

GAPE tracks every player connection and monitors for suspicious network behavior:

  • Pipeline Injection Detection - Detects when malicious clients attempt to inject custom handlers into the Netty pipeline to bypass server checks
  • Connection Rate Limiting - Prevents connection spam attacks where attackers rapidly connect and disconnect to consume server resources
  • Handshake Validation - Validates the initial connection handshake to ensure clients are connecting properly
  • Channel Monitoring - Tracks the health and state of each player's network channel

Protection Against Common Attacks

Pipeline Modification Attacks

Some exploit clients attempt to modify Minecraft's packet processing pipeline to:

  • Bypass anti-cheat checks
  • Inject malicious packet handlers
  • Intercept and modify packets before they're processed
  • Add custom channels for hidden communication

GAPE detects and prevents these modifications by monitoring the pipeline structure and blocking unauthorized changes.

Connection Exhaustion

Attackers may try to exhaust server resources by:

  • Opening hundreds of connections simultaneously
  • Connecting and disconnecting rapidly
  • Holding connections open without sending valid packets
  • Creating partial connections that never complete the handshake

GAPE's connection rate limiting prevents these attacks by tracking connection attempts per IP address and enforcing configurable limits.

Configuration Options

Enable/Disable Protection

Toggle Netty-level protection on or off. When disabled, only packet-level checks will run.

Connection Limits

Set maximum connections allowed per IP address within a time window. Prevents connection spam attacks.
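
The per-IP limit within a time window described here and under Connection Exhaustion can be sketched as a sliding-window counter. This is an added example, not GAPE's code: the class name, the limit values and the trusted-address set are assumptions, and the addresses are constructed documentation-range samples.

```java
import java.net.InetAddress;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sliding-window limiter (added example, not GAPE's implementation).
public class ConnectionLimiter {
    private final int maxPerWindow;
    private final long windowMillis;
    private final Set<InetAddress> trusted; // e.g. your own proxy, exempt from the limit
    private final Map<InetAddress, Deque<Long>> attempts = new ConcurrentHashMap<>();

    public ConnectionLimiter(int maxPerWindow, long windowMillis, Set<InetAddress> trusted) {
        this.maxPerWindow = maxPerWindow;
        this.windowMillis = windowMillis;
        this.trusted = Set.copyOf(trusted);
    }

    // Call once per new connection, before any handshake work is done for it.
    public boolean allow(InetAddress ip, long nowMillis) {
        if (trusted.contains(ip)) return true;
        boolean[] allowed = new boolean[1];
        attempts.compute(ip, (k, times) -> {
            if (times == null) times = new ArrayDeque<>();
            // Drop attempts that have aged out of the window.
            while (!times.isEmpty() && nowMillis - times.peekFirst() >= windowMillis) times.pollFirst();
            allowed[0] = times.size() < maxPerWindow;
            // Rejected attempts are not recorded, so each deque holds at most maxPerWindow entries.
            if (allowed[0]) times.addLast(nowMillis);
            return times;
        });
        return allowed[0];
    }

    // Run periodically so addresses that stopped connecting do not accumulate in memory.
    public void evictIdle(long nowMillis) {
        for (InetAddress ip : attempts.keySet())
            attempts.computeIfPresent(ip, (k, times) ->
                times.isEmpty() || nowMillis - times.peekLast() >= windowMillis ? null : times);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: 3 connections per 1000 ms, one trusted proxy address.
        InetAddress proxy = InetAddress.getByName("198.51.100.1");
        InetAddress client = InetAddress.getByName("203.0.113.7");
        ConnectionLimiter limiter = new ConnectionLimiter(3, 1000, Set.of(proxy));
        for (long t : new long[] {0, 1, 2, 3, 4, 1000})
            System.out.println("t=" + t + " client=" + limiter.allow(client, t) + " proxy=" + limiter.allow(proxy, t));
    }
}
```

Players who share one address behind NAT or a proxy count against the same window, which is why the trusted set exists and why an overly strict limit shows up as the false positives covered under Troubleshooting.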

Pipeline Validation

Enable or disable strict pipeline structure validation. When enabled, any modifications to the expected pipeline will trigger alerts.

Async Processing

Run Netty checks asynchronously to avoid blocking the main server thread. Recommended for high-traffic servers.

Performance Impact

Netty protection operates at the network layer and has minimal performance overhead:

  • Per-Connection: ~100-200ns overhead during connection handshake
  • Runtime: Negligible impact during normal gameplay
  • Memory: Small tracking map per connected player (~50 bytes per connection)

When to Enable

Netty protection is recommended for:

  • Public servers that face frequent attack attempts
  • Servers with a history of pipeline injection exploits
  • Large networks with multiple sub-servers
  • Competitive servers where exploit prevention is critical

Troubleshooting

False Positives

If legitimate players are being flagged:

  • Check if they're using modified clients or proxies
  • Verify connection limits aren't too strict for your network
  • Review logs to identify which specific check is triggering
  • Consider whitelisting trusted IPs if using a proxy/VPN

Performance Issues

If experiencing lag with Netty protection enabled:

  • Enable async processing mode
  • Increase connection limit time windows
  • Check for high connection churn rate (many connects/disconnects)
  • Review server hardware and network capacity

Note: Netty protection works in conjunction with packet-level checks. Disabling Netty protection will still leave packet validation active.