Command Spam Check

Detects and prevents command flooding that can lag the server.

What It Does

This check monitors how frequently players execute commands. Commands are more expensive to process than normal packets because they involve parsing, permission checks, and plugin execution.

Why Commands Are Expensive

Processing a command involves:

  • String parsing: Breaking command into command + arguments
  • Permission checks: Verifying player has permission
  • Tab completion: Generating suggestion lists
  • Plugin execution: Running plugin command handlers
  • Database queries: Many commands query databases
  • Network calls: Some commands make API requests

Each command can take 1-100ms to process, compared to 0.001-0.01ms for regular packets.

The Attack

Attackers spam commands to cause lag:

  • Execute 50+ commands per second
  • Use computationally expensive commands (like /plugins, /tps)
  • Trigger database-heavy commands repeatedly
  • Spam commands that generate output to all online players

How It Works

GAPE tracks command execution rate:

  • Count commands executed by each player
  • Track within sliding time window
  • If rate exceeds limit, increase violation level
  • Cancel excess commands
  • Optionally filter specific expensive commands

What It Protects Against

Performance Degradation

Command spam consumes server CPU, causing lag for all players.

Database Overload

Commands that query databases can overwhelm the database server when spammed.

Plugin Exploits

Some plugins have bugs that only appear when commands are executed rapidly.

Information Gathering

Spamming commands like /plugins, /version, or /list to gather server information.

Configuration Options

Command Rate Limit

Maximum commands per time window:

  • 3 per second: Strict, normal players rarely exceed this
  • 5 per second: Balanced (default)
  • 10 per second: Lenient

Time Window

  • 1 second: Strict
  • 3 seconds: Balanced (default)
  • 5 seconds: Lenient

Expensive Command List

Commands that count double or have stricter limits:

  • /plugins - Lists all plugins
  • /tps - Calculates server performance
  • /timings - Performance profiling
  • /debug - Debug information

Whitelist Commands

Commands that don't count toward the limit:

  • /help - Help menu (usually cached)
  • /spawn - Teleport to spawn
  • /home - Teleport home

Violation Threshold

  • 3: Strict
  • 5: Balanced (default)
  • 10: Lenient

Command Categories

Cheap Commands (0.1-1ms)

  • /help (if cached)
  • /spawn
  • /home
  • /tpa

Normal Commands (1-10ms)

  • /give
  • /tp
  • /gamemode
  • /tell

Expensive Commands (10-100ms)

  • /plugins
  • /tps
  • /timings
  • /eco top

Very Expensive Commands (100+ms)

  • /baltop
  • /stats
  • /leaderboard
  • Custom plugin commands with database queries

Weighted Command Limits

GAPE can weight commands based on cost:

  • Cheap commands: Count as 1
  • Normal commands: Count as 1
  • Expensive commands: Count as 2-3
  • Very expensive: Count as 5-10

This allows more cheap commands while limiting expensive ones.

False Positives

Legitimate scenarios that may trigger this check:

  • Command macros: Players using command shortcuts or macros
  • Accidental spam: Holding Enter key accidentally
  • Script testing: Server admins testing command sequences
  • Plugin automation: Plugins executing commands on behalf of players

Solution: Increase limit slightly or whitelist specific commands.

Real-World Examples

Info Command Spam

Attacker spams /plugins and /version 50 times per second to gather server information and cause lag.

Economy Command Abuse

Player repeatedly executes /baltop or /eco top to overload the economy plugin's database queries.

Broadcast Command Flood

Player with broadcast permission spams commands that send messages to all players, disrupting gameplay.

Performance Impact

  • Check overhead: ~50ns per command
  • Memory: ~50 bytes per player
  • Benefit: Prevents 10-100ms per spammed command

The performance savings from blocking command spam far outweigh the check's overhead.

Integration with Chat Limits

Commands and chat are separate limits:

  • Chat: 3-5 messages per second
  • Commands: 3-5 commands per second
  • Total: Player can send 6-10 chat+command packets per second

This allows normal conversation while preventing command abuse.

Server-Specific Configuration

Public Servers

Strict limits recommended:

  • 3-5 commands per second
  • Mark /plugins, /version as expensive
  • Low violation threshold

Private/Whitelisted Servers

More lenient:

  • 10 commands per second
  • Higher violation threshold
  • Fewer expensive command restrictions

Creative/Build Servers

Moderate limits:

  • 5-7 commands per second (builders use commands frequently)
  • Whitelist WorldEdit commands if applicable

Best Practices

  • Start with 5 commands per second limit
  • Mark resource-intensive commands as expensive
  • Whitelist frequently-used navigation commands
  • Monitor logs to identify which commands are spammed
  • Use weighted limits for better granularity
  • Enable alerts for repeated violations
  • Coordinate with plugin developers about command performance
    • Tip: Command spam is less common than packet spam, but more damaging when it occurs. A single spammed expensive command can cause more lag than 1000 movement packets.