Crasher Detection Check

Multi-vector crash packet detection and prevention.

What It Does

Crasher Detection is GAPE's most comprehensive check, combining multiple detection methods to identify and block packets specifically crafted to crash the server. It analyzes packet patterns, structure, and content to catch both known and unknown crash exploits.

Why It's Critical

Server crashes are catastrophic because they:

  • Immediately disconnect all players - Disrupts gameplay for everyone
  • Require manual restart - Server stays down until admin intervenes
  • May corrupt data - Sudden crashes can corrupt world saves or databases
  • Create downtime - Server unavailable until restarted
  • Damage reputation - Players lose trust in unstable servers

Detection Methods

Known Crash Patterns

GAPE maintains signatures of known crash exploits:

  • Tab-complete crash patterns
  • Sign/book NBT crash structures
  • NaN/Infinity coordinate crashes
  • Oversized packet crashes
  • Malformed JSON crashes

Anomaly Detection

Identifies suspicious patterns that match crash characteristics:

  • Deeply nested data: NBT or JSON nested 50+ levels
  • Extreme values: Numbers outside reasonable ranges
  • Malformed structures: Data that doesn't match expected format
  • Unusual packet combinations: Sequences of packets that typically crash
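One way to implement the nesting-depth check from the list above, as an added example (not GAPE's own code). The class name, the `DEPTH_LIMIT` constant (set from the "50+ levels" figure) and the sample payloads are assumptions made for illustration; `String.repeat` requires Java 11 or later.

```java
public class NestingDepthCheck {
    // Assumed limit: a payload that reaches 50 levels of nesting is rejected.
    static final int DEPTH_LIMIT = 50;

    /**
     * Returns true if the raw JSON text stays below the nesting limit.
     * The scan is a single loop with constant stack usage, so the check
     * itself cannot be pushed into a StackOverflowError by the input.
     */
    static boolean withinDepth(String json, int limit) {
        int depth = 0;
        boolean inString = false;
        boolean escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                // Brackets inside string literals are data, not structure.
                if (escaped) escaped = false;
                else if (c == '\\') escaped = true;
                else if (c == '"') inString = false;
                continue;
            }
            switch (c) {
                case '"': inString = true; break;
                case '[': case '{':
                    if (++depth >= limit) return false;  // too deep
                    break;
                case ']': case '}':
                    if (--depth < 0) return false;       // unbalanced close
                    break;
                default: break;
            }
        }
        // Unterminated strings or containers count as malformed.
        return depth == 0 && !inString;
    }

    public static void main(String[] args) {
        // Constructed samples: an ordinary text component and a 200-level array.
        String normal = "{\"text\":\"hi [not a bracket]\",\"extra\":[{\"text\":\"!\"}]}";
        String nested = "[".repeat(200) + "]".repeat(200);
        System.out.println("normal accepted: " + withinDepth(normal, DEPTH_LIMIT));
        System.out.println("nested accepted: " + withinDepth(nested, DEPTH_LIMIT));
    }
}
```

Running the scan before handing the payload to a recursive parser is what keeps the parser's stack depth bounded.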

Heuristic Analysis

Uses behavioral analysis to detect new crash exploits:

  • Packets that deviate from normal gameplay patterns
  • Rapid sequences of specific packet types
  • Unusual packet ordering
  • Packets with suspicious timing

Resource Consumption Prediction

Estimates the resources a packet will consume:

  • Processing time prediction
  • Memory allocation estimates
  • CPU cycle requirements
  • Blocks packets likely to cause resource exhaustion

What It Protects Against

Classic Crash Exploits

  • Tab-complete crashes: Malformed tab completion packets
  • Book crashes: Books with extreme page counts or sizes
  • Sign crashes: Signs with malformed NBT
  • Coordinate crashes: Invalid position data

Parser Crashes

  • JSON bombs: Deeply nested JSON that causes stack overflow
  • NBT bombs: Malicious NBT structures
  • UTF-8 exploits: Invalid encoding that crashes parsers
  • Regex exploits: Strings that cause regex catastrophic backtracking

Resource Exhaustion

  • Memory bombs: Packets requiring gigabytes of allocation
  • CPU bombs: Packets requiring excessive computation
  • Thread bombs: Packets that create thread deadlocks

Zero-Day Exploits

  • Unknown crash exploits detected via anomaly detection
  • New variants of known exploits
  • Version-specific crash bugs

Multi-Layer Protection

Crasher Detection runs multiple layers sequentially:

  1. Signature matching: Fast check against known patterns (~50ns)
  2. Structure validation: Verify packet structure (~100ns)
  3. Resource prediction: Estimate resource consumption (~150ns)
  4. Heuristic analysis: Behavioral analysis (~200ns)

Total overhead: ~200ns per packet (the remaining layers are skipped if a signature matches)

Configuration Options

Detection Sensitivity

  • High: Catches more crashes, slight increase in false positives
  • Medium: Balanced (default)
  • Low: Only obvious crash attempts

Signature Database

  • Auto-update: Download latest crash signatures automatically
  • Manual: Administrator controls signature updates
  • Offline: Use bundled signatures only

Heuristics

  • Enabled: Detect unknown crashes (recommended)
  • Learning mode: Learn normal patterns without blocking
  • Disabled: Only use signature matching

Violation Action

  • Cancel packet: Always enable (default)
  • Kick immediately: Recommended - crashers are always malicious
  • IP ban: Automatically ban IP after crash attempt (optional)

Common Crash Vectors

Data Structure Bombs

NBT or JSON nested hundreds of levels deep, causing stack overflow when parsed.

Size Bombs

Packets claiming to contain terabytes of data, causing OutOfMemoryError.

Encoding Bombs

Invalid UTF-8 sequences or special Unicode that crashes text processing.
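The Size Bombs and Encoding Bombs cases above share one defence: validate the declared length against the bytes actually received before allocating, then decode strictly. The following is an added example, not GAPE's own code; it assumes a VarInt length prefix as used for strings in the Minecraft Java Edition protocol, and the class name, `MAX_STRING_BYTES` cap and sample packets are illustrative.

```java
import java.nio.ByteBuffer;
import java.nio.charset.*;
public class SafeStringReader {
    static final int MAX_STRING_BYTES = 32767; // assumed cap for this example

    /** Reads a VarInt (7 data bits per byte, at most 5 bytes). */
    static int readVarInt(ByteBuffer in) {
        int value = 0;
        for (int shift = 0; shift < 35; shift += 7) {
            if (!in.hasRemaining()) throw new IllegalArgumentException("truncated VarInt");
            byte b = in.get();
            value |= (b & 0x7F) << shift;
            if ((b & 0x80) == 0) return value;
        }
        throw new IllegalArgumentException("VarInt longer than 5 bytes");
    }

    /** Checks the declared length before touching the payload, then decodes strictly. */
    static String readString(ByteBuffer in) throws CharacterCodingException {
        int declared = readVarInt(in);
        if (declared < 0 || declared > MAX_STRING_BYTES)
            throw new IllegalArgumentException("declared length out of range: " + declared);
        if (declared > in.remaining())
            throw new IllegalArgumentException("declared length exceeds bytes received");
        ByteBuffer payload = in.slice();
        payload.limit(declared);
        in.position(in.position() + declared);
        // REPORT turns malformed UTF-8 into an exception instead of silent replacement.
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(payload).toString();
    }
    public static void main(String[] args) {
        // Constructed packets: valid "hi"; a claim of 2147483647 bytes; invalid UTF-8.
        byte[][] samples = {
            {0x02, 'h', 'i'},
            {(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x07},
            {0x02, (byte) 0xC3, 0x28},
        };
        for (byte[] s : samples) {
            try {
                System.out.println("accepted: " + readString(ByteBuffer.wrap(s)));
            } catch (IllegalArgumentException | CharacterCodingException e) {
                System.out.println("rejected: " + e);
            }
        }
    }
}
```

No buffer is sized from the declared length, so the oversized claim is rejected without any allocation proportional to it.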

Division by Zero

Crafted packets that cause division by zero in calculation code.

Null Pointer Exploits

Packets with missing required fields that cause NullPointerException.

False Positives

Crasher Detection rarely causes false positives. If they occur:

  • Lower sensitivity: Reduce to medium or low
  • Disable heuristics temporarily: Use signatures only while investigating
  • Whitelist players: Trusted players can bypass the check
  • Report to GAPE: Help improve detection accuracy

Signature Updates

GAPE's crash signature database is regularly updated:

  • Frequency: Weekly automatic updates
  • Source: Community-reported crashes and security research
  • Validation: All signatures tested before release
  • Opt-out: Can disable updates for offline servers

Performance Impact

  • Signature check: ~50ns per packet
  • Full analysis: ~200ns per packet (when signatures don't match)
  • Memory: ~2MB for signature database
  • Benefit: Prevents server crashes that cost 10-60 seconds of downtime

Zero-Day Protection

Heuristic analysis provides protection against unknown crashes:

  • Learns normal packet patterns during first 24 hours
  • Flags packets that significantly deviate from normal
  • Blocks packets with characteristics similar to known crashes
  • Doesn't require signature updates for new exploits

Reporting Crashes

If a crash packet gets through GAPE:

  • Check violation logs for the specific packet
  • Report to GAPE developers with packet details
  • A signature will be added in the next update
  • All GAPE users are protected within 7 days

Integration with Other Checks

Crasher Detection complements specific checks:

  • Tab Complete: Specific tab-complete crash patterns
  • Sign/Book Exploit: NBT-based crash detection
  • NoCom: Invalid coordinate crashes
  • Oversized Packet: Size-based crash prevention
  • Crasher Detection: Catches everything else + unknown crashes

Best Practices

  • Always keep enabled - This is the most critical check
  • Use medium-high sensitivity - Better safe than crashed
  • Enable auto-kick - Crash attempts are never legitimate
  • Enable signature updates - Stay protected against new exploits
  • Monitor alerts - Know when someone tries to crash your server
  • Consider IP bans - Players who attempt crashes should be banned

Critical: Crasher Detection is GAPE's last line of defense against server crashes. Never disable this check on production servers.