Oversized Packet Check

Blocks packets exceeding maximum payload size limits.

What It Does

This check measures the size of each incoming packet and blocks any that exceed configured size limits. It's GAPE's fastest check, running before any other validation.

Why It's Needed

Oversized packets are dangerous because they:

  • Consume memory - Large packets allocate significant memory for processing
  • Cause lag - Processing megabyte-sized packets takes time
  • Crash servers - Extreme packet sizes can cause OutOfMemory errors
  • Exploit bugs - Some Minecraft bugs only trigger with large packets
  • Waste bandwidth - Network resources consumed by malicious data

How It Works

GAPE checks packet size at the lowest network level:

  • Packet size is measured before any processing
  • If size exceeds limit, packet is immediately dropped
  • No expensive parsing or validation occurs
  • Extremely fast check (~30ns overhead)

What It Protects Against

Memory Exhaustion

Attackers send massive packets (10MB+) to consume all available server memory.

Bandwidth Flooding

Flooding the server with huge packets to saturate network bandwidth and prevent legitimate traffic.

Parser Exploits

Some exploits only work with abnormally large packets that trigger buffer overflow or parsing bugs.

Resource Consumption

Processing large packets consumes CPU, memory, and network resources that should be used for gameplay.

Packet Size Limits

Default Limits by Packet Type

  • Chat packets: 32KB (256 characters × encoding overhead)
  • Sign packets: 4KB (4 lines × 96 chars + NBT)
  • Book packets: 512KB (100 pages with formatting)
  • Item packets: 64KB (complex item NBT)
  • Custom payload: 32KB (plugin messages)
  • Other packets: 2MB (global maximum)

Why These Limits

Limits are set slightly above vanilla Minecraft's maximum legitimate packet sizes to allow normal gameplay while blocking exploits.

Configuration Options

Global Maximum Size

Hard limit for any packet:

  • 2MB: Default, very lenient
  • 1MB: Strict protection
  • 4MB: Extra lenient (not recommended)

Per-Type Limits

Set different limits for different packet types based on their expected size.

Violation Action

  • Cancel packet: Always enable (default)
  • Kick on threshold: Recommended (5-10 violations)
  • Alert staff: Enable for monitoring

False Positives

Very rare with proper configuration. Potential causes:

  • Large plugin items: Some plugins create items with extensive NBT
  • Long books: Legitimate books near maximum size
  • Modded clients: Mods may send larger packets

Solution: Increase the specific packet type limit slightly.

Performance Impact

Oversized packet check is GAPE's fastest:

  • Per-packet: ~30ns (just reading packet size)
  • Memory: Zero additional memory
  • Runs first: Blocks packet before expensive checks run

Why This Runs First

Oversized packet check runs before all other checks because:

  • It's the fastest check (just a size comparison)
  • Prevents wasting CPU on validating malicious large packets
  • Protects against memory exhaustion immediately
  • No point validating a packet that will be rejected anyway

Real-World Attack Examples

50MB Chat Packet

Attacker sends a chat packet claiming to contain 50MB of text. Without protection, the server allocates 50MB of memory and tries to process it, causing a crash.

Bandwidth Flood

Attacker floods the server with 10MB packets at 100 packets/second = 1GB/s of malicious traffic, saturating the network.

Item NBT Bomb

Item packet with 10MB of NBT data. Processing this NBT causes the server to freeze for several seconds.

Comparison with Other Checks

  • vs. Rate Limit: Oversized checks packet size, Rate Limit checks packet count
  • vs. NBT Validation: Oversized is faster, NBT Validation is more thorough
  • vs. Packet Flood: Oversized checks individual packet size, Packet Flood checks total packet volume

Best Practices

  • Keep enabled on all servers - this is a critical first-line defense
  • Use default limits unless you have specific needs
  • Set violation threshold to 5-10 to allow for occasional legitimate large packets
  • Enable auto-kick to remove attackers quickly
  • Alert staff to track repeated attempts
  • Review logs to identify if limits are too strict
Tip: This is GAPE's most efficient check. It provides excellent protection with virtually zero performance cost.