top | item 29615428

Nocom – 2b2t Minecraft server exploit using Monte-Carlo localization

208 points| cyber_kinetist | 4 years ago |github.com

80 comments

[+] cityofdelusion|4 years ago|reply
If anyone else was lost like myself, here is the rundown. The linked github readme assumes prior knowledge of 2b2t.

This is an exploit for a very old Minecraft server (called 2b2t) where griefing (destroying other creations) and hacking is basically allowed. This kind of environment means that groups of players are incentivized to hide their projects out in the middle of nowhere, hundreds of thousands of blocks away from the world origin coordinates. The exploit allows a client to ask the server if data chunks at arbitrary coordinates have player activity in them, opening the server up to a brute force search to locate well-hidden bases.

Basically, a group got spy satellites in an anarchy Minecraft server where remaining hidden is critical to not being destroyed.

[+] Bluecobra|4 years ago|reply
This is a pretty clever exploit. I played on this server off and on between 2013-2016. The server is/was an acquired taste. The biggest challenge was to escape the hellscape around spawn; once you get past that it was pretty quiet, I don't ever recall running into anyone else unless I went back to the nether hub near spawn. It was really fun exploring old builds, the griefed ones were like old ruins. I liked to read the signs that were left behind and leave my own. I used to use some map mod and would note all the neat things I came across.

I admit that I also used an x-ray mod to detect things like chests, because why not? I wonder if any of my bases were ever discovered. Most of my ill gotten gains were hidden away in a bottom of a mineshaft in the middle of nowhere to help avoid detection.

Once the queue started to get long I stopped playing.

[+] rvnx|4 years ago|reply
In Minecraft you can dig blocks.

When you click to dig a block, it just calls the RPC method CPacketPlayerDigging with the coordinates of the block.

The server replies "Block of type ABC is too far".

So, of course, you now know that at (X,Y,Z) you have a block of type "ABC".

This RPC has no rate-limiting, so yes, you can know the whole map.

The fact that you can dig any block on the map, seems like a shortcut taken by developers of the server to save time or resources.

I'd even say it's almost intended behaviour.

Tech details: https://2b2t.miraheze.org/wiki/Nocom

[+] kingcharles|4 years ago|reply
Thank you. I had no idea what was going on. This is actually pretty neat once you explain it.
[+] cyber_kinetist|4 years ago|reply
Here's the FitMC Youtube video that first announced the exploit: https://www.youtube.com/watch?v=elqAh3GWRpA

A 2b2t wiki page about the exploit: https://2b2t.miraheze.org/wiki/Nocom

The teaser video: https://www.youtube.com/watch?v=3ayxeruAan8

[+] 323|4 years ago|reply
I second the first video, it's extremely well done, and as someone who never played minecraft I almost understood what happened.
[+] bastardoperator|4 years ago|reply
"2b2t ,the oldest anarchy server in Minecraft" - FitMC (every video)
[+] H8crilA|4 years ago|reply
This is from the same guy who coded Baritone:

https://youtu.be/CZkLXWo4Fg4?t=78

Extremely useful on anarchy servers, in fact the entire current "era" of anarchy is called "The Automation Period" mostly due to Baritone.

[+] leijurv|4 years ago|reply
I actually helped convince Sato in Feb 2020 to call it "automation period"; some other ideas were "age of fragmentation" (referring to how group allegiances were becoming split, with players in more than one group at a time) or "age of the algorithm" (referring to the YouTube algorithm promoting the server).
[+] leijurv|4 years ago|reply
Surprised to see this posted again, I wrote this, feel free to ask me anything!
[+] ucarion|4 years ago|reply
I'm curious what kind of tooling you developed as part of this process. It seems, from the linked YouTube video, like individuals were actively monitoring the data produced from the exfiltration attack. How did you go from the raw data to producing something that people could usefully monitor?
[+] barneygale|4 years ago|reply
Hello! I'm the original owner of the 'BibleBot' account/bot. Glad to see you put it to good use :-)
[+] gwern|4 years ago|reply
Why did it take them so long to discover the issue when you and another group were practically DoSing them every second for years on end (and they kept lowering the packet limit)? Didn't they ever wonder what it was all for or what the outgoing packets contained?
[+] snowycat|4 years ago|reply
Really impressive project! How did you learn all the things that you needed to make this? Are there any particular books or resources you would recommend? Also, how much did this entire project cost? I'd imagine processing that much data and storing it wasn't cheap.
[+] phgn|4 years ago|reply
This whole project is incredibly impressive, good job!

How much time would you say went into this both from yourself and the others? Probably quite a lot over the years? (because again, it's very impressive)

[+] tommsy64|4 years ago|reply
I'm curious how you developed the "very cute headless" Minecraft client. Did you use the Forge build tools? How did you go about ripping out the rendering/keyboard stuff?
[+] fffobar|4 years ago|reply
Tracking was completely broken by any teleportation, right? Such as enderpearl loading or a respawn at the bed.

Also, how many login sessions would it take to associate a track with an account?

[+] ajkjk|4 years ago|reply
Why did you do all this? I mean.. it's a ton of engineering, for what? For fun?
[+] potatoman22|4 years ago|reply
Did you use some form of Bayesian statistics to choose which chunk to query?
[+] heartbeats|4 years ago|reply
How accurate a map did you end up with?
[+] ThouYS|4 years ago|reply
what's your take on university as opposed to learning by doing? how do they complement each other?
[+] meibo|4 years ago|reply
What confuses me about this is that no one else found it?

Being somewhat experienced at game networking and writing server code with this type of exploit (e.g. sending a packet to do something at the other end of the map and processing the result) in mind, this would be something I either would have checked for in the first place if performance would have allowed for it, or would have kept in the back of my mind in case I hear about a possible exploit that takes advantage of it.

[+] leijurv|4 years ago|reply
One reason might be that this only existed in Paper, which is a downstream fork of Spigot, which is (sort of) a downstream fork of CraftBukkit, which is a set of patches to the official minecraft server.

Another reason might be that this only does anything if there are many players on the server, and you hit a region loaded by someone else. Might be difficult to think of that. You'd never come across it if testing in singleplayer.

But in essence I agree, it's surprising that no one else found and reported this years ago!

[+] itronitron|4 years ago|reply
For most multiplayer MC servers, this sort of exploit isn't worth the time because there are commands available to players to find nearby players and their bases (so they can check out each other's builds or participate in the local economy.)
[+] Sesse__|4 years ago|reply
What confuses _me_ about this is that nothing seems to say what it _is_. It's like there's some giant practical joke I'm not a part of, and the README.md just throws off heatmaps and wants me to watch a 24-minute YouTube video. Is everybody supposed to be a Minecraft expert? Is a simple paragraph of what this is all about (at the very beginning of the file) too much? :-)
[+] w-ll|4 years ago|reply
Why would the `mineblock` packet not be clamped to at least the render distance or, more realistically, the chunk the sender is in and the 8 adjacent chunks? I know I'm learning about this in hindsight and it's obvious.
[+] leijurv|4 years ago|reply
Yes, so Minecraft is exactly that. Any "I have mined this block" further than 6 blocks away from the player is ignored. The problem is that on a laggy server, an honest client can end up sending this, if the server lags out for more than 6 blocks of walking your player forward. So, Paper added a patch to undo these disallowed mines, setting them back to what they were. But this happened at any radius, and could be used to lag the server by making it generate any region. Then they patched it again and made it only reply if it were in a loaded chunk. The mistake was that it replies if the coordinate is in a chunk loaded by any player, not just by your player. :) See https://news.ycombinator.com/item?id=29620852
[+] TheJoeMan|4 years ago|reply
I learned some of the Monte Carlo techniques in my medical imaging classes, it’s very interesting the data one can fish out with a good-enough graph.

I also find the adaptive location “pinging” quite interesting, reminds me of the tech behind the F-22 active radar.

[+] bobsmooth|4 years ago|reply
My favourite part of this has to be the social engineering used to get the exploit patched in.
[+] kregasaurusrex|4 years ago|reply
The code used in the exploit itself looks rather harmless, as it was created to be a mitigation against finding players based on previously loaded chunks. https://github.com/PaperMC/Paper/blob/ver/1.12.2/Spigot-Serv...
[+] leijurv|4 years ago|reply
That is not correct, this patch is meant to prevent block break desync, which is when your client and the server disagree about what blocks are placed in the world. If the server discards/ignores anything your client sends, the server MUST reply telling the client to undo that action, otherwise desync occurs. (e.g. "i have broken this block" -> the client is too far to reach that block -> the server has to reply with "set that block back to air").

The original version of this patch https://github.com/PaperMC/Paper/blob/d934dcc1e3e8b1ac34acef... fixed that desync, but it allowed you to force the server to generate an unlimited amount of chunks, which is an expensive operation.

You could only find players using this patch after it was modified to only reply if the chunk was already loaded. But at no point in time was this patch able to reveal if a chunk had been previously generated or not, that is a separate unrelated issue in which Spigot will reliably send a partial chunk on initial generation, but never for a previously generated chunk.

Take a look at https://2b2t.miraheze.org/wiki/Nocom
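
The mechanism described by rvnx and leijurv above (an out-of-reach "I mined this block" packet that the server answers with a block restore, but only when the chunk is loaded by any player, which is what lets a far-away client brute-force where other players are), as an added simulation. This is example code written for this thread, not code from Paper, Spigot, Nocom or the Nocom author; the view-distance radius, the reply strings, the player positions and the "hardened" variant that answers only for chunks in the sender's own view are all assumptions made for the model.

```python
"""Constructed model of the Nocom-style chunk-loaded oracle (not Paper/Nocom code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

CHUNK = 16          # blocks per chunk side (real Minecraft value)
REACH = 6           # blocks; digs further than this are ignored by the server (per leijurv)
VIEW_DISTANCE = 4   # chunks kept loaded around each player; ASSUMED server setting

Chunk = Tuple[int, int]


@dataclass
class Player:
    name: str
    x: int
    z: int


def chunk_of(x: int, z: int) -> Chunk:
    """Block coordinates -> chunk coordinates (floor division, so negatives work)."""
    return (x // CHUNK, z // CHUNK)


class Server:
    """Minimal server that only models the digging-packet reply logic."""

    def __init__(self, players: List[Player], leaky: bool = True) -> None:
        self.players = {p.name: p for p in players}
        self.leaky = leaky  # True: reply if ANY player loads the chunk (the flaw)

    def loaders_of(self, chunk: Chunk) -> Set[str]:
        """Players whose view distance keeps `chunk` loaded (Chebyshev radius)."""
        cx, cz = chunk
        out = set()
        for name, p in self.players.items():
            px, pz = chunk_of(p.x, p.z)
            if max(abs(px - cx), abs(pz - cz)) <= VIEW_DISTANCE:
                out.add(name)
        return out

    def handle_digging(self, sender: str, x: int, y: int, z: int) -> Optional[str]:
        """Return the server's reply to a 'block broken at (x,y,z)' packet, or None."""
        p = self.players[sender]
        if abs(x - p.x) <= REACH and abs(z - p.z) <= REACH:
            return "BLOCK_BROKEN"  # legitimate in-reach dig; not modelled further
        # Out of reach: the dig is discarded, but to avoid client/server desync the
        # server must tell the client to put the block back (the desync fix).
        loaders = self.loaders_of(chunk_of(x, z))
        if self.leaky:
            # Flaw: answers whenever the chunk is loaded by *anyone*.
            return "BLOCK_CHANGE(restore)" if loaders else None
        # Assumed hardened variant: answer only for chunks the sender itself loads.
        return "BLOCK_CHANGE(restore)" if sender in loaders else None


def scan(server: Server, probe: str, cx_range: Tuple[int, int],
         cz_range: Tuple[int, int]) -> List[Chunk]:
    """Brute force: one digging packet per chunk, keep the chunks that got a reply."""
    hits = []
    for cx in range(*cx_range):
        for cz in range(*cz_range):
            # Aim at any block in the chunk; y is irrelevant to the loaded check.
            if server.handle_digging(probe, cx * CHUNK, 64, cz * CHUNK) is not None:
                hits.append((cx, cz))
    return hits


def centroid(hits: List[Chunk]) -> Optional[Chunk]:
    """Crude position estimate: centre of the replying chunks."""
    if not hits:
        return None
    n = len(hits)
    return (round(sum(c[0] for c in hits) / n), round(sum(c[1] for c in hits) / n))


def demo() -> Tuple[int, Optional[Chunk], int]:
    """Constructed scenario: probe at spawn, hidden player 100k blocks away."""
    players = [Player("probe", 0, 0), Player("target", 100_000, -50_000)]
    leaky = scan(Server(players, leaky=True), "probe", (6240, 6261), (-3135, -3114))
    hardened = scan(Server(players, leaky=False), "probe", (6240, 6261), (-3135, -3114))
    return len(leaky), centroid(leaky), len(hardened)


if __name__ == "__main__":
    n_hits, estimate, n_hardened = demo()
    print(f"leaky server: {n_hits} replying chunks, estimated chunk {estimate}")
    print(f"hardened server: {n_hardened} replying chunks")
```

The scan covers a 21 x 21 chunk window with one packet per chunk; against the leaky check every chunk inside the target's view distance answers, so the centroid lands on the target's chunk, while the hardened check gives the probe nothing because it is not loading any of those chunks itself. The real exploit as described in the thread had to work under per-connection packet limits, so choosing which chunks to query next (the Monte-Carlo localization in the title) matters far more than this exhaustive sweep.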

[+] the_gipsy|4 years ago|reply
This is brilliant!

Ah, gives me nostalgia of civcraft conspiracies...

[+] thegjp210|4 years ago|reply
good to see some other civcraft alumni on HN. What an experience...