SpigotVIP XCord: Best Performance, Anti-bot, Anti-Exploit (Spigot+Bungee) Bungeecord fork (1.7-1.19+) 1.37

Compatible operating systems

1. Windows
2. MacOS
3. Linux

Language

1. Java

TagsTagsanti-bot antibot antiexploit bot bungeecord exploit travertine
Note: XCord requires a license to run properly. You can obtain a license from joining the official XCord channel and verifying your ownership (Insure non-friend DM's are enabled). Verification is automated, and quick!

Description
XCord is an advanced Bungeecord fork designed for high performance, low CPU usage, and packed with a powerful anti-exploit/anti-bot (Possibly the best on the market). Contains a large collection of advanced anti-bot checks, powerful kernel level anti--Redacted-, layer 7 anti--Redacted-, and various checks to stop Bungee and Spigot exploits with ease. No longer will you have to rely on cheap hacky protection to stop attacks...

Features

• Various optimizations, highly optimized native packet compression, reduced CPU load, native encryption. Guaranteed to decrease CPU usage. Highest performance gains on mc-market, along with lowest latency possible
• Built in ping-spam protection
• Built in powerful anti-bot designed to withstand large attacks, while keeping the Bungeecord at a low CPU level
• Configurable compression strength (Native only)
• 1.7-1.17.1+ protocol support
• Anti-bungee/TCP exploit system: Blocks many exploits that aren't even publicly known. (No known bypasses)
• Anti-spigot/mc-server exploit system: This bungeecord comes with an optional module that blocks Jessica/Payload/Spigot-Cracker/NBT-bomb/spam exploits. There's no known bypass, and it's extremely lightweight.
• Blacklist system (With IPSet support)
• Non-interfering (No fake lobbies, captcha's, ect. Users wont know) [Unless you choose to enable more advanced gravity/collision checks]
• Designed with performance, and false positives being the main objective.
• Option to filter logs ONLY during bot attacks
• /xcordreload command for reloading the config without having to reboot the entire network
• Option to use a high performance Anti-VPN system (Requires API(s) IPHub.info or proxycheck.io)
• Around ~160+ configuration lines (xcord.yml)
• Packet batching system to increase network stability, and decrease native load
• Optimized network thread handling/creation
• Option to only pass connections deemed as legitimate through plugins (Like JPremium, SkinRestorer, etc) using the passthrough option. Will also only pass non-bot users through Mojang's API, preventing your server from being ratelimited!
• Powerful kernel level country blocker option. VERY useful against large -Redacted- DoS attacks
• Optimized DNS resolving capability (+NIO) to insure high performance multi-thread performance, and prevent pointless DNS querying

Anti-Bot
Modern minecraft server's are plagued by increasingly more and more powerful botting programs designed to down the server in seconds. XCord however provides a powerful anti-bot solution programmed directly into the roots of Bungeecord with the ability to migrate these attacks without hindering the performance of your server.

Currently, it consists of multiple fixes and checks all of which can be configured, and disabled if you choose to

Checks

• Connection speed: Prevents bots from pinging, or connecting too rapidly
• Login speed: Prevents bots from logging in rapidly from multiple accounts
• Slow-Bot: Checks whether a connection is acting like a bot. Designed to catch slow bots, and Non-Minecraft clients.
• Chat-Check: Checks for /register or /login bots
• DNS-Check
• Linux-Check: Checks whether a connection potentially came from a Linux computer
• Random-name: At the moment, only detects whether they're using a certain pattern of randomized name. I plan on expanding on this module in the future
• Proxy check: Checks whether a client potentially came from a proxy during an attack using network logic instead of a database (Therefor, super fast)
• Verification check: Verifies whether the connection is coming from an actual minecraft client. Very powerful check with more to come in the future (If there's bypasses)
• Advanced Fake Lobby Check: Tests whether the client responds to collision, gravity, etc, in a virtual lobby before allowing them into the lobby server
• Latency check: Block connections exceeding a configured limit. Very useful for blocking slower proxies, or exhaustion attacks
• Timeout check: Blacklists connections who are abusing the minecraft protocol by spamming handshakes without ever completing them. This is already fixed by XCord, but having this additional check allows some extra protection against certain bots.
• Name Pattern: Detects names that are similar. Highly configurable
• Passthrough: (Disabled by default) When a new player joins, passes them through ALL of XCord's many anti-bot checks. If they make it through without detection, they're kicked, and can re-join normally. This prevents bots from overloading encryption/mojang-requests, plugins like JPremium, etc.

Spigot Anti-Exploit
More and more exploits are coming out and server owners are being forced to use heavy anti-exploit plugins on all their spigot instances. XCord luckily has it's own built in anti-exploit module designed for performance, and efficient exploit blocking! Currently, no clients have the ability to bypass XCord's powerful anti-crash exploit blocker. Disclaimer: Only tested on 1.8.9, 1.17.1 and versions alike may not be fully patched

Bungeecord Anti-Exploit
With the recent discovery of various vulnerabilities on Bungeecord, it's no longer optional to run a network without some level of exploit protection. XCord fixes all known Bungeecord/Netty/Buffer vulnerabilities, and appended all offending addresses to a blacklist in order to rapidly migrate any attack.

Anti-VPN System
XCord comes with a built in anti-vpn/proxy solution to help cut down on hackers and or bots. Unlike most other anti-vpn solutions, this system will not bog down networking threads, and will not allow it's self to become saturated by instantly executing HTML queries to several API's. On top of that, it also contains a cache system to prevent using up all your API calls.

Configuration example
Code:
anti-vpn:
enabled: true
blocked-asn:
- 20001
blocked-country:
- CHN
save-interval: 3600
purge-interval: 86400
purge-age: 2592000
blacklist-on-detection: false
only-blacklist-on-detection-during-attack: true
initial-connection-checkenabled: true
initial-connection-checkonly-during-bot-attack: true
initial-connection-checkcache-only: true
proxycheckerio-api:
enabled: true
arguments: '&risk=1&vpn=1&asn=1&tag={name}'
key: '34534627234534'
iphub-api:
enabled: true
key: '3463453453463453'
blackbox:
enabled: true

Anti-VPN Commands

• /xvpn (Base command) [xcord.command.vpn]
• /xvpn whitelist (Whitelist IP/name from check) [xcord.command.whitelistproxy]
• /xvpn listwhitelisted (List whitelisted entries) [xcord.command.whitelistproxy]
• /xvpn unwhitelist (Unwhitelist IP/name) [xcord.command.whitelistproxy]

IPTable Blacklisting
The most efficient way to block malicious TCP connections is with the IPTable. XCord will utilize a program called IPSet to blacklist connections if your server is running on ROOT, and you've enabled it in the config "ipset-blacklisting: true".

XCord will otherwise use a low level (Low level in terms of netty) blacklisting system to quickly terminate malicious connections. Although when dealing with massive -Redacted- attacks, it's highly recommended to enable ipset blacklisting.

Packet Batching
If your Spigot supports it, XCord will use controlled flushing to attempt to send packets in batches instead of instantly flushing them. Most modern Spigot forks such as Waterfall, Tuinity, NachoSpigot, etc, will function with this.

Largely increases network stability, and reduces CPU/memory usage. SIGNIFICANTLY thrives in high population areas with a lot of entities moving about.

Global Blacklist
XCord utilizes over 50 scraper bots to constantly find new malicious proxies and add them to a global blacklist. XCord will download the blacklist from XCord's HTTP server, and deny all the addresses listed in the blacklist using IPSet + IPTables (Or just layer 7 if you don't have IPTables) on a configurable interval. Currently consists of over 150k active proxies, with more being constantly added every hour

For those who have already bought XCord, this option comes HIGHLY recommended as some bots exceed 120k connections in under just a couple of seconds.


Optimization
XCord is the most optimized bungee fork on mc-market. It makes several optimizations to Bungeecord, ranging from compression, threading, the packet processing system, to the internals of Bungeecord. Squeezing every bit of performance out of every functionality of Bungeecord to allow users to host thousands of concurrent players on a single machine without sacrificing anything.

XCord also comes with more optional performance boosts in the config if your plugin are compatible (No ViaVersion on Bungeecord for instance). With everything enabled, XCord may reach, or even exceed Velocity's performance


Kernel Level Country Blocking
A common issue with hosting a server is having to deal with MASSIVE DoS attacks from thousands of different IP's. Generally from compromised servers/computers, or proxies. These attacks are swift to deliver any heavy payload to your server, quickly saturating your server's network. While the global-blacklist option is suitable for blocking a large percentage of these DoS attacks, XCord also comes with a country blocker which will DROP the connection before it's able to establish and deliver a payload! This is critical for stopping a large percent of DoS attacks that bypass OVH's migration.

This feature DOES require IPTables and ROOT! Without these, XCord will be stuck on layer 7!


Configuration
XCord's default config consists of over 200+ lines! Virtually every functionality of XCord can be customized, or disabled. A detailed description of each configurable option is downloadable in the official XCord Discord channel (Must verify to see)

Commands

• /xcordreload: Reloads the configuration
• /clearblacklist: Resets the blacklist
• /timedelayedevents: Outprints the time plugins take to process events. Very useful for figuring out what's bogging down your initial logins and proxy
• /testmemory: Have XCord outprint details about your memory usage. It'll also print out garbage collection events. This is useful for figuring out lag caused by memory consumption/leak issues.

Supported Protocols
1.7-1.18+ (Will be updated as Bungeecord is updated)


Discord
https://discord.gg/2dPr8f8GND
(All support is conducted through discord, along with early pre-releases, join!)


NOTE: XCord may require configuration (xcord.yml) in order to properly run without minor Anti-bot false positives on your server. It may not just be a drop in replacement for Bungeecord if you've got a strange server setup. A comprehensive configuration write up is available on XCord's discord channel. There are many more performance options included with XCord that will boost performance assuming plugins are compatible with them.

NOTE: XCord is considered to be a LINUX application. Although it will function good Windows/Mac, protection/performance will be not be as powerful due to not having access to certain OS related features. This is not specific to XCord, rather applies to ALL software. Windows doesn't have epoll, ipset/iptables, and has poor thread scheduling. Please consider this before buying XCord