Security Checks Overview

GAPE includes 10 comprehensive security checks that protect against packet-based exploits, crashes, and malicious behavior.

All Security Checks

Rate Limit

Prevents packet floods with configurable per-type rate limiting

Tab Complete Crash

Blocks malicious tab-completion packets that crash servers

Sign Exploit

Detects and blocks malicious NBT data in sign packets

Book Exploit

Validates book packets against overflow and injection attacks

Oversized Packet

Blocks packets exceeding payload size limits

Custom Payload Flood

Prevents plugin message spam and netty pipeline injection

Packet Flood

General flood protection across all packet types

Command Spam

Detects and prevents command flooding attacks

NoCom Exploit

Validates player coordinates and detects position exploits

Crasher Detection

Multi-vector crash packet detection and prevention

How Security Checks Work

Each security check operates at the packet level using the PacketEvents API. When a packet is received:

  1. Interception: Packet is intercepted before reaching the server
  2. Validation: Check validates packet against known exploit patterns
  3. Decision: Packet is allowed, cancelled, or player is flagged
  4. Action: Based on violation level, alert staff, cancel packet, or kick player

Enabling/Disabling Checks

Individual checks can be enabled or disabled in config.yml:

checks:
  ratelimit: true
  tab-complete: true
  sign-exploit: true
  book-exploit: true
  oversized-packet: true
  custom-payload-flood: true
  packet-flood: true
  command-spam: true
  nocom-exploit: true
  crasher: true
Warning: Disabling checks reduces protection. Only disable checks if you experience false positives and have verified they're not needed.

Violation Management

When a check detects a violation:

  • Violation Count Increases: Player's violation level increments
  • Thresholds Checked: Compare against alert/cancel/kick thresholds
  • Actions Taken: Alert staff, cancel packet, or kick player
  • Decay Over Time: Violations reset after configured interval

See Violation Configuration for details.

Performance Impact

All checks are highly optimized:

  • Per-packet overhead: 300-500 nanoseconds
  • Memory usage: ~560 bytes per tracked player
  • Async processing: Violations handled off main thread
  • Smart caching: Reduces redundant checks

Next Steps

Learn about each security check in detail: