Crasher Detection Check
Multi-vector crash packet detection and prevention.
What It Does
Crasher Detection is GAPE's most comprehensive check, combining multiple detection methods to identify and block packets specifically crafted to crash the server. It analyzes packet patterns, structure, and content to catch both known and unknown crash exploits.
Why It's Critical
Server crashes are catastrophic because they:
- Immediately disconnect all players - Disrupts gameplay for everyone
- Require manual restart - Server stays down until admin intervenes
- May corrupt data - Sudden crashes can corrupt world saves or databases
- Create downtime - Server unavailable until restarted
- Damage reputation - Players lose trust in unstable servers
Detection Methods
Known Crash Patterns
GAPE maintains signatures of known crash exploits:
- Tab-complete crash patterns
- Sign/book NBT crash structures
- NaN/Infinity coordinate crashes
- Oversized packet crashes
- Malformed JSON crashes
Anomaly Detection
Identifies suspicious patterns that match crash characteristics:
- Deeply nested data: NBT or JSON nested 50+ levels
- Extreme values: Numbers outside reasonable ranges
- Malformed structures: Data that doesn't match expected format
- Unusual packet combinations: Sequences of packets that typically crash
Heuristic Analysis
Uses behavioral analysis to detect new crash exploits:
- Packets that deviate from normal gameplay patterns
- Rapid sequences of specific packet types
- Unusual packet ordering
- Packets with suspicious timing
Resource Consumption Prediction
Estimates the resources a packet will consume:
- Processing time prediction
- Memory allocation estimates
- CPU cycle requirements
- Blocks packets likely to cause resource exhaustion
What It Protects Against
Classic Crash Exploits
- Tab-complete crashes: Malformed tab completion packets
- Book crashes: Books with extreme page counts or sizes
- Sign crashes: Signs with malformed NBT
- Coordinate crashes: Invalid position data
Parser Crashes
- JSON bombs: Deeply nested JSON that causes stack overflow
- NBT bombs: Malicious NBT structures
- UTF-8 exploits: Invalid encoding that crashes parsers
- Regex exploits: Strings that cause regex catastrophic backtracking
Resource Exhaustion
- Memory bombs: Packets requiring gigabytes of allocation
- CPU bombs: Packets requiring excessive computation
- Thread bombs: Packets that create thread deadlocks
Zero-Day Exploits
- Unknown crash exploits detected via anomaly detection
- New variants of known exploits
- Version-specific crash bugs
Multi-Layer Protection
Crasher Detection runs multiple layers sequentially:
- Signature matching: Fast check against known patterns (~50ns)
- Structure validation: Verify packet structure (~100ns)
- Resource prediction: Estimate resource consumption (~150ns)
- Heuristic analysis: Behavioral analysis (~200ns)
Total overhead: ~200ns per packet (the remaining layers are skipped if a signature matches)
Configuration Options
Detection Sensitivity
- High: Catches more crashes, slight increase in false positives
- Medium: Balanced (default)
- Low: Only obvious crash attempts
Signature Database
- Auto-update: Download latest crash signatures automatically
- Manual: Administrator controls signature updates
- Offline: Use bundled signatures only
Heuristics
- Enabled: Detect unknown crashes (recommended)
- Learning mode: Learn normal patterns without blocking
- Disabled: Only use signature matching
Violation Action
- Cancel packet: Always enable (default)
- Kick immediately: Recommended - crashers are always malicious
- IP ban: Automatically ban IP after crash attempt (optional)
Common Crash Vectors
Data Structure Bombs
NBT or JSON nested hundreds of levels deep, causing stack overflow when parsed.
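A structure check for this vector can measure nesting depth with a flat scan, so the check itself never recurses. The following is an added example, not GAPE's code: the class and method names are hypothetical, the limit of 50 comes from the "nested 50+ levels" threshold above, and only JSON text is handled (NBT would need its own tag walker).

```java
public final class NestingDepthCheck {
    // Threshold from the page: data nested 50+ levels is treated as anomalous.
    static final int FLAG_DEPTH = 50;

    /** Returns true if the JSON text is balanced and never reaches flagDepth levels. */
    static boolean withinDepth(String json, int flagDepth) {
        int depth = 0;
        boolean inString = false;
        boolean escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                // Brackets inside string literals are data, not structure.
                if (escaped) {
                    escaped = false;
                } else if (c == '\\') {
                    escaped = true;
                } else if (c == '"') {
                    inString = false;
                }
                continue;
            }
            if (c == '"') {
                inString = true;
            } else if (c == '{' || c == '[') {
                if (++depth >= flagDepth) {
                    return false; // reject before a recursive parser sees it
                }
            } else if (c == '}' || c == ']') {
                if (--depth < 0) {
                    return false; // unbalanced close: malformed structure
                }
            }
        }
        return depth == 0 && !inString; // unterminated input is malformed too
    }

    public static void main(String[] args) {
        // Constructed samples, not captured traffic.
        String chat = "{\"text\":\"hi [not nested]\",\"extra\":[{\"text\":\"!\"}]}";
        String bomb = "[".repeat(500) + "]".repeat(500);
        System.out.println("chat ok: " + withinDepth(chat, FLAG_DEPTH));
        System.out.println("bomb ok: " + withinDepth(bomb, FLAG_DEPTH));
    }
}
```

The scan is linear in the input length and uses constant memory, so it can run before the payload is handed to any parser.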
Size Bombs
Packets claiming to contain terabytes of data, causing OutOfMemoryError.
Encoding Bombs
Invalid UTF-8 sequences or special Unicode that crashes text processing.
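Size bombs and encoding bombs can both be stopped at the point where a string field is read: check the declared length against a cap and against the bytes actually present before allocating, then decode strictly. The following is an added example, not GAPE's code: the field layout (4-byte big-endian length, then UTF-8 bytes), the 32,767-byte cap and all names are assumptions for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

public final class BoundedStringField {
    // Assumed per-field cap; set it from what the field legitimately needs.
    static final int MAX_FIELD_BYTES = 32_767;

    /** Reads [4-byte big-endian length][UTF-8 bytes]; an assumed layout. */
    static String read(ByteBuffer in) {
        if (in.remaining() < Integer.BYTES) {
            throw new IllegalArgumentException("truncated length prefix");
        }
        int declared = in.getInt();
        // Reject a negative (sign bit set) or oversized claim, and any claim
        // not backed by bytes that actually arrived, before allocating.
        if (declared < 0 || declared > MAX_FIELD_BYTES || declared > in.remaining()) {
            throw new IllegalArgumentException("bad declared length: " + declared);
        }
        ByteBuffer field = in.slice();
        field.limit(declared);
        in.position(in.position() + declared);
        try {
            // REPORT turns malformed UTF-8 into an error instead of U+FFFD.
            return StandardCharsets.UTF_8.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(field).toString();
        } catch (CharacterCodingException e) {
            throw new IllegalArgumentException("invalid UTF-8 in string field", e);
        }
    }

    public static void main(String[] args) {
        // Constructed packets: valid, oversized length claim, malformed UTF-8.
        byte[][] packets = {
            {0, 0, 0, 2, 'h', 'i'},
            {0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff, 'x'},
            {0, 0, 0, 2, (byte) 0xc3, 0x28},
        };
        for (byte[] p : packets) {
            try {
                System.out.println("accepted: " + read(ByteBuffer.wrap(p)));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```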
Division by Zero
Crafted packets that cause division by zero in calculation code.
Null Pointer Exploits
Packets with missing required fields that cause NullPointerException.
False Positives
Crasher Detection rarely causes false positives. If they occur:
- Lower sensitivity: Reduce to medium or low
- Disable heuristics temporarily: Use signatures only while investigating
- Whitelist players: Trusted players can bypass the check
- Report to GAPE: Help improve detection accuracy
Signature Updates
GAPE's crash signature database is regularly updated:
- Frequency: Weekly automatic updates
- Source: Community-reported crashes and security research
- Validation: All signatures tested before release
- Opt-out: Can disable updates for offline servers
Performance Impact
- Signature check: ~50ns per packet
- Full analysis: ~200ns per packet (when signatures don't match)
- Memory: ~2MB for signature database
- Benefit: Prevents server crashes that cost 10-60 seconds of downtime
Zero-Day Protection
Heuristic analysis provides protection against unknown crashes:
- Learns normal packet patterns during first 24 hours
- Flags packets that significantly deviate from normal
- Blocks packets with characteristics similar to known crashes
- Doesn't require signature updates for new exploits
Reporting Crashes
If a crash packet gets through GAPE:
- Check violation logs for the specific packet
- Report to GAPE developers with packet details
- Signature will be added in next update
- All GAPE users protected within 7 days
Integration with Other Checks
Crasher Detection complements specific checks:
- Tab Complete: Specific tab-complete crash patterns
- Sign/Book Exploit: NBT-based crash detection
- NoCom: Invalid coordinate crashes
- Oversized Packet: Size-based crash prevention
- Crasher Detection: Catches everything else + unknown crashes
Best Practices
- Always keep enabled - This is the most critical check
- Use medium-high sensitivity - Better safe than crashed
- Enable auto-kick - Crash attempts are never legitimate
- Enable signature updates - Stay protected against new exploits
- Monitor alerts - Know when someone tries to crash your server
- Consider IP bans - Players who attempt crashes should be banned