Today we are looking at the claim that I saw from some people that they don't need a whitelist as their mod list is unique and griefers couldn't join.
This post is about the connection with a NeoForge server (different mod loaders might be similar or might not be). I've only looked at NeoForge.
In the first phase of loading, the Minecraft client tells the server the network packets it knows. The server responds with a simple accept or a deny and tells you the network channels (packets) the client needs to support to be able to join. Those are namespaced to the mod and are shown big on screen.
If the server accepts the connection, it will tell the client about all registries and their content. Registries are a way to resolve entities/blocks/items and much more based on their name, so almost any mod will have something in them. The log at the end shows a compressed version of what the client receives. I know every mod I need to join the server. I could spoof the data to join if I don't have the mods or just search for them on the popular mod hosting sites and get a proper mod pack to join.
You saw yesterday what I was able to do once I was able to join.
All of this in 5 minutes of coding.
Your mod list is not a whitelist.
If you don't have it enabled, please do.
by missbismuth
5 Comments
I’m pretty damn sure i can bypass this. Btw what about mods that don’t register packets or anything else
Goodluck downloading all 600 of my mods and their dependency’s.
That’s one dedicated griefer.
I dont know what’s involved with spoofing but I imagine spoofing 600 mods would still likely be a pain, and even if its not would it really let them in, ive had issues in the past where the slightest config mismatch won’t let my friends join.
It is a good psa, ive always felt very safe having custom modpacks running on a server, so its good to be aware there are ways people can get around the massive modlist.
But I still find it unlikely someone would go through that effort to grief a modded server and I always have automated backups anyway.
a simple lock-and-key mod could be it, just a single decryption key handshake on join where the key can just exist on the client’s config
currently, modlist as whitelist only stops script kiddies, if say the 5th column got bored enough they could start spoofing packets to hit modded servers. the lock-and-key mod would bump the effort needed to enter the server from “figuring out how to spoof packets” to “hacking into someone’s pc”, which is so much effort nobody’s gonna do it for like 5 more years
I’ve run private servers since the early days of Minecraft. I’ve probably run nearly every version of vanilla Minecraft since multiplayer was introduced. I’ve literally never seen someone connect to any of these servers who was not given the IP and port by an active player. I haven’t used a whitelist most of the time because literally no one is trying to get in. I’ve run a lot of different servers and the only time I ever need a whitelist or password is if there is a server browser in a game that cannot be disabled (which to be fair, is not uncommon).
I’ve never heard anyone suggest that a mod list is as good as a white list. But I don’t participate a lot in custom mod packs. Are people just posting their IP (or domain) and port on the public web claiming that its safe because unique modlist? Or are you suggesting that all servers need a whitelist because someone might find a way to get your IP+port? Thats a LOT of work, and for what? To greif a truely random server? Or to attack more maliciously? That’s a lot of work for not a lot of payoff, unless you’re expecting someone to have a crypto wallet.
I know it’s not the point of this post, but I’d be fascinated to see how a spoofed and crashproofed client interacts with a heavily modded server. Like, how it would look to try to play the server normally, visit people’s bases, etc.