Nocom

From mid-2018 to mid-2021, an exploit known as nocom was used by Nerds Inc. Considered to the worst exploit in 2b2t history, it began when a server crashing exploit was patched in PaperMC, a Minecraft server software used on 2b2t. The exploit allowed Nerds Inc to observe the player movements of every player on 2b2t.

The initial exploit allowed a player to send packets to unloaded chunks, lagging the server and allowing players to skip the queue. 0x22 and Babbaj would utilize the exploit to intentionally crash the server, expecting that Hausemaster would report the exploit to Paper. The exploit was fixed in July 2018; however, the fix would rely upon only sending a packet to the player attempting to break a block in a loaded chunk. Nerds Inc used this patch to observe loaded chunks, although this primitive approach applied equal weight to all bases, such as dirt huts. In 2020, Nerds Inc enlisted Leijurv, the lead developer of Baritone, to implement heuristics into nocom. Using probability association, Nerds Inc could approximate the general location of a player. In addition to tracking players, nocom was able to reconstruct bases in a separate instance of Minecraft in real-time, using 2b2t's seed.

Nerds Inc employed a disinformation campaign to downplay coordinate exploits in an effort to ensure nocom's secrecy. Other exploits, such as the pet teleportation exploit, were used as covers for nocom. nocom has been attributed to the destruction of Space Valkyria 3 V2, as well as Niflheim, Acheron, Avalonia, and Yggdrasil; several other bases were destroyed under the guise of the "Dipper Nation", a series of images and memes. nocom was also used to fund several projects started by the SpawnMasons using stashes located through the exploit. nocom's existence was threatened by 0Neb, who attempted to raise suspicion of Nerds Inc, and the Infinity Incursion, who recreated a less powerful version of the exploit and used it against Fit.

In July 2021, Hausemaster implemented a fix to nocom—and similar exploits—limiting the range the server would return chunk information for. Several days later, Nerds Inc released information on nocom, including its existence and statistics. The source code for nocom was released in February 2022 dating back to Leijurv's involvement in March 2020.

Overview and flaw of exploit
nocom utilizes a flaw in PaperMC for Minecraft 1.12.2, introduced in a patch. As it is a flaw within the PaperMC server software, said flaw does not exist in vanilla Minecraft. The patch, titled "Fix block break desync", was implemented in July 2018 by Paper team member electronicboy, and added the following line of code:

The patch changes the behavior of Minecraft servers running Paper; when a player sends a packet mining a block that is in an unloaded chunk, a packet is not sent back to the player. This could, in turn, allow a player to determine if a chunk is loaded or not, dependent on if the server returns a response.

Initial ghost block patch and lag exploit
In vanilla Minecraft, a  packet is simply ignored entirely when it is over six blocks away from the player. However, due to lag, the server and client can disagree on where the player is. It is possible, then, for some good-faith block digging packets to be discarded by this policy. Since the server simply ignores the client, a "ghost block" is created, where the block exists on the server's end, but not the client's.

In January 2017, a user known as prplz submitted a pull request to fix this issue, by sending a  packet when a player attempts to mine a block more than six blocks away, resolving the server-client ghost block dispute. The pull request adds the following line to the  file:

By sending a packet for each block change, the patch created a vulnerability within Paper. To send the  packet back to the user, the server needs to load the chunk at the block position specified by the constructor. As loading chunks increases the computational load of a Minecraft server, sending continuous  packets to blocks at unloaded chunks creates immense server lag. This lag was used by Babbaj to skip the queue as early as April 2018. Hausemaster would later implement a packet rate limiter in 2019 in response to the off-hand switch sound lag exploit, preventing the use of this exploit to skip the queue.

Coordinate exploit
In July 2018, 0x22 and Babbaj created a coordinate exploit, using the groundwork laid out in the lag exploit. The two theorized that, if the server didn't return a response for unloaded chunks, but returned a response for loaded chunks, the rough location of players in 2b2t could be approximated. However, prplz's patch returned a response regardless of whether a chunk was loaded or unloaded, requiring a second patch to Paper that would only return a response if the chunk was loaded.

Knowing that the issue would be resolved if Hausemaster reported it to Paper, likely through the method they laid out, 0x22 and Babbaj began intentionally, repeatedly, and blatantly sending  packets, causing the Paper watchdog process to output a stack trace, which included the line added by prplz. Hausemaster reported the issue on July 11, 2017, and the issue was fixed by electronicboy the following day by only returning a response for loaded chunks. The commit added a check——if a player is in a loaded chunk.

Following the patch, a player could obtain the status of a chunk by attempting to break a block within the chunk. If the chunk is unloaded, the server returns nothing; if the chunk is loaded, the server returns a  packet and the block type of the block the player attempted to break, regardless of if the player loaded that chunk themselves.

The block detection mechanism of nocom was not a novel approach; Orebfuscator, a server plugin designed to combat X-ray techniques, obscures the contents of a block until a player approaches it, and used this technique before electronicboy's patch.

Initial implementation
On July 13, 2018, Hausemaster implemented electronicboy's patch into 2b2t. Fr1kin, a member of Nerds Inc, created a ForgeHax exploit to search chunks in 2b2t in a spiral pattern, writing down coordinates to a file and in chat. The contents of this file were uploaded to a website visible to members of Nerds Inc. A bot using Baritone was set up, and chunks could be downloaded for remote viewing. Using mixin to alter chunk rendering in freecam, a module could remotely load a base using nocom. This technique was used until late 2019, when Hausemaster implemented a packet rate limit, preventing brute force attempts to calculate coordinates. In addition, the spiral technique had several drawbacks; most notably, large bases were indistinguishable from dirt huts.

Leijurv's additions
Leijurv, the lead developer of Baritone, joined the project in March 2020. Leijurv implemented an adaptive tracking system to tactfully determine precise coordinates for a player. To achieve this, dozens of bots were used in the overworld and the Nether, with offset shift schedules to ensure uptime. Bots in the Nether mainly observed the Nether highways, tracking players and coordinating with the overworld bots. nocom tracked the time a player spent in one location; this was used to mark chunks where a player had spent more than 90 minutes at. These statistics were tracked in a PostgreSQL database and analyzed through direct queries and a web UI.

Players were located through straight-line checks on every axis and diagonal highway in the Nether, in a process that would take 33 minutes. After being located, a Monte Carlo particle filter was used to keep up with the player. nocom's implementation of a Monte Carlo particle filter simulates 1,000 different potential player positions and velocities, referred to as "particles". As players traveled in the Nether, the Monte Carlo particle filter improved, furthered by the low-degree in variance in player movement. To guess a location, sequential importance sampling was used. The adaptive tracking system works using the following equation.


 * $$ \int f(x_k) p(x_k|y_0,\dots,y_k) dx_k \approx \sum_{i=1}^N w_k^{(i)} f(x_k^{(i)}).$$

Four main scanners were used: a Nether highway scanner, a ring scanner, a spiral scanner, and a cluster retry scanner. These scanners were assigned different priorities; the Nether highway scanner, for instance, was given mid-priority, while the spiral scanner received the lowest priority, with each bot running through each scanner in priority order. Priorities were used to handle Hausemaster's packet limit. A central manager, dubbed the "tracky tracky manager", coordinated these scanners, and implemented a Monte Carlo particle filter for each new player. The cluster retry scanner rechecked bases at random.

To analyze the data from nocom, an aggregator analyzed the hits (loaded chunks). Once a chunk was loaded for more than five minutes, it was added to a GiST index and labeled as a node. High-activity areas were labeled as "core" nodes, and core nodes created clusters that could be combined with other clusters, creating a disjoint-set data structure. Path compression and unions were implemented by rank. Simultaneously, an associator used this data with player log-offs. Clusters were also used by a "slurper", which allowed Nerds Inc to download bases. Using "chunk seeding", a base could be determined in a chunk. Blocks, such as shulker boxes, stained glass, beacons, and chests, were used to determine if a chunk is a base, and nocom would then recreate the chunk in a separate instance of Minecraft.

nocom was deployed on a DigitalOcean droplet located in New York to ensure the lowest amount of latency between the bots and 2b2t's servers. A version of Minecraft was deployed on the servers using a single instance of Java. Bots were coordinated in a network. The status of the bots was visible in Grafana in a Docker container with WireGuard.

Imitations
The Infinity Incursion were able to recreate nocom and implemented it within their cheating clients. The Infinity Incursion would use their exploit against Fit, and attempted to sell his logout coordinates for real-world money.

Impact
nocom observed 3,250,000 player sessions and 300,000 unique players. Using its definition of a base, 15,000 bases were tracked, of which two thirds had a world download. These world downloads have the full block-by-block timeline of the base's history at 30 minute intervals. This was only done for bases hundreds of thousands of blocks away from spawn. 400,000 "association events" were tracked, where a player logged out at a tracked base. The table of blocks has over 10,000,000,000 rows, and took up over a terabyte for the table and its associated indexes. The table of hits, has 3,000,000,000 rows, while the table of tracks, which is a grouping of hits into which ones were collected as a part of one continuous track, has 10,000,000 rows.

Use in griefing
nocom has been attributed to the destruction of multiple bases and structures, including Space Valkyria 3 V2, Valerian, Hopen, Avalonia, Yggdrasil, Niflheim, Acheron, and Victoria. Coordinates for certain bases were leaked on r/2b2t under the guise of the "Dipper Nation", a facetious redneck group.

Spawnmasons
0x22, Bubbaj, and Leijurv used their access to nocom to find stashes, the locations of which would be shared with the Spawnmasons. Notably, Dectonic obtained hundreds of coordinates through Leijurv.

Use on other anarchy servers
nocom was used on other anarchy servers, including Constantiam and 9b9t.

Legacy
nocom was patched in July 2021, and Nerds Inc released a write-up of nocom several days later. The source code for nocom was released on February 8, 2022.

The release of nocom's heatmap allowed MAC_TONIGHT_, a base hunter, to locate various bases detected by nocom and archive them.