Nocom

nocom
Nocom heatmap of the overworld, from -245k to +245k, from early 2020 to mid-2021
Type	Coordinate exploit
Date First Used	July 2018
Date Leaked	July 2021
Date Patched	July 2021
Discoverer	0x22 and Babbaj
v t e

From mid-2018 to mid-2021, the exploit known as nocom^{[notes 1]} was used by Nerds Inc. Considered to be the most severe exploit in 2b2t history, it began when a server lagging/crashing exploit was patched in PaperMC, a Minecraft server software used on 2b2t. The exploit allowed Nerds Inc to observe the player movements of every player on 2b2t.

The initial exploit allowed a player to force the server to load arbitrary chunks with packet with no rate limit, causing the main thread of the server to block until all of the packets were processed. By varying the number of packets the server could freeze for just a few seconds, or until the watchdog thread killed the whole server. In the queue server, it was possible to send enough packets to keep the network thread busy with the exploiter's packets for so long that the server thought the connection for every other player in the queue was dead and disconnected them, thus allowing the queue to be skipped. 0x22 and Babbaj would utilize the exploit to intentionally crash the server, expecting that Hausemaster would report the exploit to Paper. The exploit was fixed in July 2018 by; however, the fix allowed for the ability to check if any chunk in the world was currently loaded. Nerds Inc exploited this new vulnerability by scanning the world in a spiral pattern, sending thousands of packets per second. Although the approach was primitive, it was effective up to about 1 million blocks. In 2019, Hausemaster, in response to off-hand switch sound lag exploit, added a rate limit that severely limited the effectiveness of the packet spamming approach and usage of the exploit temporarily stopped. In 2020, Nerds Inc enlisted Leijurv, the lead developer of Baritone, to create a completely new system that was effective with the strict rate limit by tracking players as they move. In addition to tracking players, nocom was able to slowly remotely download bases.

Nerds Inc employed a disinformation campaign to downplay coordinate exploits in an effort to ensure nocom's secrecy. Other exploits, such as the pet teleportation exploit, were used as covers for nocom. Nocom has been attributed to the destruction of Space Valkyria 3 V2, as well as Niflheim, Acheron, Avalonia, and Yggdrasil; several other bases were destroyed under the guise of the "Dipper Nation", a series of images and memes. Nocom was also used to fund several projects started by the SpawnMasons using stashes located through the exploit. Nocom's existence was threatened by 0Neb, who attempted to raise suspicion of Nerds Inc, and the Infinity Incursion, who recreated a less powerful version of the exploit and used it against Fit.

In July 2021, Hausemaster implemented a fix to nocom—and similar exploits—limiting the range the server would return chunk information for. Several days later, Nerds Inc released information on nocom, including its existence and statistics. The source code for nocom was released in February 2022 dating back to Leijurv's involvement in March 2020.

Overview and flaw of exploit

Nocom utilizes a flaw in PaperMC for Minecraft 1.12.2, introduced in a patch. As it is a flaw within the PaperMC server software, said flaw does not exist in vanilla Minecraft. The patch, titled "Fix block break desync" , was implemented in July 2018 by Paper team member electronicboy, and added the following line of code:

if (worldserver.isChunkLoaded(blockposition.getX() >> 4, blockposition.getZ() >> 4, true)) // Paper - Fix block break desync - Don't send for unloaded chunks

The patch changes the behavior of Minecraft servers running Paper; when a player sends a packet mining a block that is in an unloaded chunk, a packet is not sent back to the player. This could, in turn, allow a player to determine if a chunk is loaded or not, dependent on if the server returns a response.

Initial ghost block patch and lag exploit

In vanilla Minecraft, a CPacketPlayerDigging packet is simply ignored entirely when it is over six blocks away from the player. However, due to lag, the server and client can disagree on where the player is. It is possible, then, for some good-faith block digging packets to be discarded by this policy. Since the server simply ignores the client, a "ghost block" is created, where the block exists on the server's end, but not the client's.

In January 2017, a user known as prplz submitted a pull request to fix this issue, by sending a PacketPlayOutBlockChange packet when a player attempts to mine a block more than six blocks away, resolving the server-client ghost block dispute. The pull request adds the following line to the PlayerConnection.java file:^[1]

this.sendPacket(new PacketPlayOutBlockChange(worldserver, blockposition)); // Paper - Fix block break desync

By sending a packet for each block change, the patch created a vulnerability within Paper. To send the PacketPlayOutBlockChange packet back to the user, the server needs to load the chunk at the block position specified by the constructor. As loading chunks increases the computational load of a Minecraft server, sending continuous CPacketPlayerDigging packets to blocks at unloaded chunks creates immense server lag.

Coordinate exploit

A recreation of the crash log that Hausemaster saw and reported to Paper

In July 2018, 0x22 and Babbaj created a coordinate exploit, using the groundwork laid out in the lag exploit. The two theorized that, if the server didn't return a response for unloaded chunks, but returned a response for loaded chunks, the rough location of players in 2b2t could be approximated. However, prplz's patch returned a response regardless of whether a chunk was loaded or unloaded, requiring a second patch to Paper that would only return a response if the chunk was loaded.

Knowing that the issue would be resolved if Hausemaster reported it to Paper, likely through the method they laid out, 0x22 and Babbaj began intentionally, repeatedly, and blatantly sending CPacketPlayerDigging packets, causing the Paper watchdog process to output a stack trace, which included the line added by prplz. Hausemaster reported the issue on July 11, 2017,^[2] and the issue was fixed by electronicboy the following day by only returning a response for loaded chunks.^[3] The commit added a check—if (worldserver.isChunkLoaded(blockposition.getX() >> 4, blockposition.getZ() >> 4, true))—if a player is in a loaded chunk.

Following the patch, a player could obtain the status of a chunk by attempting to break a block within the chunk. If the chunk is unloaded, the server returns nothing; if the chunk is loaded, the server returns a SPacketBlockChange packet and the block type of the block the player attempted to break, regardless of if the player loaded that chunk themselves.

The block detection mechanism of nocom was not a novel approach; Orebfuscator, a server plugin designed to combat X-ray techniques, obscures the contents of a block until a player approaches it, and used this technique before electronicboy's patch.^[4]

Initial implementation

Fr1kin created the initial nocom exploit

On July 13, 2018, Hausemaster implemented electronicboy's patch into 2b2t. Fr1kin, a member of Nerds Inc, created a ForgeHax exploit to search chunks in 2b2t in a spiral pattern, writing down coordinates to a file and in chat. The contents of this file were uploaded to a website visible to members of Nerds Inc. A bot using Baritone was set up, and chunks could be downloaded for remote viewing. Using mixin to alter chunk rendering in freecam, a module could remotely load a base using nocom.^[5] This technique was used until late 2019, when Hausemaster implemented a packet rate limit, preventing brute force attempts to calculate coordinates.^[6] In addition, the spiral technique had several drawbacks; most notably, large bases were indistinguishable from dirt huts.^[7]

Leijurv's additions

Leijurv, the lead developer of Baritone, joined the project in March 2020. Leijurv implemented an adaptive tracking system to tactfully determine precise coordinates for a player. To achieve this, dozens of bots^[5] were used in the overworld and the Nether, with offset shift schedules to ensure uptime. Bots in the Nether mainly observed the Nether highways, tracking players and coordinating with the overworld bots. nocom tracked the time a player spent in one location; this was used to mark chunks where a player had spent more than 90 minutes at. These statistics were tracked in a PostgreSQL database and analyzed through direct queries and a web UI.^[6]

Players were located through straight-line checks on every axis and diagonal highway in the Nether, in a process that would take 33 minutes.^[8] After being located, a Monte Carlo particle filter was used to keep up with the player. nocom's implementation of a Monte Carlo particle filter simulates 1,000 different potential player positions and velocities, referred to as "particles". As players traveled in the Nether, the Monte Carlo particle filter improved, furthered by the low-degree in variance in player movement. To guess a location, sequential importance sampling was used.^[9] The adaptive tracking system works using the following equation.^[7]

${\displaystyle \int f(x_k) p(x_k|y_0,\dots,y_k) dx_k \approx \sum_{i=1}^N w_k^{(i)} f(x_k^{(i)}).}$

Four main scanners were used: a Nether highway scanner, a ring scanner, a spiral scanner, and a cluster retry scanner. These scanners were assigned different priorities; the Nether highway scanner, for instance, was given mid-priority, while the spiral scanner received the lowest priority, with each bot running through each scanner in priority order.^[10] Priorities were used to handle Hausemaster's packet limit.^[5] A central manager, dubbed the "tracky tracky manager", coordinated these scanners, and implemented a Monte Carlo particle filter for each new player. The cluster retry scanner rechecked bases at random.^[6]

To analyze the data from nocom, an aggregator analyzed the hits (loaded chunks). Once a chunk was loaded for more than five minutes, it was added to a GiST index and labeled as a node. High-activity areas were labeled as "core" nodes, and core nodes created clusters that could be combined with other clusters, creating a disjoint-set data structure. Path compression and unions were implemented by rank. Simultaneously, an associator used this data with player log-offs. Clusters were also used by a "slurper", which allowed Nerds Inc to download bases. Using "chunk seeding", a base could be determined in a chunk.^[6] Blocks, such as shulker boxes, stained glass, beacons, and chests, were used to determine if a chunk is a base, and nocom would then recreate the chunk in a separate instance of Minecraft.^[7]

nocom was deployed on a DigitalOcean droplet located in New York to ensure the lowest amount of latency between the bots and 2b2t's servers. A version of Minecraft was deployed on the servers using a single instance of Java. Bots were coordinated in a network. The status of the bots was visible in Grafana in a Docker container with WireGuard.^[6]

Imitations

The Infinity Incursion were able to recreate nocom and implemented it within their cheating clients. The Infinity Incursion would use their exploit against Fit, and attempted to sell his logout coordinates for real-world money.^[7]

Impact

Space Valkyria 3 V2's coordinates were exposed through nocom

nocom observed 3,250,000 player sessions and 300,000 unique players. Using its definition of a base, 15,000 bases were tracked, of which two thirds had a world download.^[7] These world downloads have the full block-by-block timeline of the base's history at 30 minute intervals. This was only done for bases hundreds of thousands of blocks away from spawn. 400,000 "association events" were tracked, where a player logged out at a tracked base. The table of blocks has over 10,000,000,000 rows, and took up over a terabyte for the table and its associated indexes. The table of hits, has 3,000,000,000 rows, while the table of tracks, which is a grouping of hits into which ones were collected as a part of one continuous track, has 10,000,000 rows.

Use in griefing

nocom has been attributed to the destruction of multiple bases and structures, including Space Valkyria 3 V2, Valerian, Hopen, Avalonia, Yggdrasil, Niflheim, Acheron, and Victoria. Coordinates for certain bases were leaked on r/2b2t under the guise of the "Dipper Nation", a facetious redneck group.^[7]

Spawnmasons

0x22, Bubbaj, and Leijurv used their access to nocom to find stashes, the locations of which would be shared with the Spawnmasons.^[7] Notably, Dectonic obtained hundreds of coordinates through Leijurv.^[5]

Use on other anarchy servers

nocom was used on other anarchy servers, including Constantiam and 9b9t.^[6]

Legacy

An interactive map of nocom used by MAC_TONIGHT_

nocom was patched in July 2021, and Nerds Inc released a write-up of nocom several days later. The source code for nocom was released on February 8, 2022.^[6]

The release of nocom's heatmap allowed MAC_TONIGHT_, a base hunter, to locate various bases detected by nocom and archive them.^[11]

Notes

References