Introducing KittyPaper

Since the beginning, the goal of KittyScan has been to make players and admins aware of security and privacy issues. KittyBlock was an attempt to create a simple solution to minimize the data that could be collected by scanners. Today I am introducing the next logical evolution: KittyPaper.

To maximize compatibility, KittyBlock was a Spigot plugin. Sadly this came with certain limitations. I could only modify the response and could not properly terminate the connection (I am excluding some hacky reflection solutions here). There were also some weird edge cases where the ping response was sent without ever being intercepted by the plugin. It also did not prevent the scanner from sending other fingerprinting requests beforehand. In short: I did not have the authority I wanted.

So if a plugin does not allow me to do what I want to do, what is the next logical step? My own Paper fork.

Implementing the KittyBlock functionality directly within the server software allows me to filter and terminate connections before they are ever handed over to the server logic. This massively reduces the number of possible work-arounds. Another benefit of this approach is that I can change the default values of the Minecraft/Spigot/Paper settings, allowing for more "secure" defaults. It will also allow me to implement some future™ features, which likewise require a lower level of access.

At its current BETA stage, I have implemented the minimal set of features required to provide practical value for players and admins.

Due to the privacy reasons outlined in this blog post, I have enabled hide-online-players by default. A setting has also been introduced which, when hide-online-players is not enabled, always treats players as having opted out of being shown in the player listing.

Connection blocking has also been introduced: any IP found on the configured blacklists (KittyScanBlocklist by default) has its connection terminated before it is handed over to the game logic. A dashboard is also provided which shows admins how many connections have been blocked. You can see a live demo of this dashboard here: https://kittypaper.com/dash/2c1a4412-cd34-4515-bee5-a0bb28c8d28c

[Screenshot of the dashboard: a "7 Days" range selector; two boxes, "Blocked Requests" ("The number of requests blocked by KittyPaper for this server", showing 2180) and "History" (a growing graph of blocked requests over time); below them a table digesting the countries the blocked requests came from.]

Currently the KittyScanBlocklist has been generated solely from the data collected by my honeypots. KittyPaper allows this blacklist to be augmented with crowdsourced information: any IP that pings the server but has never connected to it, or does not join within 30 minutes of pinging, is considered suspicious. (This behaviour can of course be disabled.) There is currently no automated system for this augmentation in place; I will work on that once some data has accumulated.
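To make the two mechanisms above concrete, here is an added illustration (my own sketch for this post, not code from the KittyPaper repository): a connection-level filter that drops blocklisted IPs before they reach the game logic and flags IPs that ping but never join within 30 minutes. The blocklist entries and the event stream are constructed sample data; the class and function names are assumptions for the example, and real IP handling in the server happens in Java on the Netty pipeline rather than in Python.

```python
# Added illustration (not KittyPaper's code): a connection-level filter that
# drops blocklisted IPs before they reach the game logic and flags IPs that
# ping but never join within 30 minutes, as described in the post.
import ipaddress
from dataclasses import dataclass, field

# Constructed sample blocklist; the real KittyScanBlocklist is not reproduced here.
SAMPLE_BLOCKLIST = ["203.0.113.0/24", "198.51.100.7", "# comment line", "bogus"]

SUSPICIOUS_AFTER = 30 * 60  # seconds: a ping without a join within 30 minutes


def parse_blocklist(entries):
    """Turn blocklist lines (single IPs or CIDR ranges) into network objects,
    skipping comments and malformed lines instead of failing the whole list."""
    networks = []
    for raw in entries:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry: ignore rather than break server startup
    return networks


@dataclass
class ConnectionFilter:
    networks: list
    window: int = SUSPICIOUS_AFTER
    first_ping: dict = field(default_factory=dict)  # ip -> time of first ping
    joined: set = field(default_factory=set)        # ips that joined in time
    blocked: list = field(default_factory=list)     # (time, ip) for the dashboard

    def is_blocklisted(self, ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return True  # unparsable address: never hand it to the game logic
        return any(addr in net for net in self.networks)

    def handle(self, ts: int, ip: str, kind: str) -> str:
        """Decide one incoming connection. Returns 'blocked' or 'accepted'.
        kind is 'ping' (status request) or 'join' (login)."""
        if self.is_blocklisted(ip):
            self.blocked.append((ts, ip))
            return "blocked"
        if kind == "ping":
            self.first_ping.setdefault(ip, ts)
        elif kind == "join":
            pinged = self.first_ping.get(ip)
            # A join with no prior ping, or within the window, clears suspicion.
            if pinged is None or ts - pinged <= self.window:
                self.joined.add(ip)
                self.first_ping.pop(ip, None)
        return "accepted"

    def suspicious(self, now: int):
        """IPs that pinged at least `window` seconds ago and have not joined."""
        return sorted(ip for ip, t in self.first_ping.items()
                      if ip not in self.joined and now - t >= self.window)

    def blocked_count(self, since: int, now: int) -> int:
        """What the dashboard's 'Blocked Requests' box would show for a range."""
        return sum(1 for ts, _ in self.blocked if since <= ts <= now)


# Constructed event stream: (seconds since start, client ip, kind)
SAMPLE_EVENTS = [
    (0, "203.0.113.5", "ping"),     # inside a blocklisted range: dropped
    (10, "192.0.2.10", "ping"),     # pings, then joins 10 s later: legitimate
    (20, "192.0.2.10", "join"),
    (30, "192.0.2.99", "ping"),     # pings and never joins: suspicious
    (100, "192.0.2.50", "join"),    # joins without pinging first: fine
    (200, "198.51.100.7", "join"),  # single-IP blocklist entry: dropped
    (300, "not-an-ip", "ping"),     # malformed address: dropped
]


def run_sample(events=SAMPLE_EVENTS, now=30 + SUSPICIOUS_AFTER):
    """Replay the constructed events; return decisions, suspects, blocked count."""
    f = ConnectionFilter(parse_blocklist(SAMPLE_BLOCKLIST))
    decisions = [(ip, f.handle(ts, ip, kind)) for ts, ip, kind in events]
    return decisions, f.suspicious(now), f.blocked_count(0, now)


if __name__ == "__main__":
    decisions, suspects, count = run_sample()
    for ip, verdict in decisions:
        print(f"{ip:>16}: {verdict}")
    print("suspicious:", suspects)
    print("blocked in range:", count)
```

The decision is taken on the raw address before any protocol state exists, which is the point of moving the logic out of a plugin: a blocklisted client never gets a status response to fingerprint. The suspicion heuristic is deliberately conservative (a join that arrives inside the window clears the record), so players who ping from the server list and then log in are never reported.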

It is important to mention that this does not prevent scanning and griefing outright, but it does greatly reduce the amount of exposure you have.

As KittyPaper is in active beta, there may still be issues I have not found yet. Please report these on GitHub.

In the near future I want to add a comfortable way to manage whitelists.

I also invite other developers to adopt my changes as they see fit. All patches are licensed under MIT.

You can download KittyPaper here: https://kittypaper.com/download

Anyway that was it for this short announcement post. I will write some more about the technical background in the future.