Biggest Anarchy server brought to knees

17th Jan, 2023


The jolly, public-facing side of Minecraft is the fun, easy one, where we can enjoy the game's creative, happy side. There's also a lesser-known, but no less popular, side that can make things a lot more difficult.

2B2T is one of the most notorious “anarchy” servers. It has been running since 2010 and has never been reset. The name stands for “2 Builders 2 Tool”, and the server is known for being inhospitable and nasty, though its players will disagree. However, 2B2T is an example of Minecraft's huge appeal and its ability to turn players into creators. It is a place with a real history that is part of the landscape. Because of the community it has built over the years, it was chosen to be featured in the 2019 videogames exhibition Videogames Design / Play Disrupt at London's V&A Museum.

The story began even before that. A bunch of hackers discovered an exploit in Paper, a piece of Minecraft server software (thanks to WindowsCentral). The exploit made the server believe that a player was clicking on every single block on the map. This caused the server to attempt to load many block renders and crash. This is the type of bug that can cause catastrophic problems, and software like this will fix it quickly once it's noticed.

The problem was solved “quickly”.

Leijurv was one of the NoCom coders, even though he has been working on it since 2020. He wrote a detailed post that explains exactly what the group did and why it worked.

The beginning of the post points people to this FitMC YouTube video, which the perpetrators helped prepare and which provides a better overview.

NoCom was able to fly under the radar for so long because, according to Leijurv, “there is no actual exploit or ‘backdoor’ in the sense you might think.” The server does not ‘misbehave’ or do anything suspicious. It is perfectly normal and expected behavior. The code does not do anything secretive or sneaky; it is actually very simple.

PaperMC, the maker of Paper, “fixed” the original exploit. This was exactly what the NoCom hackers were looking for. The PaperMC patch enabled the hackers to click on blocks and be shown their contents. That in itself isn't unusual behavior for Minecraft. What is unusual is that it is possible to click on blocks anywhere on this vast landscape and find out what they are.

Leijurv writes that this behavior is well known and desirable for 2b2t. It's just that few people have ever thought of deliberately going beyond one's render distance in order to extract information. You can click any block on the server from anywhere, even a million miles away. Whether the server replies or remains silent tells you if that block is currently loaded by the server.

The Paper developers made it clear that this patch was meant to respond to a player only if the chunk was loaded by that player. This makes logical sense, and it covers everything you could dig in good faith. The problem is that, because of the way the code was written, the server will reply to your player if the chunk has been loaded by any other player on the server. This is clearly an unintended side effect.

This is why it matters. Once the exploit became available, NoCom started to check whether certain chunks of the map had been loaded or not. A loaded chunk indicated that other players were present, so these locations were recorded. This created a master record of bases and other locations to be hit. This has a certain poetry, but the NoCom exploit has been used over the last three years to grief players on a griefing server.

Below is a heatmap of 2B2T's global map showing where players and groups are located. Here's where it gets really devilish.

The exploit was used manually when it was first discovered. Obviously, endlessly clicking blocks to determine what is located where is not the best method for thieving. The NoCom group started automating it by introducing bots to the server on a shift system so that one was always available: these bots monitored the main thoroughfares of the world.

These bots would track the movements of players and pay particular attention to how long they spend in each area.

They scan the nether highways. Actually, they punch one block for every 9 chunks. This expands outwards on every highway or diagonal. We know that a player is traveling when we hit them. Maybe he's traveling to his base.

“So… we just keep pace with them. A monte carlo particle filter was used to track and simulate movement. It uses approximately 2 checks per second to keep pace with players as they move at an arbitrary speed. Elytra, boat speed, entity speed sprinting, walking and any other mode. Even pig god mode! Even spectator mode! We only care about whether chunks are loading. That's all we can see.

“Basically, the machine plays the game of battleship against 2b2t really well and uses all the hundred checks per second we get to track the battleships moving around the board.

“And when a battleship vanishes from the netherboard, we look at the overworld board to continue (the bots coordinate with one another of course).

“In this manner, we just follow people to their bases by following them as they load chunks. We can see chunks from our observation posts, and we can also check them at any distance.”

The NoCom crew had amassed 13.5 billion rows and 1.7 Terabytes of data about the 2B2T world by the end. This data would be mostly used in the following manner: “Print out bases with most chests, travel there in-game, and steal all the items.”

NoCom activity reached its peak in 2020 as the hackers gained greater knowledge of the game world and were tempted to take advantage of it. Numerous bases were destroyed and valuables stolen, with the community spiraling into such panic that many would not log in.

2B2T members had seen something strange over the years. However, the NoCom group had also organized a disinformation campaign through forums and Discord groups (“Memes for covering up the exploit and other miscellaneous gaslighting”), which dismissed those who were concerned as paranoid.

The crew behind NoCom knew the end was near as it gained momentum and became more visible on the server. It began a rampage of murder over June and July to extract every drop of data. Finally, the server admin fixed the exploit by restricting the number of packets accounts can send per tick.
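The leak described earlier (the server replying for a chunk loaded by any player) and the per-tick packet cap that ended it can be shown side by side in a small model of the server-side handler. This is an added example, not Paper's or 2B2T's code; the `Server` class, `VIEW_DISTANCE` and `MAX_PACKETS_PER_TICK` values are assumptions made for illustration.

```python
from collections import defaultdict

VIEW_DISTANCE = 8           # chunks; assumed value for this model
MAX_PACKETS_PER_TICK = 20   # assumed cap; the article gives no number


def chunk_of(x, z):
    """Block coordinates -> chunk coordinates (16x16 blocks per chunk)."""
    return (x >> 4, z >> 4)


class Server:
    def __init__(self, hardened):
        self.hardened = hardened
        self.players = {}                        # name -> (block x, block z)
        self.packets_this_tick = defaultdict(int)

    def loaded_by(self, name):
        """Chunks kept loaded by one player: a square around their position."""
        cx, cz = chunk_of(*self.players[name])
        r = range(-VIEW_DISTANCE, VIEW_DISTANCE + 1)
        return {(cx + dx, cz + dz) for dx in r for dz in r}

    def loaded_by_anyone(self):
        return set().union(*(self.loaded_by(n) for n in self.players))

    def tick(self):
        """Start a new server tick: every account gets a fresh packet budget."""
        self.packets_this_tick.clear()

    def handle_block_click(self, name, x, z):
        """Return True if the server sends a reply, False if it stays silent."""
        self.packets_this_tick[name] += 1
        if self.hardened and self.packets_this_tick[name] > MAX_PACKETS_PER_TICK:
            return False                         # over budget: drop the packet
        target = chunk_of(x, z)
        if self.hardened:
            # Intended rule: answer only for chunks the sender has loaded.
            return target in self.loaded_by(name)
        # Leaky rule: a reply reveals that *someone* has this chunk loaded.
        return target in self.loaded_by_anyone()
```

In the leaky configuration the reply itself is the information leak, so the durable fix is the ownership check; the packet cap only limits how fast the question can be asked.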

NoCom may be defunct, but 2B2T will always be influenced by its legacy. That data can still be accessed, and it remains valid until players or groups move their bases, which is a huge undertaking for something this large. Many amazing builds are now mere hostages to fortune. 2B2T remains, but this is the most significant event in its history.