Anatomy of a Minecraft bot attack
A modern bot attack isn't crude packet spam — it's thousands of clients speaking flawless Minecraft protocol: valid handshakes, rotating usernames, plausible protocol versions, distributed across residential proxies and cheap datacenter ranges. Server-side antibot plugins fight them after your hardware has already accepted the connection. That's the wrong side of the wire.
The Arvoris antibot pipeline
Every connection crosses these layers at the edge, in order, before it can touch your backend:
- Adaptive rate limits + auto-UAM — per-IP and global connection budgets that tighten automatically when combined ping+login CPS spikes. Fixed on Free, fully tunable from Budget up, schedulable profiles on Value.
- Risk scoring — every connection is scored on origin (country, ASN, datacenter range), protocol behavior and history before it reaches a verdict.
- CryoLimbo verification gauntlet — suspicious joins are detoured into a lightweight limbo world and verified, from a simple captcha (Budget) to multi-level behavioral checks (Essential and up), then handed to your backend only once they prove human.
- **AntiVPN** — real-time VPN, proxy and datacenter detection with query volume bundled into every plan; flag, challenge or block, your choice per network.
- Fingerprint bans — ban the client, not just the IP. Rotating-proxy bots that change address every join still carry the same fingerprint (Value plan).
- Version whitelist & risk lists — pin allowed protocol versions and block whole countries or ASNs with reusable lists, enforced at the edge.
Calm by default, ruthless under attack
The pipeline is deliberately asymmetric. On a quiet Tuesday, a new player connects, passes a few wire-speed checks, and lands on your server with their real IP delivered via PROXY protocol — no captcha, no delay, nothing to notice. During an attack, auto-UAM flips the same pipeline into strict mode: every join earns its way through the gauntlet, pings are served from edge cache, and your console stays silent while the panel shows you the flood in real time.
This is the same engine that backs our full DDoS mitigation stack — antibot isn't an add-on, it's the Layer-7 half of the same system, running at all seven PoPs.
What each plan gets
- Free ($0) — strict fixed profile: rate limits, auto-UAM, preset risk lists. Details on the free plan.
- Budget ($10/mo) — tunable antibot, captcha verification, risk scoring, custom offline messages, webhook alerts.
- Essential ($25/mo) — full multi-level gauntlet, bans and force-verify, version whitelist, antibot templates, full connection logs.
- Value ($40/mo) — fingerprint bans, scheduled antibot profiles, custom mitigation messages, Discord login feed.
Antibot questions
Why is a network-level antibot better than a plugin?+
A plugin fights bots after they've already consumed a connection slot, a thread and a login event on your hardware — during a 50,000-join flood, the fight is lost before it starts. Arvoris drops bots at the edge PoP, so your server never allocates anything for them.
Will my real players get captchas all the time?+
No. Verification only engages for connections the risk engine flags — new IPs during an attack, datacenter ranges, protocol anomalies. When your network is calm, players connect straight through. Under attack, most legitimate players still pass without ever seeing the gauntlet.
Does it work with cracked/offline-mode servers?+
Yes — the filtering happens at the protocol layer before authentication, so online-mode and offline-mode networks get the same protection. Offline networks benefit the most, since they can't lean on Mojang auth to weed out fakes.
What happens during a really big bot attack?+
Auto-UAM (Under Attack Mode) engages: rate limits tighten, every new join is routed through CryoLimbo verification, and pings are answered from edge cache. Your existing players keep playing; you get a Discord alert with live CPS and peak metrics.
Put it in front of your server free — the whole pipeline, up to 15 players, no card.