Multi-layered Minecraft server security plugin for Paper 1.21.4 + Velocity
π¦ Downloads Β |Β π’ Modrinth Β |Β π Changelog
AtomGuard is an open-source, enterprise-grade security plugin that protects your Minecraft server against DDoS attacks, bot floods, crash exploits, and duplication glitches. It runs on both Paper 1.21.4 and Velocity proxy, stopping threats before they ever reach your backend.
- Why AtomGuard?
- What's New in v2.0
- Velocity Proxy Module
- Core Module (Paper)
- Requirements
- Installation
- Commands & Permissions
- Developer API
- Building
- Architecture
- License
| Feature | AtomGuard | Other Plugins |
|---|---|---|
| Velocity Proxy Protection | β 12+ modules, fully integrated | β None / very limited |
| DDoS & Bot Protection | β 5-level attack management | |
| VPN / Proxy Detection | β 7-provider consensus chain | |
| IPTables Integration | β Kernel-level blocking | β None |
| Real-Time Threat Score | β Multi-factor scoring | β None |
| Crash & Dupe Protection | β 44+ modules | |
| Forensics & Attack Recording | β Full session capture | β None |
| Traffic Intelligence Engine | β EWMA + Isolation Forest | β None |
| Trust Score System | β Per-player, persistent | β None |
| Developer API | β Maven artifact | β None |
| Config Language | β English (v2.0.2+) | β |
- All config keys, YAML sections, and Java source strings translated from Turkish to English
- Default language is now
en; config keys renamed across all 44+ modules and managers - Automatic migration step for existing installations (no manual config edits needed)
ConnectionListener.onPreLogin()now returnsEventTask.resumeWhenComplete()β eliminates the 5-second blocking that caused player timeouts- VPNCheck and AccountFirewallCheck migrated from
.get()to non-blockingCompletableFuturechains with timeouts ConnectionCheckinterface gainscheckAsync()default method; fullprocessAsync()pipeline
- Extended Public API β
ITrustService,IForensicsService,IConnectionPipelineexposed viaAtomGuardAPI - Forensics System β
ForensicsManager/PacketRecorder/RecordingSessionrecord attack-moment packet sessions to disk - Traffic Intelligence Engine β
AdaptiveThresholdManager,EWMADetector,IsolationForestDetectorfor adaptive anomaly detection - Notification Manager β multi-provider routing (Discord, Telegram, Slack, console)
- Trust Score Manager β per-player persistent trust scores with tier system and JSON persistence
- Executor Manager β shared thread pool management across the plugin
- Web Panel β JWT authentication, API handlers, SSE live feed, geo-map dashboard
- Config Migration β automatic 1.x β 2.0 migration for both core and Velocity configs
- Velocity Bedrock Support β
BedrockSupportModuledistinguishes Bedrock players from bots - New API Events β
NotificationSentEvent,PostVerificationEvent,PreConnectionCheckEvent,TrustScoreChangeEvent
AtomGuard's Velocity module stops threats at the proxy layer before they reach your backend servers. It synchronizes with the core module via Redis or Plugin Messaging.
| Component | Description |
|---|---|
| AttackLevelManager | 5-level attack management β NONE / ELEVATED / HIGH / CRITICAL / LOCKDOWN with hysteresis to prevent rapid oscillation |
| SmartThrottle Engine | Automatic rate limiting scaled to current attack level |
| SYN Flood Detector | Blocks connections exceeding per-second threshold automatically |
| TrafficAnomalyDetector | Z-score, slow-ramp, and pulse attack detection |
| EnhancedSlowloris | Per-IP pending connection tracking with system-wide alarm |
| ConnectionFingerprinter | Protocol + hostname + timing fingerprint for botnet army detection |
| SubnetAnalyzer | /24 and /16 coordinated botnet detection |
| IPReputationTracker | DDoS-specific reputation score (0β100) with automatic temporary ban |
| AttackSessionRecorder | Full session capture from attack start to end, JSON output |
| VerifiedPlayerShield | Guaranteed slots for clean players at CRITICAL/LOCKDOWN levels |
- Multi-Factor Threat Score β connection speed, handshake, client brand, join pattern, username, geolocation, and protocol analysis
- Brand Analysis β recognizes Fabric, Forge, Lunar, Badlion, LabyMod and other known clients; blocks bot/exploit clients
- Join Pattern Detector β statistically detects bot swarm behavior
- CAPTCHA System β routes suspicious players to limbo for a math challenge
- Verified Player Cache β players with a successful login history skip analysis entirely
| # | Provider | Description |
|---|---|---|
| 1 | Local List | Instant local blacklist |
| 2 | CIDR Blocker | IP range-based blocking |
| 3 | DNSBL | Spamhaus, DroneBL, and custom lists |
| 4 | IPHub | Commercial VPN/proxy database |
| 5 | ProxyCheck.io | Real-time proxy verification |
| 6 | AbuseIPDB | Abuse history database |
| 7 | IPApi | ASN + hosting detection |
Consensus system: At least 2 providers must agree before blocking. A single provider cannot cause a false positive.
- Country-based whitelist / blacklist via MaxMind GeoIP2
- Configurable policy for unknown countries
- IP Reputation Engine β score based on successful logins, flood, and exploit history
- Auto-Ban Engine β rule-based temporary / permanent bans
- Account Firewall β Mojang API verification, account age check, cracked policy
- Blacklist / Whitelist β JSON-based, updatable at runtime
- Real-time kernel-level IP blocking (iptables / nftables)
- Automatic rule cleanup
- /24 subnet ban support
- Crash Loop Detection β more than 3 disconnects within 30 seconds
- Protocol Filter β restricts to allowed client versions
- Packet Size Limit β blocks oversized / malformed packets
- Chat rate limit, duplicate message detection, pattern analysis
- Tab-complete flood, command flood, server-switch spam protection
- Redis Bridge β instant cross-server ban / alert synchronization
- Plugin Messaging β secure Core β Velocity communication
- Discord / Telegram / Slack Webhooks β attack, bot, VPN, DDoS notifications
| Category | Modules |
|---|---|
| Packet Exploits | packet-exploit, offline-packet, netty-crash, packet-delay |
| NBT Attacks | nbt-crash, item-sanitizer, custom-payload, advanced-payload |
| World Crashers | book-crash, lectern-crash, map-label-crash, frame-crash |
| Chunk / Entity | chunk-crash, entity-interact-crash, container-crash |
| Duplication | bundle-duplication, inventory-duplication, cow-duplication, mule-duplication, advanced-duplication |
| Inventory | invalid-slot, bundle-lock, creative-items, anvil-craft-crash |
| Movement | movement-security, coordinate-normalize |
| Commands | command-crash, component-crash |
| Performance | redstone-limiter, explosion-limiter, piston-limiter, falling-block-limiter, smart-lag |
| Bot Protection | anti-bot, bot-protection, connection-throttle, token-bucket, honeypot |
| Visual / Render | visual-crasher, view-distance-mask, shulker-byte |
| Storage | storage-entity-lock |
- 9 Checks β connection rate, gravity, packet timing, ping/handshake, protocol, username pattern, first-join behavior, post-join behavior, brand analysis
- Heuristic Engine β per-player profile with statistical anomaly detection
- Verification System β challenge applied to suspicious players
- Attack Mode β auto-activates when TPS drops or flood is detected
- ForensicsManager β records packet sessions at attack moments; snapshots saved to disk
- PacketRecorder β configurable buffer, concurrent recording sessions, auto-record threshold
- TrafficIntelligenceEngine β EWMA-based adaptive thresholds, Isolation Forest anomaly detection
- AdaptiveThresholdManager β learns traffic patterns, adjusts thresholds automatically
- Per-player persistent trust score with tier system (LOW / NORMAL / TRUSTED / ADMIN)
- Score increases on clean sessions, decreases on violations
- Trusted players can bypass bot checks and VPN checks automatically
- JSON persistence with auto-save
- JWT-based authentication (
/api/login) - Live event feed via SSE
- Module status dashboard
- Geo-map of recent events
- Attack history and statistics
- MySQL + HikariCP β connection pool with WAL mode for SQLite fallback
- Redis Pub/Sub β network-wide synchronization
- Caffeine Cache β all TTL-based caches (bypass, cooldown, API results) use Caffeine
- Notification Manager β multi-channel alert routing (Discord, Telegram, Slack)
- Async Logging β 7-day rotation, async file writing
| Component | Version | Required |
|---|---|---|
| Java | 21+ | Yes |
| Paper / Forks | 1.21.4 | Yes |
| PacketEvents | 2.6.0+ | Yes (Core) |
| Velocity | 3.x | Proxy only |
| MySQL | 8.0+ | Optional |
| Redis | 7.x | Optional |
| MaxMind GeoIP2 | β | Optional |
# 1. Drop PacketEvents into plugins/
# https://modrinth.com/plugin/packetevents
# 2. Drop AtomGuard-core-2.0.2.jar into plugins/
# 3. Start the server β config is generated automatically
# 4. Edit plugins/AtomGuard/config.yml# 1. Drop AtomGuard-velocity-2.0.2.jar into Velocity plugins/
# 2. Start the proxy β config is generated automatically
# 3. Edit plugins/atomguard-velocity/config.yml
# 4. For Redis sync, enable on both sides:
# redis.enabled: trueUpgrading from 1.x / 2.0.x? AtomGuard automatically migrates your existing config on first startup. No manual changes needed.
| Command | Description | Permission |
|---|---|---|
/atomguard |
Help menu | atomguard.admin |
/atomguard reload |
Reload config | atomguard.reload |
/atomguard status |
Module statuses | atomguard.admin |
/atomguard stats |
Statistics | atomguard.admin |
/panic |
Emergency mode β tightens all modules | atomguard.panic |
| Permission | Description |
|---|---|
atomguard.bypass |
Bypasses all protections |
atomguard.notify |
Receives exploit notifications |
<dependency>
<groupId>com.atomguard</groupId>
<artifactId>AtomGuard-api</artifactId>
<version>2.0.2</version>
<scope>provided</scope>
</dependency>AtomGuardAPI api = AtomGuardAPI.getInstance();
// IP reputation score
IReputationService rep = api.getReputationService();
int score = rep.getScore(player.getAddress().getAddress());
// Trust score (v2.0+)
ITrustService trust = api.getTrustService();
int trustScore = trust.getScore(player.getUniqueId());
// Forensics recording (v2.0+)
IForensicsService forensics = api.getForensicsService();
forensics.startRecording(player.getUniqueId());
// Toggle a module at runtime
IModuleManager modules = api.getModuleManager();
modules.setEnabled("anti-bot", false);
// Listen for exploit blocks
@EventHandler
public void onExploitBlocked(ExploitBlockedEvent event) {
String module = event.getModuleName();
Player player = event.getPlayer();
}
// Listen for trust score changes (v2.0+)
@EventHandler
public void onTrustChange(TrustScoreChangeEvent event) {
int newScore = event.getNewScore();
}git clone https://github.com/ATOMGAMERAGA/AtomGuard.git
cd AtomGuard
mvn clean package -DskipTests
# Output:
# core/target/AtomGuard-core-2.0.2.jar
# velocity/target/AtomGuard-velocity-2.0.2.jarRequirements: Java 21 JDK + Maven 3.8+
AtomGuard/
βββ api/ β Public interfaces for developers (stable API contract)
βββ core/ β Paper 1.21.4 main plugin (44+ modules, web panel, forensics)
βββ velocity/ β Velocity proxy module (DDoS, bot, VPN, firewall, geo)
Key design principles:
- PacketEvents for all packet-level interception (loaded in
onLoad()) - Single
PacketListenerβ all modules register handlers viaregisterReceiveHandler() AbstractModulebase β unified lifecycle, config access, exploit blocking, and event firingAtomGuardAPIsingleton β initialized after all managers and modules, stable across versions
Want to contribute? Check CONTRIBUTING.md. All pull requests are welcome.
This project is distributed under the BSD 3-Clause license. See LICENSE for details.
βοΈ AtomGuard β Protect your server.
Made with β€οΈ by AtomGuard Team
