What’s up, MaxCheaters? We’ve all seen it. You open a new x100 Craft-PvP server, you have 400 "players" online according to the dashboard, but Giran looks like a ghost town and the farm zones are empty. Why? Because three "pro" players are running 50 boxes each using cheap SOCKS5 proxies or VPNs to bypass your AllowMultiBox=2 setting in l2j.properties.

Standard IP limiting is useless in 2026. If you want a healthy economy and competitive Olympiad, you need to move beyond simple IP checking. Today, I’m sharing some logic and a code snippet concept to help you harden your login gate.

1. The Problem with base_ip Checking

Most L2J cores (aCis, L2Scripts, Mobius) check the SecondaryPassword or HardwareID (if you have a protection like Strix or Guard). However, smart players use "Proxy Chaining." They mask their HWID or use virtual machines. If your server only checks if IP_A == IP_B, you are losing the battle.

2. Implementing a "Connection Threshold" via IPTables

Before the traffic even hits your Java GameServer, you should filter it at the Linux level. A common "Zerg" tactic is to flood the LoginServer to lag out other players during a Castle Siege.

Use these rules to limit new connections per IP (the second rule drops a source once it reaches 10 new connections within 60 seconds):

Bash
iptables -A INPUT -p tcp --dport 2106 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 2106 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

This stops someone from spamming 20 login attempts in a few seconds.

3. Advanced Java-Side Proxy Detection

If you want to get serious, you need to check if the connecting IP belongs to a known Data Center (OVH, DigitalOcean, AWS). Real players use ISP ranges (Comcast, Orange, Telefonica).

You can integrate a simple REST API check in your L2GameClient.java (or your login handler). When a connection is initialized, verify the IP against a provider like IP-API or ProxyCheck.

  • Logic: If proxy == true AND player_count_on_this_hwid > 1, kick the connection.

4. The "Ping Variance" Method (No-Guard Solution)

If you don't have a paid protection like SmartGuard, you can use "Latency Fingerprinting."

  • Players on the same local network (multi-boxing) usually have nearly identical latency (<1 ms difference).

  • Players using a Proxy will have a significantly higher "Jitter" than a direct connection.

    By logging the last_ping packet in a small Map, you can flag accounts that move with synchronized packet intervals—a dead giveaway for botting software like Adrenaline.

Conclusion

Don't let your server die in the first week because 5 people hoarded all the Boss Jewels using 100 characters. Tighten your LoginServer, use IPTables for the heavy lifting, and don't be afraid to manually ban IP ranges from known VPN providers.

What are you guys using for protection these days? Still sticking with Strix, or has someone found a solid open-source HWID solution for the newer Interlude remasters?

Let me know in the comments! If you need the specific Java imports for the Proxy-check method, ask below and I'll post the ClientThread.java modifications.
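The two latency heuristics from section 4, as an added example that is not part of the original post and not code from any L2J core. The class and method names are hypothetical, the 25 ms jitter threshold is an assumption, and the RTT samples in main() are constructed.

```java
import java.util.*;
// Added illustration: every name here is hypothetical, not part of any L2J core.
public class LatencyFingerprint {
    static final int WINDOW = 20;           // RTT samples kept per account
    static final int MIN_SAMPLES = 5;       // ignore accounts with too little data
    static final double SAME_LAN_MS = 1.0;  // the post's "<1 ms difference" heuristic
    static final double JITTER_MS = 25.0;   // assumed threshold; tune on your own traffic

    private final Map<String, Deque<Double>> rtt = new HashMap<>();
    // Call wherever the server already measures a client's round-trip time.
    public synchronized void record(String account, double ms) {
        Deque<Double> q = rtt.computeIfAbsent(account, k -> new ArrayDeque<>());
        if (q.size() == WINDOW) q.removeFirst();   // sliding window: drop the oldest sample
        q.addLast(ms);
    }
    static double mean(Collection<Double> v) { return v.stream().mapToDouble(Double::doubleValue).average().orElse(0); }
    // Jitter measured as the standard deviation of the window.
    static double jitter(Collection<Double> v) {
        double m = mean(v);
        return Math.sqrt(v.stream().mapToDouble(x -> (x - m) * (x - m)).average().orElse(0));
    }
    // Returns review flags: high-jitter accounts and pairs with near-identical mean RTT.
    public synchronized List<String> flags() {
        List<String> out = new ArrayList<>();
        List<String> names = new ArrayList<>();
        rtt.forEach((name, q) -> { if (q.size() >= MIN_SAMPLES) names.add(name); });
        Collections.sort(names);
        for (int i = 0; i < names.size(); i++) {
            Deque<Double> qi = rtt.get(names.get(i));
            if (jitter(qi) > JITTER_MS) out.add("HIGH_JITTER " + names.get(i));
            for (int j = i + 1; j < names.size(); j++)
                if (Math.abs(mean(qi) - mean(rtt.get(names.get(j)))) < SAME_LAN_MS)
                    out.add("SAME_LATENCY " + names.get(i) + " " + names.get(j));
        }
        return out;
    }

    public static void main(String[] args) {
        LatencyFingerprint f = new LatencyFingerprint();
        double[] proxied = {80, 190, 95, 240, 110, 70};  // constructed samples
        for (int i = 0; i < 6; i++) {
            f.record("boxA", 42.0 + 0.1 * i);   // constructed: two clients on one LAN
            f.record("boxB", 42.3 + 0.1 * i);
            f.record("solo", 18.0 + i);         // constructed: ordinary direct player
            f.record("viaProxy", proxied[i]);
        }
        f.flags().forEach(System.out::println);
    }
}
```

Treat the flags as leads for manual review or as one input alongside HWID and proxy checks: unrelated players behind the same ISP or NAT can show near-identical latency, and mobile or Wi-Fi connections can show high jitter without any proxy.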
