Information:
FXServer Artifacts: 6040
on Onesync Infinity
System: Windows Server 2022
Client: Production & Beta
How it all started:
Hey, my server is crashing randomly with a “network thread hitch”. The strange thing about this is that we didn’t change anything on our system. We just updated our artifacts on 11.11.22 and got the first crashes on 16.11.22. We even tried to go back to older artifact versions we had before. Our server ran without any issues for years now and we didn’t change anything in the last few months. It even happens when the server is not that full. We even had sessions with 180 players without any problems before it crashed with just 40 players on it. So at first I thought it’s some sort of attack. So we checked our DDoS protection and there were no attacks. I reported my issue on the CFX Discord server and found a lot of other server owners with the exact same issue starting in the same timeframe. All of them updated to a newer artifact and tried to go back to an older one. So the only thing we all did before it started was an artifact update.
Information about the crash
The crash starts randomly without any abnormalities in the server log. So there are no other network hitch warnings before that. This is what it looks like:
[ citizen-server-impl] network thread hitch warning: timer interval of 231 milliseconds
[ citizen-server-impl] server thread hitch warning: timer interval of 247 milliseconds
[ citizen-server-impl] network thread hitch warning: timer interval of 2244 milliseconds
[ citizen-server-impl] server thread hitch warning: timer interval of 2282 milliseconds
txaEvent “serverShuttingDown” “{"delay":5000,"author":"txAdmin","message":"Server Neustart (Crash erkannt)."}”
It will hitch up to 5000 ms and crash with these error codes:
FXServer Closed. (code 4294967294)
FXServer Closed. (code 3221226356)
After a txAdmin restart it often crashes again after 2-5 minutes. After that, the server runs fine again for like 20 hours. Most of the time it’s happening between 15:00 and 20:00.
Analyzing the crash:
We checked the dmp files and found these error codes:
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_citizen-scripting-lua.dll!Unknown
PROCESS_NAME: FXServer.exe
READ_ADDRESS: 000000000030303b
ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%p verwies auf Arbeitsspeicher bei 0x%p. Der Vorgang %s konnte im Arbeitsspeicher nicht durchgeführt werden.
So I saw it has something to do with the memory. I had a conversation with nta on Discord and I sent him my full dmp. He said it’s some sort of generic memory corruption. Likely some attack indeed though given one of them is in tcpserver, but impossible to tell without having access to the attack method ‘on demand’ to run tests with.
Here is a dmp file if you want to check it. Let me know if you need a full dmp file. I can send it via PM.
f275019d-94ee-4887-9710-8c4137a63995.dmp (3.5 MB)
Things I checked for abnormalities:
- I checked the server resmon for any memory leaks
- Checked network event traffic with neteventlog
- Downgraded from 6040 to recommended artifacts
- I did some server network monitoring
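
A triage helper for the values quoted in this post, added as an example and not part of the original post or of FXServer/txAdmin tooling: it decodes the two exit codes against Windows NTSTATUS values, checks whether the faulting READ_ADDRESS consists only of printable ASCII bytes (a common sign that text data was written over a pointer), and extracts the hitch intervals from the log. The function names are hypothetical, and the NTSTATUS table is a small subset taken from Microsoft's ntstatus.h.

```python
import re

# Small subset of NTSTATUS values, names as in Microsoft's ntstatus.h.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
}

HITCH = re.compile(
    r"(network|server) thread hitch warning: timer interval of (\d+) milliseconds")

# The four hitch lines quoted in the post.
SAMPLE_LOG = """\
[ citizen-server-impl] network thread hitch warning: timer interval of 231 milliseconds
[ citizen-server-impl] server thread hitch warning: timer interval of 247 milliseconds
[ citizen-server-impl] network thread hitch warning: timer interval of 2244 milliseconds
[ citizen-server-impl] server thread hitch warning: timer interval of 2282 milliseconds
"""

def decode_exit_code(code):
    """Turn the decimal N from 'FXServer Closed. (code N)' into (hex, meaning)."""
    code &= 0xFFFFFFFF
    hexed = f"0x{code:08X}"
    if code in NTSTATUS:
        return hexed, NTSTATUS[code]
    if code >> 28 == 0xC:  # error severity with the customer bit clear
        return hexed, "NTSTATUS error not in table"
    signed = code - (1 << 32) if code & 0x80000000 else code
    return hexed, f"application exit code {signed}"

def ascii_bytes(addr):
    """Text spelled by the address's bytes in memory order, or None if any is unprintable."""
    raw = addr.to_bytes(8, "little").rstrip(b"\x00")
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None

def hitch_intervals(log_text):
    """(thread, milliseconds) for every hitch warning, in log order."""
    return [(m.group(1), int(m.group(2))) for m in HITCH.finditer(log_text)]

if __name__ == "__main__":
    for code in (4294967294, 3221226356):
        print(code, *decode_exit_code(code))
    print("READ_ADDRESS as bytes:", repr(ascii_bytes(0x000000000030303B)))
    print("worst hitch:", max(hitch_intervals(SAMPLE_LOG), key=lambda h: h[1]))
```

On the values in this post, 3221226356 decodes to 0xC0000374 (STATUS_HEAP_CORRUPTION), 4294967294 is not an NTSTATUS value and reads as -2, and the read address 0x30303b spells the text `;00` in memory order.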