Author: TomMustBe12

Date Posted: 7/16/2025, 9:41 PM

Playit.GG Port Scanning

Your Minecraft servers (or other servers) could be at risk.

What is Playit.gg?

Well, if you don't know what playit.gg is, then you're safe from this particular service. However, many services like this do the exact same thing and can be found.

Playit.gg is a service that allows you to host your own Minecraft server without needing to port forward. It does this by creating a tunnel between your computer and their servers, allowing players to connect to your server through a unique URL.

While this is a great service for those who don't want to deal with port forwarding, it's not very safe: all of its ports are completely open and not guarded whatsoever, so there is nothing stopping random people from scanning playit.

Why does this matter? This means that anybody who runs a simple 15 character command can find anybody's service on playit.gg. This could be your Minecraft server, your SSH port, or even your random security camera port that you never deleted because why not.

How you scan for Playit.gg servers

I'm going to make this public because A) it's super easy and simple to do; ask ChatGPT and you'll get the exact same command. And B) this should be a reminder to everyone that their public service is really public! If you are exposing your server to the internet - that's what it's doing! Anybody can find it now.

To scan for Playit.gg servers, you can use the following command (you need Nmap installed):

nmap -sS -p- 20.ip.gl.ply.gg

Note: 20.ip.gl.ply.gg is just one of playit's global broadcast addresses. I've personally found at least 16-29.ip.gl.ply.gg. Tons of ports are out there.

Since this is a full SYN stealth scan, it will take much longer to complete. However, this gives much more accurate results compared to normal port scanning.

This will return all the found TCP ports and display them in the terminal. Minecraft runs on TCP. See what I mean?

A decent amount of these aren't Minecraft though. Some of them are other TCP services. However, most of them are. Playit is known for making Minecraft servers tunneled for free, so most people use it for that.

Which are Minecraft, and which aren't?

Minecraft ports aren't going to immediately be known. You'll have to sort through which ones are, or which ones aren't.

If you use Python, there is a nice script called mcstatus. Mcstatus lets you ping servers, find out if they are Minecraft, and most servers return default information like motd, players, player max, player limit, and what version of Minecraft. If you use this mcstatus script and sort through your nmap list, you'll be able to search for basically anything.

I personally sort by version, so that I can find if the version is the version I'm going to be using to connect to servers (usually I just use the latest) and I sort through that. Look at mcstatus's documentation for more on how to use it.

However, if you wanted to search for all servers on a version and without a default motd (meaning the server is probably custom and has an active player base) then that would be very possible too.

After you scan your nmap list with a simple Python script, you can find which TCP services are Minecraft and which aren't. The only problem now is to figure out if they have a whitelist. Unfortunately, unless you create an intense bot that will search servers automatically for you (probably would be a mod of some sort), there isn't a straightforward easy way to do that, that I know of. But by now, the list should be manageable enough that you can manually try joining.

How to protect my server

There are a few ways to protect your server from being scanned:

  1. Use a whitelist: A whitelist can help to restrict access to your server to only those who you trust.
  2. Don't use playit: While many of these services are not great, playit is definitely not on top.
  3. Use a custom domain from Playit: I haven't used a custom domain before, but if you have one then it might not be visible on the main global anycast. Still, be careful; I haven't checked this.

Overall, it's important to be aware of the risks associated with using services like playit.gg. While they can be convenient, they can also expose your server to potential attacks.

By taking steps to protect your server, you can help to reduce the risk of it being scanned or attacked.
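
One way to check the whitelist advice above against your own server, as an added example that is not part of the original post. The key names are the standard Minecraft Java Edition server.properties settings; the online-mode and enable-rcon checks, the function names and the sample file contents are assumptions added here.

```python
import json

# key: (value to require, vanilla default used when the key is absent)
CHECKS = {
    "white-list": ("true", "false"),         # only listed players may join
    "enforce-whitelist": ("true", "false"),  # kick players once they are delisted
    "online-mode": ("true", "true"),         # authenticated names, so entries can't be impersonated
    "enable-rcon": ("false", "false"),       # remote console is another exposed TCP service
}

def parse_properties(text):
    """Parse server.properties: key=value lines, '#' comments, blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(properties_text, whitelist_json="[]"):
    """Return a list of findings; an empty list means every check passed."""
    props = parse_properties(properties_text)
    findings = []
    for key, (wanted, default) in CHECKS.items():
        actual = props.get(key, default).lower()
        if actual != wanted:
            findings.append(f"{key}={actual} (want {wanted})")
    # A populated list that is never enforced usually means the owner forgot to enable it.
    listed = len(json.loads(whitelist_json))
    if listed and props.get("white-list", "false").lower() != "true":
        findings.append(f"whitelist.json lists {listed} player(s) but white-list is off")
    return findings

# Constructed sample files, not taken from any real server.
SAMPLE_PROPERTIES = """\
#Minecraft server properties
server-port=25565
white-list=false
online-mode=true
enable-rcon=true
motd=A Minecraft Server
"""
SAMPLE_WHITELIST = '[{"uuid": "00000000-0000-0000-0000-000000000000", "name": "ExamplePlayer"}]'

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_WHITELIST):
        print("FINDING:", finding)
```

To use it on a real server, pass the contents of your own server.properties and whitelist.json to audit().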

Conclusion

All in all, you should really protect your server with a whitelist. Even if you don't use playit, whitelists help stop random people from joining your server. If you have a public IP address (either your own, a remote virtual server, or a friend's old PC) then you should turn on the whitelist. Anybody that finds that IP can see that it has Minecraft running on whatever port, and join your server.

Final Note

Bruh did you see me attack your server 💀