I’ve created a pretty complex ray casting gun system that includes bullet penetration and whatnot. So I’d like to continue with this system, but the way it works can be exploited.
When the client clicks, it will create rays on the client; I did this to help with the “feeling” of lag. The bullet’s calculations and whatnot are done and sent to the server (HIT, ENDPOSITION). Obviously if I do that, someone can just create a raycast script and send the bullets wherever they want, even with a whitelist to go through walls (I know because I tested this and it worked as a literal aimbot). So to combat this on the server, the ray’s distance is checked to make sure it’s accurate server-side (to the weapon’s max distance). It also will check the amount of rays, and make sure it’s no higher than the penetration (maxrays = 1 (the bullet) + penetration (the amount of objects the bullet can pierce)).
Basically, I’m looking for recommendations on what I can do to improve security. I thought about maybe sending the fire request to the server, then having the server ask the client for its mouse position and rays, so that the client can’t tell the server what to do. But then someone could just write an onclient event and try to bypass that (unlikely but possible). OR just doing ALL calculations on the server, which would not be ideal in my eyes, but if that’s the recommendation then I will try it, but even then it could still be exploited! They could still just send a different position than their mouse… I’m pretty stumped on a bypass for this since the mouse is local. It doesn’t help too that the game is third and first person, so some sort of first person loophole is out of the question.
It’s possible to get the best of both lag and security by creating the same ray both on the client and the server, and only using the server’s personal calculations. In general, the only thing you want the client to send is the most basic of information such as mouse.hit, because that is already controlled by the client and couldn’t be exploited easily (except in the cases of someone making an aimbot).
The possible problem with this is you would need a method to hide the server ray, or simply don’t create a ray part for the server (not ideal).
If they simply changed the fire to the server to any position, and not the mouse, it would still fire there. I have no way of knowing if it’s their mouse.
It’s not like that magically makes the server think the bullet hits there. Even if they send a false position, the server is still checking if they can even hit that point, plus if you’re raycasting to see if the mouse could even touch that point, it could act as its own exploit detection.
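The server-side approach described in the replies above (the client sends only its aim point and the server casts its own rays), together with the range and 1 + penetration limits from the original question, as an added example that is not code from any poster in this thread. The RemoteEvent name `Shoot` in ReplicatedStorage and all constants are assumptions.

```lua
-- Server Script (added example). Assumed names: a RemoteEvent "Shoot" in
-- ReplicatedStorage and the constants below; none come from the original posts.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Shoot = ReplicatedStorage:WaitForChild("Shoot")

local MAX_DISTANCE = 300   -- weapon range in studs (constructed value)
local PENETRATION = 2      -- objects a bullet may pierce (constructed value)
local FIRE_INTERVAL = 0.1  -- minimum seconds between shots (constructed value)
local DAMAGE = 25          -- constructed value
local lastShot = {}

Shoot.OnServerEvent:Connect(function(player, aimPoint)
	-- Remote arguments are untrusted: the comparison is false for NaN and inf.
	if typeof(aimPoint) ~= "Vector3" or not (aimPoint.Magnitude < 1e6) then return end
	local now = os.clock()
	if now - (lastShot[player] or 0) < FIRE_INTERVAL then return end
	lastShot[player] = now

	-- The origin is read from the server's copy of the character, never from the client.
	local character = player.Character
	local head = character and character:FindFirstChild("Head")
	if not (head and head:IsA("BasePart")) then return end
	local origin = head.Position
	local offset = aimPoint - origin
	if offset.Magnitude < 1e-3 then return end
	local direction = offset.Unit -- only the direction of the client's point is used

	local ignore = { character }
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	local remaining = MAX_DISTANCE
	for _ = 1, 1 + PENETRATION do -- maxrays = 1 (the bullet) + penetration
		params.FilterDescendantsInstances = ignore
		local result = workspace:Raycast(origin, direction * remaining, params)
		if not result then break end
		local model = result.Instance:FindFirstAncestorOfClass("Model")
		local humanoid = model and model:FindFirstChildOfClass("Humanoid")
		if humanoid then humanoid:TakeDamage(DAMAGE) end
		-- Skip the pierced object next pass; skip a whole character so it is hit once.
		table.insert(ignore, humanoid and model or result.Instance)
		origin, remaining = result.Position, remaining - result.Distance
	end
end)

Players.PlayerRemoving:Connect(function(player) lastShot[player] = nil end)
```

The client still chooses the aim point, so this bounds what a forged request can do (range, walls, pierce count, fire rate) rather than proving the point came from the mouse.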
So if it’s like Shoot:FireServer(mouse.Hit.p), they could still send :FireServer(EnemyTarget.Head.Position), and although the server could be like, NA, it will still work if enemies are in view.
The aimbotting will be a problem regardless of how you change the system, even if they didn’t have the power to change the position to what they wanted, and as @dudesa3000 mentioned, there are methods of checking for cheats.
There are multiple methods of detecting an aimbot; a guy instantly aiming at nearby players is pretty obvious. Also, for a moderated system you could announce a possible cheater by looking at headshot ratios. It’s not impossible to detect such cheats.
It is impossible; they could vary the target part, and they could just lerp within less time so it looks less obvious… Not to mention most legit players can do fast aiming, and that could be confusing and annoying.
2nd: if you were to detect an aimbot, you WILL do it on the client (camera detection), and you will possibly kick as well on the client, which can be disabled or blocked by the executor; Synapse X, as an example, has some methods for this.