Anti DOS Script

I’ve noticed a lot of people complaining about games crashing due to people DOS’ing the server. I decided to investigate this phenomenon and came up with a basic solution:

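```lua
-- LocalScript: runs on the client and watches its own outbound traffic.
local Stats = game:GetService("Stats")
local Players = game:GetService("Players")
local player = Players.LocalPlayer

while true do
	wait()
	-- DataSendKbps: kilobytes per second this client is currently sending.
	if Stats.DataSendKbps >= 500 then
		player:Kick("Stop trying to DDOS")
	end
end
```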

Put this script in a local script in starter player and it should work!
All it does is monitor the amount of data the client sends the server, and if it reaches an arbitrary threshold it kicks the attacker. Feel free to change the constant however you see fit.

It has been tested with some of the current DOS’ing programs and works for the ones that we tried.

Links to resources I used:
https://developer.roblox.com/en-us/api-reference/property/Stats/DataSendKbps

Thank you!

4 Likes

The DOSer can just delete the localscript. No client-side solution is safe.

7 Likes

You can set up a server-side check to ensure the script exists and ban users who delete it.

Someone can make a script that will check if the localscript is functioning or not.
If it doesn’t function, then it’ll clone to the place where it’s placed.

I wonder if it’s possible for the client to spoof the server that they still have it even though they delete it?

Then they can just disable the script or remove the code from it.

The deletion won’t replicate to the server in the first place, the server will still think it’s there even if the client deleted it.

1 Like

A little trick to making sure people don’t delete the local script is by having it communicate with the server every so often and kicking the player if the local script doesn’t communicate with the server.

(Yes, they could manually fire an event but that is a lot more work for them.)

Then all that would do is delay the problem. Once a workaround is found it’ll be shared with other exploiters and the DOSing will start happening again.

Not really, since they have access to the script’s source property (which contains the bytecode), they could just copy the part that fires the remote and create a new script with that part of the code. 15 minutes maximum of figuring it out.

2 Likes

Something I did in the past was clone a LocalScript full of checks every few seconds and then delete itself once it’s run through all the checks. Not sure how effective it is, but I’d assume it runs quickly enough before the exploiter is able to disable/destroy it.

What about randomizing the string that will be needed to verify the sent data?

The exploiters can still see the string stored inside of the script, plus, they can spy on any and all remotes, so keys are completely useless.

1 Like

Exploiter can override __namecall and just send over the new keys. Passwording your remotes won’t work. Security through obscurity in general doesn’t work as security.

Also minor nitpick @jrelvas clients get bytecode not source

1 Like

I was actually referring to the Source property in scripts, not the Studio Source used for edits. That’s good to keep in mind, though.

1 Like

Someone doesn’t need to be connected to the Roblox server to be able to DDoS the actual server hosting the instance.

This script is useless.

1 Like

This is used for when a Roblox client using Synapse tries to send so much information to the server that it shuts down the server. If you instead directly attack the server then this does nothing and there’s nothing we could do.

There is no such thing. There would be no reason to perform denial of service through the client anyway.

Well, it’s happening, so :man_shrugging:

I have a hard time believing you can “DOS” by spamming remotes, remotes have a limit so they can’t even be spammed at infinite light speed and even if it was attempted to be spammed, couldn’t you implement a leaky bucket or debounce to stop it?

This client-sided approach will have absolutely 0 effect on exploiters that can instantly disable it.

2 Likes
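
The leaky-bucket idea raised above, enforced on the server where a client cannot delete or disable it, as an added example that is not code from any poster in this thread. The RemoteEvent name `ExampleRemote` and all limits are assumptions made for illustration.

```lua
-- Server Script (e.g. in ServerScriptService); clients cannot read, delete or disable it.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Assumption: a RemoteEvent named "ExampleRemote" exists in ReplicatedStorage (hypothetical name).
local remote = ReplicatedStorage:WaitForChild("ExampleRemote")

-- Constructed limits; tune them per remote.
local CAPACITY = 20      -- calls the bucket holds before it overflows (burst size)
local LEAK_PER_SEC = 10  -- calls drained per second (sustained rate)
local MAX_DROPS = 50     -- overflowed calls tolerated before the player is kicked

local buckets = {} -- [Player] = { level, last, drops }

local function allow(player)
	local now = os.clock()
	local b = buckets[player]
	if not b then
		b = { level = 0, last = now, drops = 0 }
		buckets[player] = b
	end
	-- Drain the bucket in proportion to the time since the previous call.
	b.level = math.max(0, b.level - (now - b.last) * LEAK_PER_SEC)
	b.last = now
	if b.level + 1 > CAPACITY then
		b.drops += 1
		return false
	end
	b.level += 1
	return true
end

remote.OnServerEvent:Connect(function(player, ...)
	if not allow(player) then
		-- Overflow: drop the call before doing any work on it.
		if buckets[player].drops >= MAX_DROPS then
			player:Kick("Too many requests")
		end
		return
	end
	-- Validate argument types and ranges here, then handle the request.
end)

Players.PlayerRemoving:Connect(function(player)
	buckets[player] = nil
end)
```

This bounds the work the server does per call from each player; it does not reduce the traffic itself, so it has no effect on attacks aimed directly at the host.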