Anti Exploit in a gun-based game?

I just started on a little shooter game yesterday and I have a couple of questions for anyone else who has experience in making these types of games. I’m keeping the shooting local and sending confirmed hits to the server (I do not want to have it all on the server).

The issue is, I need to prevent players from exploiting this system, but since it’s on the client side they could just tell the server that they are hitting every player in the game.

I have a couple of server checks in place now: 1) Detect if the player has created more bullets than the Rate of Fire * Specific time, and also 2) detect if tick()-LastBulletCreated > RoF time.

My concern is, how do I prevent the player from sending successful hits to the server at a legal Rate of Fire, and the server having no idea if those hits are legitimate? @Soybeen suggested an accuracy rating system where I attempt to detect consistent head shots over a period of time or something like that, but I’m curious to see what methods the community has used!


1 Like

Detecting if the player has more bullets live than possible is going to be your best mechanism for determining if someone is abusing the event.

You might find the tick()-lastBulletCreated > RoF to be unreliable considering ping. A client could lag for a split second or experience an increase in ping so that they appear to send multiple shots at once to the server. High potential for false positives.

Another thing they will do is aimbot by sending the position of nearby players’ heads in replacement of their Mouse.Hit. This is trickier. You could keep track of the player’s accuracy but this is unreliable because they could compensate by shooting nothing. For this I hope others have an answer.

Some other FPS games outside of roblox create “fake players” that can’t actually be seen or impacted, but if someone shoots at it profusely, it is detected and transmitted to the server.
This probably isn’t feasible on roblox because the hackers will most likely use :GetPlayers() to be provided with a list of true targets.

If the game is FPS, you could perform loose checks to see if they are firing within their FOV, or if they’re firing behind them. You can determine the angle between the head’s lookVector and the lookVector of the bullet origin by getting the dot product of those two.

Scripts to protect you locally could be employed but they would be disabled. Unfortunately for them that means rewiring the client setup, so it’s a good deterrence only until someone makes an injector suite and it becomes the mainstream exploit.

Worse comes to worst, an in-game report system could aid your automatic system by validate flags that might already be imposed on someone’s account for suspicious behavior.

tl;dr You can only really check how suspicious someone is. If they are consistently doing suspicious things over a long period of time, give them the boot.