Hi, unfortunately, I have to create an exploit detection system because some people don’t follow the guidelines, which makes me sad ;(
Anyways, I was thinking about having a server script that loops through the player after a second, what I’ll do is see based on the server-side, it’ll see, for instance, the player’s speed, then it’ll fire a remote event and see if that aligns with it from a local script, if it does the player is in the clear, if not, it shows that the player is cheating.
Is this a good way? Will this be taken advantage of? Any suggestions?
What I’ll do is if the system detects something fishy, it’ll fire off an event. Within that event, it’ll detect if it’s still there. If it is, a message will be sent to my database with all the details, if not, I’ll free them.
I’m worried that this will be taken advantage of and it stinks that I have to worry about this.
You could probably make a system to detect different types of common exploits. Things like increased speed, increased jumppower, flying, no-clipping, etc.
That’s an anticheat that depends on the client not spoofing the data, which exploiters can and will do. All of your anticheat code should be on the server.
The client data can be spoofed, like @LexiDog5 said, so the 8-yr olds who think they cool ‘cause they use “noclip” will probably be stopped. The actual exploiters who have knowledge of Luau? Not so much.
Server data cannot be spoofed (unless they’ve hacked into Roblox, and at that point, you’re already screwed), and there are multiple ways to be sure that you catch the exploiters through server data. Basic character exploits can usually be caught using regular humanoid checks. Keeping track of authorized teleportation (e.g. if your game has teleported, maybe the server can log who teleported, where they were supposed to go, and whether they actually did or not) may also be effective.
I would actually not use the remote event system, as this can slow the process and just simply ban them and add them to a ban log. This could help with some sort of appeal system.
The thing is that the player can spoof it on the client side and the server can’t see it, hence why I’ll check both sides before having the final call.
You shouldn’t be checking if the player has changed their walkspeed, but rather checking if they’ve moved too fast or otherwise done something that is impossible.
Another important thing to note is to never auto-ban people for exploiting; you can kick but I’d recommend against that too. The best anticheats just prevent an exploiter’s cheats from working entirely (like the server taking network ownership of their character and teleporting them back to a previous location if they try to teleport) rather than punish the player for potential false positives.
Here’s a really good anticheat that I’ve seen that simply tries to stop what an exploiter is doing rather than kick or ban them from the game, although it’s experimental. I’ve tested it out and it works really well and you may be able to take some ideas from this anticheat.
You could also check by having the server and client cross calculate their movement, and if the server ends up desynched you can move the player to the correct location, however that’s more difficult to achieve without writing a custom humanoid.
I don’t plan to kick/ban people right away, I’ll have a log system and if I see it happening more than once, it’s safe to assume that someone is cheating and I’ll kick them from there.
Simple anti-cheat methods I have seen in games, and this dates back a while, are things like a script that detects if certain parts in a game have been deleted when they should never be (btool exploits), and another old bit of tech I have seen is sandwiching a kill brick in walls (anti-noclip walls). Of course these are primitive in today’s Roblox and no doubt can probably be bypassed by some means.
That’s still a potentially dangerous way of doing things, for example there could be a bug in the anticheat that says a player cheated 100 times in the same frame. That could cause you to get confused and falsely ban someone. I could also see the logs filling up pretty fast, but I’m not sure what method you’d be using for logs, so the logs filling up may not be a problem.
Again, the best anticheat is one that just prevents cheating in the first place rather than punishing people for cheating, even if the punishing isn’t automated.
For sure I’ll want to prevent this issue from happening so it doesn’t affect user experience, but if they are repeatedly intentionally trying to cheat the system, I am not going to let them try to continue.
That’s not possible due to FilteringEnabled except for a small amount of hacks like the one where you spin so fast you can fling other players.
If you don’t punish players for being detected, you don’t need to worry about the hacks that can affect other players being able to falsely get them punished.
You can also write anticheat code to prevent the hacks that can affect other players, but again you always need to play it safe and don’t punish anyone in case a new exploit is found that your anticheat doesn’t support yet.
For actually detecting them? Well, it depends on your game. Maybe add detection for flight by checking how long they can stay in the air (of course you will have false positives depending on your game and map). You could also check movement speed, teleports, etc etc.
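The server-only check that several replies describe (measure how far the character actually moved instead of trusting client-reported values, skip authorized teleports, and move the player back rather than ban), as an added Luau example that is not code from any poster in this thread. The `authorizeTeleport` helper, the `state` table and the constants are assumptions made for illustration.

```lua
-- Added example: server Script (e.g. in ServerScriptService); constants are assumptions to tune.
local Players = game:GetService("Players")

local CHECK_INTERVAL = 0.5 -- seconds between server-side samples
local TOLERANCE = 1.5      -- slack for latency and physics jitter
local state = {}           -- [Player] = { lastPos, lastSafe, allowTeleport, corrections }

-- Hypothetical helper: call from your own teleporter code just before moving a player,
-- so the jump is treated as authorized.
local function authorizeTeleport(player)
	if state[player] then state[player].allowTeleport = true end
end

local function onCharacter(player, character)
	local root = character:WaitForChild("HumanoidRootPart")
	local old = state[player]
	-- Spawning moves the character, so the first sample is treated as authorized.
	state[player] = { lastPos = root.Position, lastSafe = root.CFrame,
		allowTeleport = true, corrections = old and old.corrections or 0 }
end

local function onPlayer(player)
	player.CharacterAdded:Connect(function(character) onCharacter(player, character) end)
	if player.Character then onCharacter(player, player.Character) end
end
Players.PlayerAdded:Connect(onPlayer)
for _, player in ipairs(Players:GetPlayers()) do task.spawn(onPlayer, player) end
Players.PlayerRemoving:Connect(function(player) state[player] = nil end)

while true do
	local dt = task.wait(CHECK_INTERVAL)
	for player, s in pairs(state) do
		local character = player.Character
		local humanoid = character and character:FindFirstChildOfClass("Humanoid")
		local root = character and character:FindFirstChild("HumanoidRootPart")
		if humanoid and root and humanoid.Health > 0 then
			-- Horizontal distance only (falling is not flagged); WalkSpeed is the server's copy.
			local delta = (root.Position - s.lastPos) * Vector3.new(1, 0, 1)
			local limit = humanoid.WalkSpeed * dt * TOLERANCE + 2
			if s.allowTeleport then
				s.allowTeleport = false
			elseif delta.Magnitude > limit then
				s.corrections += 1            -- count for later human review, no auto-ban
				character:PivotTo(s.lastSafe) -- undo the impossible move
			end
			s.lastPos, s.lastSafe = root.Position, root.CFrame
		end
	end
end
```

Anything that legitimately moves a character faster than its WalkSpeed (vehicles, launch pads, knockback) has to call `authorizeTeleport` first or be given a higher limit, otherwise it will be corrected as a false positive.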