Better server protection from DDoS attacks

development
security
server

#1

As a developer I’d like to stop paying users 10-50k for “protection” to stop them from hitting my games offline.

I’d like to start out by saying I’m not too informed on Roblox’s back end and how they currently handle this issue, or if they have any protection against it at all, but at the moment it’s a huge issue.

This has been an on-going issue for months and I’ve always tended to shy away from posting anything here because I figured it’s something that a fix is currently in the works for, but at this point it’s starting to cost me money.

Right now users will join my game and start hitting it offline until I pay them Robux to stop. This obviously isn’t an issue that affects large-scale games, but for us down here who are running groups that only average 60-150 players throughout the day this is an issue. We have had 3-4 days in a row in my group of our average player count being sub-20 compared to its normal 70-100 because of a single user who, even while banned, is able to join on his banned account and get the server IP, even with him being instantly kicked by the ban script.

Please realize this is a major issue for us little guys and something needs to be done.


#2

Uhhh I think your problem is you are submitting to blackmail and therefore will always have people threatening you with shutdowns if you don’t give them Robux. Better to just ignore them until they go away.


#3

We did that for a month, and they didn’t go away.

You would be surprised how toxic and committed some of these people can be, and when it comes down to either losing hundreds of thousands of Robux compared to just paying 50k to get it to stop until someone else comes along, one of those choices is obviously better.

Though that shouldn’t even have to be a choice.


#4

Well as long as they can connect to the server they can get its IP and DDoS it. Nothing Roblox can really do honestly. PS4 and Xbox had DDoS issues a few years ago and it took them weeks to fix and stop the people. I doubt they even fixed their servers’ vulnerability.


#5

I don’t know much about DDoS protection but I just feel like there should be a way to detect a sudden burst of packets/connections or w/e they are doing and mitigate those packets/connections or ignore them as a whole.


#6

DoS is easy to detect. DDoS is more tricky, but definitely still doable, especially in a game, because you can just check if the request is actually someone in the game. That’s perhaps an oversimplification though.

Also OP are you sure it’s a DDoS and not something else?


#7

99.9% sure, seeing as he was able to hit off one of our group rally places which literally has zero scripts in it, and is FE’d.

I’ve gotten some screenshots from some of his friends as well of him bragging and showing off the program he uses to pull the server IP and all that.


#8

Isn’t it just a hotkey inside Roblox?


#9

Nope, pretty sure based on the screenshot, if I remember correctly, it was Wireshark.

You can get it from some locally generated log file as seen here as well:


#10

Ctrl+Shift+F3


#11

I’ve also had my game’s servers attacked in this manner. (by a member of the devforums, no less :eyes:)

A solution to prevent these attacks would be greatly appreciated.

Getting a server’s IP doesn’t require any special programs, there’s a hotkey for it in the client.


#12

So that’s three known ways, kind of hard to believe how easily accessible it is.


#13

It’s impossible to hide, you need the IP to connect to it.


#14

I guess hiding it really isn’t the issue as much as mitigating the attacks is.


#15

You’d be better off not submitting to the blackmail and instead spending your time on getting their accounts terminated. Dev Rel is super helpful with all developer issues and I’m sure they’d be more than happy to help in any capacity they can. You may also try reaching out to some users who have the certified reporter thing or whatever it’s called.


#16

I am not sure what you mean by this. A user should not have access to a banned account.

I do not know if this would help you at all but this is my idea.

In this scenario you could change the starter place to a main menu screen which only allows one player. This menu could contain something like join friends, normal play and play new server. The idea here is that a player has the ability to change or create a server to avoid the one being attacked.


#17

I think for those who have enough information you could post in #platform-feedback:exploit-report


#18

Fun method you could try: make your main server a 1 player server which only teleports people in the group to the main group rally place. If they can’t join, they can’t take it offline.
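
The lobby gate described in #16 and #18, as an added Luau example that is not from any poster in this thread: a one-player starter place whose only job is to forward group members to the real rally place and kick everyone else. It assumes the lobby’s max players is set to 1 in Game Settings, and `GROUP_ID` and `RALLY_PLACE_ID` are placeholders you fill in.

```lua
-- Added example (not from any poster): one-player lobby that only forwards
-- group members to the rally place. GROUP_ID and RALLY_PLACE_ID are placeholders.
local Players = game:GetService("Players")
local TeleportService = game:GetService("TeleportService")

local GROUP_ID = 0          -- placeholder: the group whose members may enter
local RALLY_PLACE_ID = 0    -- placeholder: the place being protected

-- True only when the membership lookup succeeded AND the player is a member.
-- A failed web call counts as "not a member", so an error never lets someone through.
local function isGroupMember(player)
	local ok, result = pcall(function()
		return player:IsInGroup(GROUP_ID)
	end)
	return ok and result == true
end

local function onPlayerAdded(player)
	if not isGroupMember(player) then
		-- Non-members are removed here and never connect to the rally server,
		-- so they never see that server's address.
		player:Kick("This place is for group members only.")
		return
	end

	local ok, err = pcall(function()
		TeleportService:TeleportAsync(RALLY_PLACE_ID, { player })
	end)
	if not ok then
		warn(("Teleport failed for %s: %s"):format(player.Name, tostring(err)))
		player:Kick("Could not reach the rally server, please rejoin.")
	end
end

Players.PlayerAdded:Connect(onPlayerAdded)
-- Cover anyone who joined before the event was connected.
for _, player in ipairs(Players:GetPlayers()) do
	task.spawn(onPlayerAdded, player)
end
```

The lobby server itself is still reachable like any other server; the gain is only that a non-member never reaches the rally place, which is the server the thread is trying to keep up.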


#19

Missed this, yeah. Same idea, should work ideally.

Also thinking about it - why is this place not group locked? If it’s only available to group members (a rally place) @Azuc


#20

Submitting to blackmail is the worst thing you can do. Just ignore it, don’t let them think you’re gullible.