Hey, I’m a scripter for a group and we’ve recently had some issues with exploiters. Exploiters have been sending mass requests to remotes related to the chat with millions of characters therefore crashing the server. Anyone knows what causes this and how I could potentially fix it?
I already forked the main chat script in hopes of fixing it, we’ve had no proof of it actually working though.
Basically, they’re setting their channel (?) to a huge string which absolutely demolishes both your ping and the server itself.
Anyone knows how to fix it/can potentially help me with fixing it?
Could you tell me any plugins or free models used in the game? An example might be Adonis. Although I use Adonis in quite a few projects, it’s based off EISS, an even older admin and therefore may have unknown vulnerabilities,
Adonis would be the only freemodel that would be in the game. We’re practically 100% sure that it’s not a backdoor due to them not doing anything other than the chat exploit.
You should get everyone else involved to check their plugins, mainly builders. I’ve seen some welding plugins copied and used maliciously, and the plugin “owner” impersonates a trusted developer, e.g. TheFurriFish instead of TheFurryFish
If this helps anything, I recently just dealt with a user who was using the same chat exploit in one of the games for a group. We’ve yet to figure out how the exploit happens though, as well.
It shouldn’t be caused by anything on your end. So plugins, free-models avec le malicious scripts, etc. don’t seem to be the source of the problem.
The issue is that a huge string gets passed into a chat remote which doesn’t seem to have a cap on length. If the server also passes a string of this length to other clients (as a chat typically does), then it can impact other client’s performance directly.
After a quick search of the DevForums, a similar issue was found here.
Apparently, there seems to be a crack in Roblox’s chat system, where exploiters are able to fire a RemoteEvent in the chat system. As the string is too long and doesn’t fit the right parameters for the chat, the console will throw a warning. Factor the server processing strings of over 10k+ characters, throwing the warnings in the console, and the remote being fired multiple times within seconds, it takes a toll on the server, leading to worse performance on everyone’s end.
The marked solution in that post is to monitor such events being triggered, and if you notice something abnormal, to kick them. Here’s a server script that I’ve created to combat the exploit:
local characterLimit = 16384 --> Based on console
local counter = {} --> Counts issues from input
local counter2 = {} --> Counts issues from remote firing
local serverBanList = {} --> List of players banned from the server due to the exploit
local defaultMessage = "Abnormal activity was detected."
game.Players.PlayerAdded:Connect(function(player)
if table.find(serverBanList, player.UserId) then
player:Kick(defaultMessage)
else
counter[player.UserId] = 0 --> Number of times input would've caused an error
counter2[player.UserId] = {false, 0, 0} --> isTrackingCount, # of remotes sent by player in a second, # of "strikes"
end
end)
local ChatService = require(game.ServerScriptService:WaitForChild("ChatServiceRunner"):WaitForChild("ChatService"))
local eventListener = game:GetService('ReplicatedStorage').DefaultChatSystemChatEvents:WaitForChild('SayMessageRequest')
--> Detects if the message or channel inputs are abnormal
eventListener.OnServerEvent:Connect(function(plr, message, channel)
if counter2[plr.UserId] and not counter2[plr.UserId][1] then
coroutine.wrap(function() --> Start new thread so it doesn't wait for other "checkers"
counter2[plr.UserId][1] = true
wait(.5)
counter2[plr.UserId][1] = false
if counter2[plr.UserId][2] >= 7 then --> Arbitrary, feel free to change the 7.
counter2[plr.UserId][3] = 1 + counter2[plr.UserId][3]
if counter2[plr.UserId][3] > 1 then
plr:Kick(defaultMessage)
table.insert(serverBanList, plr.UserId)
end
end
end)()
elseif counter2[plr.UserId] then
counter2[plr.UserId][2] = counter2[plr.UserId][2] + 1
end
if not ChatService:GetChannel(channel) then
counter[plr.UserId] = counter[plr.UserId] + 1
end
if string.len(message) > characterLimit then
counter[plr.UserId] = counter[plr.UserId] + 2
end
if counter[plr.UserId] > 1 then
plr:Kick(defaultMessage)
table.insert(serverBanList, plr.UserId)
end
end)
What I’m doing here is having 2 “counters”. One for checking if the input the client is sending the server is abnormal, and another for if the remote is being spammed by the same client. If any of these happen and go over the threshold, it’ll kick the player, and put it on a “ban” list for that server instance.
As far as I’m aware, there’s no current Platform Feedback on this (if there is, do feel free to send me the link, as I’d like to see it). Regardless, it’s a major issue that can be resolved with a minor patch, and it’d be best to insert any sort of check or restrictions on abusing the remote in the meantime, if you believe your game could be the target of such attack/exploit.
