[DDoS Attack] "105: Serialized value exceeds 4MB limit", even though it's nowhere close to there?

THIS IS USING PROFILE SERVICE

Once in a while, when a player joins it freezes the game for everyone in-game and when checking the console I get this.

I watched a tutorial on how to compress your data and all that, but when I printed the JSON-encoded string it is nowhere close to 4MB (140/4000000).

Can someone tell me what’s going on? This is critical and we’re losing players because of the constant lag spikes.

Edit: Found out that allegedly, it’s a DDoS attack on the game. It seems that occasionally, the whole server starts spiking ping into the thousands and it’s a 50/50 whether you get kicked with the “Please check your internet connection and try again”. Also, we know that there’s nothing we can do about it.

2 Likes

Apparently, it’s a DDoS attack on the game.

For now I would disable saving in your game, or try to find where DataStore service is accessible via a remote event or anything like that and try to protect it.

No remote event accesses the datastore; I even made a specific script that detects remote spam.
But I’ll suggest disabling saving to the lead dev, thank you.

1 Like

Perhaps a remote accesses a value that the datastore automatically saves (for example inventory, pet names, etc.)?

The reason compression decreases it so much is probably because the payload the exploiter is using contains repeated patterns, for example, a huge amount of a specific character in a row.

I assume that if the exploiters use more sophisticated approaches such as generating random noise, they will be able to bypass the safety layer compression provides (especially if the algorithms they use to generate such noise rely on maximizing the string entropy).

Nope. There is no remote that is even involved with the datastore, everything is handled on the server.

Is there any auto-saving aspect which will save when a value is updated?

Are there any remotes related to user input that might write to data that saves in the datastore? For example, can a user set a name for something they own, or add a description to something, etc.?

Nope. In fact, this is the template for the data:
image
And everything is being handled on the server.

How are titles and title colors equipped?
Also, what’s the template of an item?

a Roblox game can be DDoS attacked?

1 Like

Every player has 2 folders, being “Titles” and “TitleColors”. There’s a bool value for each title/color, and the one that is equipped has its value set to true. Then in the template, it’s just the name of the color.

This is what it looks like (if the data were inserted):
image

Everything related to a server and a client (such as a Roblox game instance) can be DDoS attacked. All the client needs to do is take advantage of server-side code vulnerabilities related to client-server communication to send large amounts of data or requests to the server at once so it becomes stressed and can’t handle communication with other clients.

2 Likes

This is probably caused by exploiters that somehow pass fake title/color names to the server. Try investigating for that. They can pass them as a request to equip them, buy them, etc.

So someone is targeting the game then?
(Sorry if my questions are dumb, I’m still learning.)

The whole title system is managed on the server.

Supposedly, some member got mad that they didn’t get staff and hired someone to DDoS the game. But I don’t know how true that is.

1 Like

Yeah, but the core issue is the systems that accept the attack instead of countering it. That’s why all remotes should be rate-limited, sanity-checked, etc.

Basically, every time you create a remote event or function (those are ways for the client to communicate with the server and vice versa) you should ask yourself, “If I were an exploiter, how would I take advantage of this?”

1 Like

I haven’t thoroughly checked the events yet, but I will; as a temporary solution I have made this.
It doesn’t seem to stop anything, though while testing in Studio it seemed to work fine.

Edit: I’m a hired scripter, and looking at the previous scripter’s work, it’s clear that little effort was taken into protecting scripts.

This isn’t related to spam but rather to huge user input at once (a very large string passed as a parameter). So you should search for remotes where that can somehow pass from the parameter to your player data and then to your datastore.
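An added example of the two checks the thread keeps coming back to (rate-limiting and sanity-checking every remote, and making sure an oversized argument can never reach player data or the DataStore). This is not code from the thread or from ProfileService; it assumes a hypothetical RemoteEvent named "EquipTitle" in ReplicatedStorage and the per-player "Titles" folder of BoolValues described above, and the 4MB figure is the DataStore limit quoted in the original error.

```lua
-- Added example (not code from the thread): server-side handler for a
-- hypothetical "EquipTitle" RemoteEvent that rate-limits each player and
-- validates the argument before anything touches player data.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local HttpService = game:GetService("HttpService")

local equipTitle = ReplicatedStorage:WaitForChild("EquipTitle") -- assumed name

local MAX_REQUESTS_PER_WINDOW = 5      -- per player
local WINDOW_SECONDS = 10
local MAX_TITLE_LENGTH = 32            -- no legitimate title name is longer (assumption)
local DATASTORE_LIMIT_BYTES = 4000000  -- the 4MB limit from the error in the thread

-- requestLog[player] = { count = n, windowStart = t }
local requestLog = {}

local function withinRateLimit(player)
	local now = os.clock()
	local entry = requestLog[player]
	if not entry or now - entry.windowStart > WINDOW_SECONDS then
		requestLog[player] = { count = 1, windowStart = now }
		return true
	end
	entry.count += 1
	return entry.count <= MAX_REQUESTS_PER_WINDOW
end

-- Reject anything that is not a short, plain string: wrong type, empty,
-- oversized, or containing characters a title name would never hold.
local function isValidTitleName(name)
	if type(name) ~= "string" then
		return false
	end
	if #name == 0 or #name > MAX_TITLE_LENGTH then
		return false
	end
	return name:match("^[%w ]+$") ~= nil
end

equipTitle.OnServerEvent:Connect(function(player, titleName)
	if not withinRateLimit(player) then
		warn(("[EquipTitle] rate limit hit by %s"):format(player.Name))
		return
	end
	if not isValidTitleName(titleName) then
		-- Log the type and length, never the payload itself, so a huge
		-- string does not end up in the console or in any saved value.
		local len = type(titleName) == "string" and #titleName or "n/a"
		warn(("[EquipTitle] rejected argument from %s (type=%s, len=%s)")
			:format(player.Name, typeof(titleName), len))
		return
	end
	-- Only names that already exist as BoolValues in the player's folder
	-- can be equipped; a fabricated name never becomes a new entry.
	local titles = player:FindFirstChild("Titles")
	local target = titles and titles:FindFirstChild(titleName)
	if not (target and target:IsA("BoolValue")) then
		return
	end
	for _, v in ipairs(titles:GetChildren()) do
		if v:IsA("BoolValue") then
			v.Value = (v == target)
		end
	end
end)

-- Last line of defence before any save: measure the encoded size and refuse
-- to write (and flag it) rather than letting the DataStore raise error 105.
local function isSafeToSave(data)
	local ok, encoded = pcall(HttpService.JSONEncode, HttpService, data)
	if not ok then
		return false, "encode failed"
	end
	if #encoded > DATASTORE_LIMIT_BYTES then
		return false, ("payload is %d bytes"):format(#encoded)
	end
	return true, #encoded
end

Players.PlayerRemoving:Connect(function(player)
	requestLog[player] = nil -- do not let the table grow with departed players
end)
```

Call `isSafeToSave(profileData)` on the table you are about to hand to your save routine; if it returns false, log the byte count and the player, skip the write, and you have found exactly which player's data grew and from which field. The whitelist check (`FindFirstChild` on the existing "Titles" folder) is what actually closes the hole the thread describes, since an attacker-supplied name can then only select an existing value, never create one.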