[DDoS Attack] "105: Serialized value exceeds 4MB limit", even tho it's nowhere close to there?


Once in a while, when a player joins it freezes the game for everyone in-game and when checking the console I get this.

I watched a tutorial how to compress your data and all that, but when I printed the JSON Encoded string it is nowhere close to 4MB (140/4000000)

Can someone tell me what’s going on? This is critical and we’re losing players because of the constant lag spikes.

Edit: Found out that allegedly, it’s a DDoS Attack on the game. It seems that occasionally, the whole server starts spiking ping into thousands and its a 50/50 if you get kicked with the “Please check your internet connection and try again”. Also, we know that there’s nothing we can do about it.


Apparently, it’s a DDoS attack on the game.

For now I would disable saving in your game or try find where datastore service is accessible via remote event or anything like that and try protect it

No remote event accesses the datastore, I made a specific script that detects remote spam even.
But I’ll suggest the saving disabling to the Lead dev, thank you

1 Like

Perhaps a remote accesses a value that the datastore automatically saves(for example inventory, pet names, etc.)?

The reason compression decreases it so much is probably because the payload the exploiter is using contains repeated patterns, for example, a huge amount of a specific character in a row.

I assume that if the exploiters use more sophisticated approaches such as generating random noise, they will be able to bypass the safety layer compression provides(especially if the algorithms they use to generate such noise relies on maximizing the string entropy).

Nope. There is no remote that is even involved with the datastore, everything is handled on the server.

Is there any auto saving aspect which will save when a value is updated

Are there any remotes related to user input that might write to data that saves in the datastore? For example, can a user set a name for something they own, or add a description to something, etc.?

Nope. In fact, this is the template for the data:
And everything is being handled on the server.

How are titles and title colors equipped?
Also, what’s the template of an item?

a Roblox game can be DDoS attacked?

1 Like

Every player has 2 folders, being “Titles” and “TitleColors”. There’s a bool value for each title/color, and there is one that is equipped which the value is true. Then in the template, its just the name of the color.

This is how it looks like (if the data were inserted)

Everything related to a server and a client(such as a Roblox game instance) can be DDoS attacked. All the client needs to do is take advantage of server-side code vulnerabilities related to client-server communication to send large amounts of data or requests to the server at once so it becomes stressed and can’t handle communication with other clients.


This is probably caused by exploiters that somehow pass fake title/color names to the server. Try investigating for that. They can pass them as a request to equip them, buy them, etc.

so someone is targetting the game then?
(sorry if my questions are dumb, i’m still learning)

The whole title system is managed on the server.

Supposedly, some member got mad that they didn’t get staff and hired someone to DDoS the game. But I don’t know how true that is.

1 Like

Yeah, but the core issue is the systems that accept the attack instead of countering it. That’s why all remotes should be rate-limited, sanity-checked, etc.

Basically, every time you create a remote event or function(those are ways for the client to communicate with the server and vice versa) you should ask yourself “If I were an exploiter, how would I take advantage of this?”

1 Like

I haven’t thoroughly checked the events and I will do, but as a temporary solution I have this made.
But it doesn’t seem to stop anything, but while testing on studio it seemed to work fine.

Edit: I’m a hired scripter, and looking at the previous scripter’s work, it’s clear that little effort was taken into protecting scripts.

This isn’t related to spam but rather huge user input at once(a very large string passed as a parameter). So you should search for remotes where that can somehow pass from the parameter to your player data and then your datastore.