Developers are not equipped to deal with exploiters

I feel that my post that I made back in February of 2018 would hold some valuable discussion around various types of bans and such;

How there is still no sort of system for this is baffling to me.

17 Likes

On July 1st we pushed a sizable update to our game and transitioned from paid access to free to play. In the one month we’ve been F2P we’ve racked up:

  • 6 million visits with an average player count in the ~2500 range (higher at launch)
  • 2,964 moderator issued bans (~40% assisted by user reports)
  • 25,342 automatic anti-cheat bans at a rate of ~817 per day

Keep in mind that these stats represent our first month after a major release. We expected them to be high. Trying to sample parts of our data to get a strong guess at our monthly ban count moving forwards still gives us a huge number of bans.

It is exhausting and demoralizing dealing with exploiters all the time. The enjoyment I get out of developing games on Roblox doesn’t even start to outweigh the burnout myself and my moderation teams suffer through. It’s so much larger of an issue than just an anti-cheat problem and it never feels like any meaningful progress is made by Roblox to assist developers with these issues.

All the security work in the world won’t make up for the fact that I can’t even keep a person out of my game let alone report them to the platform they’re breaking the rules on. I’m tired of kicking individual accounts after they join. I want to ban a person from my game because I caught them cheating, and I don’t want them coming back or even being able to press play. I want these people to have real consequences for their actions. I want the effort I put into my anti-cheat to not be totally undermined by a social platform that only has one developer facing moderation tool (with outdated docs and no tutorial for making the ban system the docs refer to).

I understand that there is no actual way to keep people from getting around a ban but quite literally anything is going to better than the current nothing we have to work with. Ban evasion getting harder and harder to pull off implies less and less people ban evading. As a developer I’d much prefer to manage a lake instead of an ocean.

There is often a lot of general advice thrown around in anti-cheat and exploit conversations. The sage “Don’t trust the client” tip, securing your remotes, do physics checks, so on and so forth. It’s all great advice and well worth following but it doesn’t change the fact that we are limited in our ability to actually combat problems with our experience. I’m not advocating for increased trust levels for developers, I’m just stating that this is a problem developers are stuck with. We have a by-design disadvantage when it comes to dealing with exploiting problems.

If developers are going to be hand-held when it comes to what we can and can’t do with this platform, then Roblox needs to have a far bigger presence in assisting with serious exploiting issues that developers cannot properly deal with.

155 Likes

I wonder what ever happened to community management tooling that was announced at RDC21? I feel like this could be a great starting point given how prominent groups are used today for hosting communities and experiences. I don’t think it’s merely enough but already a large majority of creators on the platform would significantly benefit from this alone.

There is already an option to restrict play access to group members. Although it does restrict a number of options like having private servers for whatever reason, group bans would still provide a good impasse to joining the group and by extension the experience(s) hosted in said group. Open Cloud APIs could help facilitate this process by issuing a group ban if a user is banned in-experience. At the very least, we still have to build our own tools in this case but now we actually have a means of issuing a real consequence to a bad faith actor.

Like I mentioned in my previous post here and the above post, having a way to employ real consequences for bad behaviour would be a saving grace for myself, my team and my communities. It can really change the notion that developers don’t do enough to combat exploiting in our experiences (we do, but they don’t know Roblox holds our hands and then proceeds not to even give us adequate assistance in a very real problem they acknowledge).

Additionally, I like the analogy above about dealing with a lake rather than an ocean – I couldn’t think of a better way to phrase it. I hate having to think about exploiters constantly and butcher so many core features in my experience because some people relish in ruining others’ entertainment. I hate that there isn’t more clear priority to this issue - and by priority, I’m not talking about what Roblox already does, but rather what they don’t. Roblox can only do so much with the client. We can’t be robbed of a pivotal management aspect of our experiences and be left stranded with no tools to use besides applying our own knowledge to the “review your own code” advice that’s simply regurgitated ad nauseam on anti-exploit threads.

19 Likes

I am with you up until I saw “User with the kick lower-ranked member permission will also be able to ban users from a group”.

If you’ve ever had a group in the last decade or so, kick and ban are very different things. Seeing them merged into a “catch all” is dumb.

If someone were to be in your community and be given that permission, you could hit a few endpoints and ban every user from the group.

Keep ban and kick as separate permissions. This way it’s easier to have some sort of damage control when things go wrong. I can think of a bunch of groups that would be hit by this and people actively abusing the feature.

Still doesn’t really positively affect this post though. A similar system would work. It just needs to be able to be easy enough for developers to employ in their games.

It could be as simple as a :ban(userid) that gets sent to an internal datastore and developers can have the option to unban by clearing an entry out.

As far as the exploiting problem goes, this will help mitigate people but, the majority of kids simply don’t care and will make a new account. Very few people exploit on a main account. Most do it on an alt.

10 Likes

As developers, we don’t have any tooling to deal with bad actors, period. If someone gets reported using the Roblox report system in my game, I would like to know who the reported user is, when they were reported, and the reason. I am not comfortable bringing my users to third party chat websites to report users because the majority of my player base is under the age of 13.

3 Likes

There are games on steam that have to connect to this application where if it detects another sort of injection or application assisting them, it won’t let them play. But Roblox can just imbed this kind of system inside their application, and it’ll be all fine.

I feel like another issue is exploiters able to delete body parts or anything in their character and have it replicate to the server. That’s extremely scary for games that aren’t too popular, since it can break lots of server scripts. I also wish that body objects didn’t replicate to the server, so that exploiters wouldn’t fly, and it’d just be jump power and speed hacks to deal with.

This all can be fixed by an application detection system to see if there’s something out of Roblox communicating with them.

1 Like

Roblox has some very in-depth alt detection code where it tries to pull as many unique identifiers from your machine to figure out who’s playing said game and if it’s an alt

It would be really powerful if developers could use this alt detection with a Ban method, which bans the account and all associated alts from a game.

Obviously, it wouldn’t be perfect, but it’s up to the developer’s discretion on whether to use it or not, and it would probably work more times than it fails given how in-depth it is.

Moderation even outside of exploiting is ridiculous, if your game gets targetted by spam bots, even though its likely coming from the same IP address or machine, we physically cannot do anything to stop the accounts joining.

17 Likes

It’s a bit tone deaf to reply to a post more to do with moderation tooling to handle cheaters than it is about the technical aspect of anti-exploiting. The issues you mention are separate topics worth separate feature requests or, if possible, solutions that can be implemented developer-side.

I feel like the problem isn’t so simple as “install this and that and all will be fine”. No such catch-all exists be it technical or customer support/moderation related. Anything done on the application side is client side. What we’re asking for is tooling to deal with cheaters themselves and their ability to play and ruin our experiences without meaningful consequence.

8 Likes

As a Roblox developer, it is currently too hard to moderate your game. There’s a huge hole for banning, verifications for banning, and unbanning. :Kick() isn’t enough, you can’t kick them or ban them from out of the game. If they’re offline. You can use a table full of user ids, but those get bulky and are hard work maintaining them, since every day I get like 20 exploiter reports probably.

If Roblox is able to address this issue, it would improve my development experience because I would be able to hire moderators extremely easily, with just a simple feature: the Game Dashboard.

There are a few other solutions I must discuss before this, and that’s a couple new functions: The :Ban() and the :BanOutOfGame() function. They do exactly what you’d think they’d do: ban them if they’re in-game or ban them if they’re out of game.

Now, when any of these new kicking functions run, it sends a message to the Game Dashboard saying something like, “Moderator rubixxman banned HackerAlt123 for fly exploiting.” There would also be an option to revoke these bans too.

In case a moderator is going beserk, you can demote them and choose to kick or ban them from the game (both would kick them but banning would not let them come back).

When trying to join the game when banned, you can get met up with a custom kick message set in the Game Dashboard that can say something like, “Appeal in the Discord server” or something.

I almost used a suspicious Discord webhook to hook up ban messages to my Discord server, since Discord blocks Roblox requests, but I realized that Roblox should add a feature where the messages go to THEM.

Now for some backstory

All my moderators joined a clan that the demoted community manager had made, and I’m left with only two moderators (including myself. Though me and the only moderator left hardly ban people). If Roblox were to add this, it would be a complete lifesaver since I’d be able to hire moderators again. But in the meantime, I cannot since they can be teaming with that dangerous clan and just backstab while I’m sleeping, and I’d probably wake up with no players in-game. My game currently has a concurrent player average of 400, yet exploiters are everywhere.

So please Roblox, if the Game Dashboard were added, this would LITERALLY SAVE MY LIFE!!! PLS ROBLOX LISTEN!!!

12 Likes

To prevent API bloat

Ban should take a userid and then work dynamically based on their state

The reason a Ban method would be useful is that Roblox could tie it into their alt detection system and prevent any alts of the same user entering the same game.

The fact this doesn’t exist when its got more positives than negatives.

11 Likes

Sadly, there’s devices to block your IP address and device, so there’s no way to stop alts. I believe it should be harder to make alts in a way, but all I thought of was mandating an Email. But I guess people spam creating Emails happen, so if that happened it’d just put extra security onto everyone. I genuinely thought that Emails were hard to make, but nope I guess not lol.

1 Like

There are no tools that “block your IP address”. There are VPNs, which are limited. IP bans work in practice, I utilize them frequently in non-Roblox games. VPNs have limited IPs. When someone is dedicated enough, they exhaust them. When they’re not, they’re not playing your game. Plus, the barrier of using a VPN already eliminates more than zero people (in fact, a lot more than zero people), which gives it added value.

6 Likes

Yes, but I have a sneaking suspicion that Roblox needs another type of “injector” to play its games and I know this from the fact that when you open task manger there are 2 Roblox applications open so my logic is one of them is some sort of injector and the other is the game

So if they banned injections then they might also be banning the own injector, which again is a guess but I don’t see any other reason

Which Roblox already has in the form of a DLL injector detection system, which is required for exploits. I’m not sure how it works, but it seems like Roblox manually gives it the DLL file hash of known exploits every update, which makes it very easy for exploits to bypass it.

According to the latest release of rbxfpsunlocker, it is related in some way to security, presumably to DLL injection in specific;

// Roblox has a security daemon process that runs under the same name as the client (as of 3/2/22 update). Don't unlock it.

(link)

1 Like

While there can be some workarounds to the players being able to enter the game after he was already kicked, like a code to check if a player is banned and prevent him from entering the actual playable server until he is clear, or stucking him on a “You are banned for …” screen, this feature to prevent even players from joining could really be useful and doesnt seem like even a bit hard for roblox to implement. Currently you have to code so much for something that might even annoy honest players, and that could easily be replaced with something simple like BanService:BanPlayer(userId,releasedate,reason(string)) and BanService:UnbanPlayer(userId).

How will that change with a built-in ban message? You’ll probably already have a datastore script in your game, adding a value and an if check would be pretty simple. And how does a built-in ban message stop honest players from being annoyed at false bans?

I meant that instead of making a waiting server to send non cheaters to the actual game and keep exploiters from doing a minimal damage just by the few time he enters, you could just have a function to block his capacity to click play.

Is there a way for hackers to instead of getting to the core files they screenscrape meaning that they are doing a legitimate process that a honest player would do but its just a bot, and if yes would there be a way to detect that?

Not the right thread for that. A lot of responders to this thread, despite being outlined in the original post and replies, have the misconception that this is about the technicals and development of anti-cheat in experiences. This thread isn’t about that, it’s about the lack of tooling given by Roblox to deal with bad faith actors meaningfully. Help developing anti-cheat should be asked in Scripting Support.

It helps keep the thread clean and focused when we continue to discuss Roblox’s lack of developer tooling for dealing with bad faith actors so they sufficiently know what our real problem is - not that cheaters exist at all and all the different ways we can attempt to combat cheating in-house with various systems we develop, but that we need serious attention towards granting developers real power to sufficiently moderate our experiences. Real moderation tooling and developed anti-cheat in experiences are not the same thing and the latter is strictly limited in scope.

8 Likes