The Furry Island by Furry Project 2, a fairly popular hangout game, has been experiencing a large number of crashes recently from an unknown cause.
The symptoms are an extreme amount of lag in the server, before the server eventually disconnects all players. Occasionally, I am crashing with no crash reason indicated in the ini file generated in the archive folder of ROBLOX logs.
The issue is caused by an exploiter, as a suspicious player will join the game shortly before the crash occurs ( generally an obvious alt, ) and in the case that they can be kicked before the server totally crashes, the lag will cease.
Listening to remotes (and disabling ones and such) have indicated no issue in relation to the events of the server, as tracking all remotes being fired/invoked shows no spam to any remote.
In the developer console, the scripts tab shows no server-side script activity that would be out of normal levels, but the memory tab shows a large memory spike in the “Replicator” section while the crashing is occurring.
Is there any known exploit going around causing this crash, or otherwise, any way that I can try to diagnose and patch it in order to stop the targeting that is currently occurring to this game?
What’s probably happening here is when the exploiter joins the server, they’re grabbing the server’s IP/port and then proceed to launce a DDoS attack. I don’t think there’s anything you can do scripting wise to solve this
Does your afflicted games use Adonis? TFP uses Adonis as well.
I get the crash message on occasion. Check your logs at %localappdata%\Roblox\logs\archive and tell me if the INI files contained in there have a CrashReason included (near the top of the file.) Mine do not.
As @mew903 said, this is most likely caused by a DDoS attack. I’ve noticed that while you can’t send request from the client to a web sever, you can do it in reverse. This thus causes the game server to eventually shutdown. The main reason this happens is due to how the firewall is setup. The server will allow all requests in and out. This fix is to only allow requests out. Now, this may break a lot of games, so it is not the highest solution. The best solution would be to make something like Cloudflare to protect servers from DDoS.
DDoSing games isn’t new, it just became more popular. The only way to stop it really is to disable HTTP requests from the server.
The problem with that is directly DDoSing a ROBLOX endpoint is very unlikely. Generally, what happens is that the denial of service is performed through the game endpoint level where some piece of code running on the game server, either by ROBLOX or the game developer, is used to take down the game.
Additionally, this specific case can not be caused by a traditional DDoS attack, as the game server does not experience any issues when the problematic players are removed, as described by the third statement in the original post. If this was a brute DDoS attack against a ROBLOX endpoint, this would mean that the game server would crash regardless of the status of the problematic player in the game.
If I find other exploits that can crash servers, I will report them immediately, currently the ones that work right now are going to being patched very soon.
For my game, players don’t need to be in the server for the game to crash. Users also has enlightened me that people are ddosing the server and want robux for it (ransom) for the acts of terror to cease. As you can see here they can somehow obtain all the server’s ip’s.