Ensuring that the server knows about every shot fired

Hey,

I have questions on how I can implement a couple features while keeping them safe from exploiters.

My game involves weapons. Currently, I’m performing raycasts on the client and only firing a remote to the server if it hit something.

The first thing I’m stuck on is how I can make sure the server knows about every shot fired. I would fire a remote every time the player takes a shot, but I’m aware that exploiters could just stop firing it, thus making the server think that they never run out of ammo.
How can I make sure the server knows about every shot a client fires without opening up a vulnerability?

Another problem is calculating the player’s ping. This topic suggests sending the client a random number that they must return, preventing an exploiter from faking a ping lower than their actual ping. However, I also need to make sure an exploiter doesn’t wait before returning the number as that would make their ping seem higher.
How can I calculate ping accurately while preventing an exploiter from spoofing it?

Thanks in advance.


A smart exploiter can spoof their own ping independent from Roblox (take lag switching for example) so you can’t really do anything about this. Your solution will be circumventable.

Your current logic is that you need to know when the client fires. That’s faulty logic. The correct logic is that the client has to request the server to fire (i.e. shooting raycasts / target check). The client won’t fire anything unless they ask the server.


In my particular case, I want to penalize players for missing a shot. I understand what you’re saying, but I don’t know how to prevent an exploiter from requesting to fire only when they know that they hit something. If they do that, then the server will never know about remaining ammo or missed shots.

I don’t think I explained this well. Currently, the client performs a raycast when their weapon is used. If they hit something, then they tell the server the shot’s origin and direction. The server then checks if the origin is reasonable before performing its own raycast to see if something was actually hit.

Do the raycasting on the server, and only the server, and send the result to the client. That way, they can’t fake a hit.

Get as little data from the client as possible - if the casting can be done server-side, do it server-side. You can get the character’s position, their tools, etc. from the server.

You have to know that the player tried to take a shot i.e. you send your origin and direction to even know that they missed the shot. You’d raycast and see they hit nothing and therefore they are penalized.

If they decide to block signals and make it send nothing, then their shots just do nothing. Think of it this way: is a bullet that does no damage a “missed shot”? Or is a bullet that could have done damage but misses a “missed shot”? That’s what I am talking about. (Assuming you do all projectiles on the client but not the damage.)
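The server-side handling described in the replies above, as an added example that is not part of the original thread: every fire request costs ammo and is raycast by the server, so a request the client withholds simply does no damage. The RemoteEvent name `FireWeapon` and all constants are assumptions, and this does not stop a client from only requesting shots it has pre-checked, which the thread itself notes.

```lua
-- Server Script (added example). Assumed: a RemoteEvent named "FireWeapon"
-- in ReplicatedStorage; all constants below are constructed values.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local fireWeapon = ReplicatedStorage:WaitForChild("FireWeapon")

local MAX_AMMO, DAMAGE, RANGE = 30, 20, 500
local FIRE_INTERVAL = 0.1     -- seconds between accepted shots
local MAX_ORIGIN_OFFSET = 10  -- studs the claimed origin may be from the character

local state = {} -- [Player] = { ammo, lastShot, misses }; lives only on the server

Players.PlayerRemoving:Connect(function(player)
	state[player] = nil
end)

fireWeapon.OnServerEvent:Connect(function(player, origin, direction)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then return end

	-- Remote arguments are client-controlled: check types, and write the
	-- range checks so that NaN components fail them.
	if typeof(origin) ~= "Vector3" or typeof(direction) ~= "Vector3" then return end
	if not (direction.Magnitude > 1e-3) then return end
	if not ((origin - root.Position).Magnitude <= MAX_ORIGIN_OFFSET) then return end

	local s = state[player]
	if not s then
		s = { ammo = MAX_AMMO, lastShot = 0, misses = 0 }
		state[player] = s
	end

	local now = os.clock()
	if s.ammo <= 0 or now - s.lastShot < FIRE_INTERVAL then return end
	s.lastShot = now
	s.ammo -= 1 -- charged for every accepted request, hit or miss

	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { character }
	local result = workspace:Raycast(origin, direction.Unit * RANGE, params)
	local model = result and result.Instance:FindFirstAncestorOfClass("Model")
	local humanoid = model and model:FindFirstChildOfClass("Humanoid")
	if humanoid then
		humanoid:TakeDamage(DAMAGE)
	else
		s.misses += 1 -- the miss penalty is decided here, not by the client
	end
end)
```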

I understand this, but what I’m asking is whether or not an exploiter can perform their own raycast before sending it to the server and only tell the server to fire a shot if their own raycast hit something. The exploiter could perform as many raycasts as they wanted, and only tell the server about the ones that hit their mark.

Thank you for your reply, but my problem is not about faking hits; I am already performing the raycasts on the server. Please look at this reply for my question.

Yes, they can. This is why aimbot is usually difficult to patch because you have to discern good players from exploiters.

There’s a research paper online that entails using AI to solve this problem which relies on the fact that hackers in FPS games have inconsistent performance.


If you have the link, would you mind sharing that article?

Here you go.

