Last night it came to my attention that exploiters were capable of avoiding my game’s ban system. One of the exploiters abusing this exploit told me that they were forcefully desyncing their client from the server by using the method SetOutgoingKBPSLimit under the NetworkPeer class/NetworkClient service. My ban system caches each ban, stores the ban data in a DataStore, and then uses MessagingService to have all other servers store the ban in their caches as well. I use promises to handle updating and getting data to/from the DataStore. How should I go about fixing this?
Enhance the ban system to detect and handle desync(s). You can also enhance the ban system to detect and handle cases where the client becomes desynced from the server. For example, you could track the state of the client and server separately, and compare them to detect when the client has become desynced.
Sweet, thank you! I will try that ASAP.
Coming back to this - do you have tips on how to do this? Should I fire a remote to the client to ping the client and if a ping isn’t sent back for a certain amount of time, consider desynced? Or should I check their ping on server?
Yes, using a remote can be helpful. It’s one approach.
Use a remote event to send a “ping” message from the server to the client. The client can then respond to the ping by sending a “pong” message back to the server. If the server does not receive a pong message within a certain timeframe, it can consider the client to be desynced. As I said, this approach can be useful because it allows you to track the connection between the server and the client in real-time.
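The ping/pong check described in the reply above, written out as an added Roblox Luau example (not code from the original thread or from the poster's game). The remote name, the interval and timeout values, and the kick message are assumptions. Each ping carries a random nonce and the server only accepts a pong that echoes the nonce it last sent, so a client cannot satisfy the check by blindly firing the remote; the timeout is deliberately generous so that an ordinary laggy player is not mistaken for a desynced one.

```lua
-- Server Script (ServerScriptService): heartbeat-based desync detection
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local PING_INTERVAL = 5   -- seconds between pings (assumed value)
local PONG_TIMEOUT = 20   -- seconds without a valid pong before the client counts as desynced (assumed value)

-- Remote shared with the client (assumed name)
local pingRemote = Instance.new("RemoteEvent")
pingRemote.Name = "HeartbeatPing"
pingRemote.Parent = ReplicatedStorage

local lastPing = {}  -- [Player] = nonce of the most recent ping sent to that player
local lastPong = {}  -- [Player] = os.clock() when that player last echoed the correct nonce

Players.PlayerAdded:Connect(function(player)
	-- Start the clock at join time so a fresh player is not kicked before the first ping cycle
	lastPong[player] = os.clock()
end)

Players.PlayerRemoving:Connect(function(player)
	lastPing[player] = nil
	lastPong[player] = nil
end)

pingRemote.OnServerEvent:Connect(function(player, nonce)
	-- Only a pong that echoes the nonce we actually sent counts; anything else is ignored
	if lastPing[player] ~= nil and nonce == lastPing[player] then
		lastPong[player] = os.clock()
	end
end)

task.spawn(function()
	while true do
		local now = os.clock()
		for _, player in ipairs(Players:GetPlayers()) do
			local last = lastPong[player] or now
			if now - last > PONG_TIMEOUT then
				-- No valid pong inside the window: treat the client as desynced and drop it
				player:Kick("Connection to the server was lost. Please rejoin.")
			else
				local nonce = math.random(1, 2 ^ 30)
				lastPing[player] = nonce
				pingRemote:FireClient(player, nonce)
			end
		end
		task.wait(PING_INTERVAL)
	end
end)

-- LocalScript (StarterPlayerScripts): echo the nonce back as the pong
-- local pingRemote = game:GetService("ReplicatedStorage"):WaitForChild("HeartbeatPing")
-- pingRemote.OnClientEvent:Connect(function(nonce)
--     pingRemote:FireServer(nonce)
-- end)
```

Because `FireClient` is fire-and-forget, the server never waits on the client; the loop only reads timestamps the pong handler recorded, so a client that stops replying cannot stall the loop for other players.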
Thank you so much! You’ve helped me from panicking lol! I will get back to you once I finish up implementing this and see how it goes.
So seems it’s working! It seems I’ve fixed the ban bypass and the ping/pong system has helped a bit. Thanks a lot!
Hey, just a little lost here, the “ban” system is on the server right? How can an exploiter “avoid” a ban if the said system forcefully disconnects the client from the server?
That said, I am also slightly concerned about the technology used. Why are you publishing things from MessagingService at all?
Is the datastore essentially a big table containing a whole bunch of user ids?
Why not save if the player is banned where their player data is being saved too?
Just curious, you’ve already had a resolve so there’s no need to reply to this!
The ban system is 100% on the server, yes. MessagingService was used so that each server can write ban messages to the chat (for those who report the offending user and the ban occurs on a different server.) Before I had it delay the kick to show off a ban effect, I don’t know why I did this and I believe that’s what might have allowed them to bypass the ban using the function said in the post. Now the ban system immediately kicks the player, destroys the player instance, and sets the player’s parent to nil. I probably don’t have to do that but my paranoia made me take the extra steps. Please inform me if I don’t have to take those extra steps. I’ve already tested the new patches and my accomplice was unable to bypass the ban. The DataStore does save if the player is banned, length of the ban, and the reason with additional keywords if we ever need to rollback bans.
Ah yeah, I was getting confused; this is a totally viable method for using MessagingService.
I thought you were succeeding DataStore with a cached ban list and updating that list (this could lead to bypasses as it’s a little faulty.)
As long as you call :Kick on the player’s instance and do not let the client control any factors which may get in the way, you should be fine.
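An added Roblox Luau example of the advice in this reply, not code from the thread or from the poster's game: the ban record is written to a DataStore, the offending player is kicked immediately with `:Kick` (no delayed effect that a desynced client could outlast), and MessagingService is only used to tell other servers to refresh their cache and announce the ban, which is how the original poster described using it. The store name, topic name, record fields, and the fail-closed choice when the DataStore lookup errors are all assumptions.

```lua
-- Server Script (ServerScriptService): ban storage, enforcement, and cross-server notification
local Players = game:GetService("Players")
local DataStoreService = game:GetService("DataStoreService")
local MessagingService = game:GetService("MessagingService")

local banStore = DataStoreService:GetDataStore("PlayerBans")  -- assumed store name
local BAN_TOPIC = "BanAnnouncements"                           -- assumed topic name
local banCache = {}  -- [userId] = ban record, or false when known to be unbanned

local function isActive(record)
	if not record then return false end
	if record.expires == nil then return true end  -- permanent ban
	return os.time() < record.expires
end

local function enforce(player, record)
	-- Kick first and unconditionally; nothing on the client side can interfere with this call
	player:Kick(("You are banned: %s"):format(record.reason or "no reason given"))
end

local function fetchBan(userId)
	local ok, result = pcall(function()
		return banStore:GetAsync(tostring(userId))
	end)
	if not ok then return nil, result end  -- result is the error message on failure
	return result or false
end

-- Bans a user; durationSeconds == nil means permanent
local function ban(userId, reason, durationSeconds, moderatorName)
	local record = {
		reason = reason,
		bannedAt = os.time(),
		expires = durationSeconds and (os.time() + durationSeconds) or nil,
		moderator = moderatorName,
	}
	local ok, err = pcall(function()
		banStore:SetAsync(tostring(userId), record)
	end)
	if not ok then
		warn("Ban write failed for", userId, err)
		return false
	end
	banCache[userId] = record
	local target = Players:GetPlayerByUserId(userId)
	if target then enforce(target, record) end
	-- Let other servers drop their cached entry and announce the ban in chat
	pcall(function()
		MessagingService:PublishAsync(BAN_TOPIC, { userId = userId, reason = reason })
	end)
	return true
end

MessagingService:SubscribeAsync(BAN_TOPIC, function(message)
	local data = message.Data
	banCache[data.userId] = nil  -- force a fresh DataStore read on the next join
	local target = Players:GetPlayerByUserId(data.userId)
	if target then
		local record = fetchBan(data.userId)
		if isActive(record) then enforce(target, record) end
	end
	-- Chat announcement hook: e.g. broadcast ("User %d was banned: %s"):format(data.userId, data.reason)
end)

Players.PlayerAdded:Connect(function(player)
	local record = banCache[player.UserId]
	if record == nil then
		local fetched, err = fetchBan(player.UserId)
		if err then
			-- Assumed policy: fail closed so a DataStore outage cannot be used to slip past a ban
			player:Kick("Could not verify your account status. Please try again later.")
			return
		end
		record = fetched
		banCache[player.UserId] = record
	end
	if isActive(record) then enforce(player, record) end
end)
```

The ban check runs on `PlayerAdded` and again whenever a ban message arrives, so a banned user is kicked on every server they are on or try to join; nothing in the flow waits on the client, which is the property the reply above calls for.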
Sweet, thank you!