Recently, a game that I develop for has been getting shut down by exploiters. They claim to be utilizing a DoS attack - although I believe this to be infeasible, as Roblox operates on AWS, and is capable of hosting millions of concurrent players.
This raises the question, what ingame vulnerabilities would give exploiters the ability to do this?
We’ve tried:
- Checking for backdoors - we’ve found nothing so far
- Watching RemoteEvents & RemoteFunctions being fired by clients - nothing suspicious.
Here’s an example of the crash exploit being used ingame:
To determine if the crash was due to a script vulnerability, we got them to try and crash an empty baseplate. They were able to crash the empty baseplate - this doesn't seem to be a script vulnerability.
I can’t help but have to admit that the fact that these people can do such things is quite annoying, frustrating and frightening.
Who knows what they’ll do next. I was just thinking that maybe they were using the developer console, but if the game is FilteringEnabled, then this would make no sense. And I would really doubt they hacked into the right server just to annoy everyone. I guess I can’t do anything and just find ideas.
Only the creators have access to the developer console. Exploits such as Synapse provide access to a client-sided console, although this shouldn’t be an issue if precautions are taken when structuring the networking.
Hacking into the server isn’t a viable explanation for exploits on Roblox either.
I’m not an expert when it comes to networking, but I think Roblox might be “sharding” their AWS servers or creating virtual machines for each Roblox game server. If the player limit for a server is low, like 10 players per server, you don’t need as many resources as a 100 player server. If these hackers claim to be performing a Denial of Service attack, they’re likely taking down a single game server by overloading it with high and stable bandwidth.
I don’t think it is possible to DDoS a Roblox server, as that would take a lot of digging because they would have to find that specific server and take it down. So I wouldn’t believe anyone who says they are DDoSing a Roblox server. But don’t cross it off, as who knows, a new exploit may have been found to easily take down a Roblox server.
I don’t know why they have logs either lol. But even if they didn’t, you could use a program like Fiddler to spy on all incoming and outgoing network connections.
Cloudflare by itself does only protect against HTTP attacks; however, there is a service called Cloudflare Spectrum, which protects any TCP/UDP application, that companies like Hypixel use, and Roblox being a company as big as it is, I can totally see it being utilized.
I recently saw this post, about 2 weeks ago or so, about DataSendKbps and DDoSing/DoSing. I saved the script he sent in one of my Discord chats just in case I needed it. If anyone could link the post that would be great! But anyways, here’s the code sample I got.
Yes, this is for a local script, but you could easily detect if they’re trying to delete the script with a server script.
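```lua
-- LocalScript: kicks the local player if this client's outbound bandwidth is abnormally high
local Stats = game:GetService("Stats")
local Players = game:GetService("Players")
local player = Players.LocalPlayer

while true do
    task.wait()
    -- DataSendKbps: roughly how many kilobytes per second this client is sending
    if Stats.DataSendKbps >= 500 then
        player:Kick("Stop trying to DDOS")
    end
end
```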
You can see he’s UDP flooding the server itself if you look at his PuTTY console. This isn’t impossible to do; all you need is a good stresser that can UDP flood the server.
So looking at the output from GUCCI?? console. It seems to say “Broadcast instructions to 217 devices”. If that is the case then they are possibly using a botnet they have under their control to do a UDP flood to the VM that particular game instance is running on.
From what I understand Roblox game servers are all running on AWS. The IP in the client logs relates to the particular VM, the port possibly to the instance or the player on that instance. One physical host will be running multiple game VMs simultaneously using containerisation. You have to wonder if flooding one VM with traffic would affect others on the same machine. Probably not.
I would have thought they could circumvent a UDP flood by filtering the inbound traffic at the network layer on the VM instance (iptables?) and only permit traffic from authenticated clients playing on that game. Even better would be to back it out to the edge where they do the load balancing and script a rule at that point to maintain a list of players-to-VM game instance. If the inbound IP doesn’t match an existing player on that destination instance then discard.
I did see a load balancer engineer job advertised for Roblox and thought “Hmm, would be nice.”
You can’t thwart that with Afraid4Life’s client side script as the flood comes from sources other than a player client. Probably quite a few ways in which Roblox could stop this happening at the edge but it would need the tech to be aware of each player source.
Cloudflare is not going to stop it as it is such low volume targeting only one game instance. Just annoying to the people who made that game that is targeted.
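The edge rule proposed in the reply above, sketched as an added example (not code from the thread or from Roblox): it keeps a players-to-instance list and discards any datagram whose source is not a current player on the destination instance. The per-source packet cap is an added assumption, included because UDP source addresses can be forged; every address, port and limit below is constructed.

```python
# Added illustration: per-instance source allowlist plus a per-source rate cap.
# Class name, addresses, ports and limits are constructed for this example.
from collections import defaultdict


class EdgeFilter:
    def __init__(self, max_pps=60):
        self.max_pps = max_pps            # assumed per-player packets-per-second budget
        self.players = defaultdict(set)   # (dst_ip, dst_port) -> {player src_ip}
        self.window = {}                  # (instance, src_ip) -> [second, count]

    def player_joined(self, instance, src_ip):
        self.players[instance].add(src_ip)

    def player_left(self, instance, src_ip):
        self.players[instance].discard(src_ip)
        self.window.pop((instance, src_ip), None)

    def admit(self, ts, src_ip, instance):
        """Return True if a UDP datagram should be forwarded to the instance."""
        if src_ip not in self.players.get(instance, ()):
            return False                  # source is not a player on that instance
        key, sec = (instance, src_ip), int(ts)
        slot = self.window.get(key)
        if slot is None or slot[0] != sec:
            slot = self.window[key] = [sec, 0]   # start a new one-second window
        slot[1] += 1
        return slot[1] <= self.max_pps    # caps an allowed (or forged) source


def run_sample():
    """Replay constructed traffic and return (forwarded, dropped) counts."""
    game = ("198.51.100.10", 53640)       # constructed game instance
    other = ("198.51.100.10", 53641)      # second instance on the same host
    f = EdgeFilter(max_pps=60)
    f.player_joined(game, "203.0.113.5")
    f.player_joined(other, "203.0.113.9")

    packets = [(1.0 + i / 100, "203.0.113.5", game) for i in range(30)]   # normal play
    # Flood from 217 sources that are not players on this instance
    packets += [(1.0 + i / 1000, f"192.0.2.{i % 217 + 1}", game) for i in range(1000)]
    packets += [(1.5, "203.0.113.9", game)]                                # wrong instance
    # Burst that carries a legitimate player's address (forged or abusive)
    packets += [(2.0 + i / 1000, "203.0.113.5", game) for i in range(500)]

    forwarded = sum(f.admit(ts, src, inst) for ts, src, inst in packets)
    return forwarded, len(packets) - forwarded
```

The allowlist alone drops the 217-source flood and the cross-instance packet; the rate cap is what limits the final burst, which an address check by itself would forward in full.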
Exploiters will always find a way to ruin or exploit games. There will always be those people and we cannot get rid of them. All we can do is basically fortify ourselves and hope that the most experienced exploiters do not come to ruin our games.