Exploiters crashing my servers, cause unknown

Good to hear at least, but there will be many more, and you can’t be certain it’s the one used against OP’s game. Did you report it yourself?

No, but we were talking about it in the dev forum regular Discord. I’m 99% sure it’s the same exploit happening but can’t know for certain without knowing how it works.

I’d also like to take this opportunity to update you all that Roblox is actively looking into my game and I will get back to you guys with the results sooner than later.

I’ll most likely post a bug report and link this thread to it if the investigation finds nothing or @grilme99’s bug report doesn’t fix the issue presented.

Thank you all for the support, if you have any further ideas please let me know.

4 Likes

What if you put a script in the client and server that tracked literally everything the player does, from changing parts to sending events, to pressing buttons on keyboard, and sends it to a webhook?

Hey there, I am aware of this vulnerability in your game. Contact me on Discord if you would like a fix, but I suggest you keep it to yourself.

Josh.#8574 is my discord

Could you send me the script that you were able to create/modify to bypass it?
I’ve been testing this and it works, so it would be nice to be filled in on what you did to bypass it.

For the simple server-crash (the one that doesn’t take down all of your servers at once), what’s crashing the server isn’t the spamming of the welds. It’s the deletion of the welds. A smart exploiter who isn’t simply using scripts released online knows this, and it’s up to Roblox to fix. Even if you put up some sort of way to kick players or delete the welds, it wouldn’t do anything. The real problem is the replication.

Even if you kick the player, that’s still not fixing the problem of deleting the welds. As you know, you can’t delete an instance the exact moment it’s created, even via ChildAdded; it’ll simply error, saying that something tried to parent the Instance to NULL as it was being parented to wherever. Thus, the welds are forcibly created; there is no getting around it. And even if you kick them, kicking them deletes all of the welds, crashing the server anyway. All an exploiter needs to do is, instead of loop-spamming instance creation, create the instances perfectly simultaneously, and let the server frantically handle attempting to destroy all of the instances.

They simply create the 60,000 welds, then let the script run and drop them in the void or get kicked by the game, and no matter what happens, the welds are deleted and this crashes the server. The only solution is through Roblox preventing its replication.

For the one crashing all of your servers at once, I can guarantee it isn’t a backdoor though; it’s been used on Stickmasterluke’s ‘Fencing’, which hasn’t been updated in years, and hasn’t been worked on by anyone else. Other than that, can’t give any more input on this matter.

@GetGlobals

5 Likes

My game is also having these issues; it’s causing heavy disruption. It seems to lag out the server and everyone’s game then freezes.

1 Like

Do all your servers crash almost simultaneously, and when you try to reconnect the server you see this blurry loading screen?

4 Likes

For the simple server-crash (the one that doesn’t take down all of your servers at once), what’s crashing the server isn’t the spamming of the welds. It’s the deletion of the welds.

It’s either one or the other. The patch provided with the weld crashing has stopped any and all attempts of crashing the server through welds.

Even if you kick the player, that’s still not fixing the problem of deleting the welds. As you know, you can’t delete an instance the exact moment it’s created, even via ChildAdded; it’ll simply error, saying that something tried to parent the Instance to NULL as it was being parented to wherever.

Yes I am aware of the NULL issue.

all an exploiter needs to do is instead of loop-spamming instance creation, create the instances perfectly simultaneously, and let the server frantically handle attempting to destroy all of the instances.

That is a possibility but have you tested this yourself? Or is this just a theory?

They simply create the 60,000 welds, then let the script run and drop them in the void or get kicked by the game, and no matter what happens, the welds are deleted and this crashes the server. The only solution is through Roblox preventing its replication.

They can’t instantly create the welds and drop them into the void, for it to work they have to parent it to their arm and the speed that they would need to clone and parent the welds would immediately get caught in the first place and I’m guessing if it was stopped and it was running with no yielding it would probably catch it between the 500-1000 mark.

For the one crashing all of your servers at once, I can guarantee it isn’t a backdoor though; it’s been used on Stickmasterluke’s ‘Fencing’, which hasn’t been updated in years, and hasn’t been worked on by anyone else. Other than that, can’t give any more input on this matter.

We were very confident that this isn’t a backdoor, but the information of it being used on the fencing game is new. But considering the input from the other posters it doesn’t seem a game being old comes in as a factor.

2 Likes

To verify the causing the server to crash anyway, could you join me into a Club Iris server and do it?
This isn’t me challenging you, it’s just me being curious at this point.

1 Like

They simply create the 60,000 welds, then let the script run and drop them in the void or get kicked by the game, and no matter what happens, the welds are deleted and this crashes the server. The only solution is through Roblox preventing its replication.

Just an update on that: I tested this myself on Club Iris and instantly got kicked. I checked on the server’s state and it was running nominally with no hiccups.

1 Like

Felt like I’d make this public knowledge rather than making an entire thread (although I’ll probably end up going into some more depth).

If you’re using admin commands you’re also at a high risk of your game being crashed. Why’s this? Users can execute commands extremely quickly, and the amount of backend work that’s required for that to be detected is extremely intensive on the server; therefore it ends up turning the game off near instantly.

Adonis is currently the only script I’ve experimented with and created a patch with.

Just a disclaimer, I would recommend continuing to use Adonis if you already are, just be sure to fork it to add a delay to the commands (and make sure they’re not firing quickly)

Sorry if this should’ve been posted elsewhere but I felt it should be known while this thread has attention. I’m aware that your issue is welding but who knows. This may help someone else who is trying to find a reason for their game crashing and comes upon this thread.

3 Likes
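The "add a delay to the commands" advice in the post above can be done as a per-player token bucket that rejects excess commands before any parsing or permission lookup happens. This is an added example, not part of the original post and not Adonis code; `checkCommand`, `forget` and the three limits are hypothetical names and assumed values, and the sample input is constructed.

```lua
-- Added example: per-player token bucket for admin commands (hypothetical names).
local RATE_PER_SECOND = 2   -- assumed sustained rate: 2 commands per second
local BURST = 5             -- assumed burst allowance
local STRIKES_TO_KICK = 20  -- assumed: rejected commands before the caller is removed

local buckets = {}  -- [userId] = { tokens, last, strikes }

-- Returns "run", "drop" or "kick" for one command attempt at time `now` (seconds).
local function checkCommand(userId, now)
	local b = buckets[userId]
	if not b then
		b = { tokens = BURST, last = now, strikes = 0 }
		buckets[userId] = b
	end
	-- Refill in proportion to elapsed time, capped at the burst size.
	b.tokens = math.min(BURST, b.tokens + (now - b.last) * RATE_PER_SECOND)
	b.last = now
	if b.tokens >= 1 then
		b.tokens = b.tokens - 1
		return "run"
	end
	-- Rejected here, before parsing or permission checks, so a flood stays cheap.
	b.strikes = b.strikes + 1
	if b.strikes >= STRIKES_TO_KICK then
		return "kick"
	end
	return "drop"
end

-- Call when the player leaves so the table does not grow without bound.
local function forget(userId)
	buckets[userId] = nil
end

-- Constructed sample: one user sends 30 commands 10 ms apart.
local counts = { run = 0, drop = 0, kick = 0 }
for i = 0, 29 do
	local verdict = checkCommand(1001, i * 0.01)
	counts[verdict] = counts[verdict] + 1
end
print("run", counts.run, "drop", counts.drop, "kick", counts.kick)
forget(1001)
```

In a Roblox server script the key would be `player.UserId`, the clock `os.clock()`, and `forget` would be connected to `Players.PlayerRemoving`; the check has to run on the server, since a client-side delay can simply be skipped.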

Hi, everyone

In response to this, Club Iris currently uses a custom admin script with hardcoded moderators and administrators in the script itself. There aren’t any VIP commands or anything, basically eliminating the possibility of command spam.

This is a good point though and I’m glad you brought this up, if anyone else is experiencing crashing issues I strongly recommend you write your own admin system and stay far from free modeled ones.

These admin systems have presented numerous issues in the past personally from what @NodeSupport mentioned, command spam & unwanted execution and on top of that vulnerabilities that you, the developer, have no control over.

Be careful as to what you put in your game and if you don’t know how a script works, avoid using it or re-write it yourself. There are plenty of helpful posts and users on DevForum willing to assist you in doing so!

6 Likes

Would this possibly be your issue?

4 Likes

If you actually read the majority of the posts this isn’t weld replication abuse.

2 Likes

Sorry! I didn’t mean to offend anyone, just trying to help!

1 Like

If we set the network ownership of a Right Grip to the LocalPlayer, then if the LocalPlayer tries to spam the Right Grip it won’t replicate to the server because it only replicates to the LocalPlayer, which I think would crash them instead of the whole server.

1 Like

Again, I strongly believe weld spam isn’t the culprit in this specific case.

Moreover, I haven’t received any update on this issue in a while so hopefully it has been solved or at least alleviated. I will bump this thread if crashing occurs in the near future.

Thank you all.

2 Likes

NetworkOwnership only works on BaseParts, and weld spam is highly unlikely to be the cause.

1 Like