FPS anti exploits?

Hi, I’m currently working on a PvP shooter game. My problem is that it’s extremely vulnerable to simple exploits. When you shoot someone, it generates a ray and checks if you hit someone, then sends the hit to the server in a RemoteEvent. I tried having the server make its own validation ray from the shooter to the victim, but the delay is too long and it would fail 80% of the time. How do games like Phantom Forces solve this?

3 Likes

In a frame-sensitive game such as FPS, you want to get that hit detection to the server as fast as possible. This could mean scrapping hit detection on the client completely.

On shoot, fire to the server with the position from which you fired and play local feedback animations/FX immediately.

Server receives information, and does a quick distance check to ensure the remote is not fraudulent (check character position vs the given position).

Server creates ray and handles all hit detection from there. Rays are very inexpensive and should not cause any issues on the server.

When done correctly the round trip time should be very short for actual client damage feedback (hit marker, damage popup, etc). ~100ms is easily achievable with a decent client-server latency.

4 Likes
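The flow in the post above as a Roblox server Script. This is an added example, not code from the thread. The RemoteEvent name `Shoot` and the tolerance, range and damage constants are assumptions.

```lua
-- Added example: server-authoritative hit detection (server Script).
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local shootEvent = ReplicatedStorage:WaitForChild("Shoot") -- assumed RemoteEvent name
local MAX_ORIGIN_ERROR = 8 -- studs tolerated between claimed origin and server view (assumed)
local WEAPON_RANGE = 500   -- studs (assumed)
local DAMAGE = 25          -- assumed

shootEvent.OnServerEvent:Connect(function(player, origin, direction)
	-- Remote arguments are client-controlled: check their types before use.
	if typeof(origin) ~= "Vector3" or typeof(direction) ~= "Vector3" then
		return
	end
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then
		return
	end
	-- Distance check from the post. Written as "not (x <= limit)" so that NaN
	-- components, which fail every comparison, are rejected as well.
	if not ((origin - root.Position).Magnitude <= MAX_ORIGIN_ERROR) then
		return
	end
	local length = direction.Magnitude
	if not (length > 0.01 and length < math.huge) then
		return
	end

	-- The server casts the ray itself; the client never names a victim.
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { character }
	local result = workspace:Raycast(origin, direction.Unit * WEAPON_RANGE, params)
	if not result then
		return
	end
	local model = result.Instance:FindFirstAncestorOfClass("Model")
	local humanoid = model and model:FindFirstChildOfClass("Humanoid")
	if humanoid and Players:GetPlayerFromCharacter(model) then
		humanoid:TakeDamage(DAMAGE)
	end
end)
```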

In addition to this, to give the player the illusion of their shots hitting, handle the hit detection client-side too, so you can give them feedback such as enemy health bar changes, hit markers and blood particles immediately.

You may think this is lying to the player, and in a sense you are, but unless a player has pretty bad ping (or if they are a hacker), this should be perfectly fine and just adds to the experience.

1 Like

You got two suggestions to do hit detection on the server. It’s certainly a solution, but I don’t like it. I hate having to lead my bullets some mystery distance in front of my enemies based on my lag. I just hopped into a jailbreak server to see what a typical ping is for me, and I got 150 ms. This would be a bad experience.

If you trust the client, you’ll give your players a better experience. If a player shoots from one location to another, send the ray to the server and you can check if it’s reasonable (that is, whether the two players are approximately at each end of the ray, and whether there was any anchored obstruction in-between them).

Aimbots will still be a pain (they’ll be a pain no matter what). Consider adding:

  1. Vote to kick
  2. Dedicated servers for cheaters
  3. Spectate mode, so you can see in first person what a player is doing (humans are good at seeing cheaters)
  4. More sophisticated detection, e.g., is the player snapping to their targets very fast; are they achieving unusually high hit percentages, etc.
  5. Aimbots for all players, so positioning and teamwork matter way more than aim.

I did a quick look around the internet to figure out how different games do it. I know TF2 and Overwatch both use client-side detection. I think BF4 uses server-side, but I couldn’t find anything explaining the system and instead found people just complaining about the hit detection, so make of that what you will, lol.

4 Likes
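A server Script for the plausibility check described in the post above: the client reports the ray, and the server confirms that both players are near its ends and that nothing anchored lies between them. This is an added example, not code from the thread. The RemoteEvent name `ReportHit`, the tolerances and the damage value are assumptions.

```lua
-- Added example: server-side sanity check of a client-computed hit.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local hitEvent = ReplicatedStorage:WaitForChild("ReportHit") -- assumed RemoteEvent name
local SHOOTER_TOLERANCE = 8 -- studs (assumed)
local VICTIM_TOLERANCE = 10 -- studs; loose enough to absorb latency (assumed)
local DAMAGE = 25           -- assumed

local function rootOf(character)
	return character and character:FindFirstChild("HumanoidRootPart")
end

-- True if an anchored part lies on the segment. Unanchored parts are added
-- to the exclude list and the cast repeats, so they cannot mask a wall.
local function anchoredObstruction(from, to, ignore)
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	for _ = 1, 10 do
		params.FilterDescendantsInstances = ignore
		local result = workspace:Raycast(from, to - from, params)
		if not result then
			return false
		elseif result.Instance.Anchored then
			return true
		end
		table.insert(ignore, result.Instance)
	end
	return true -- too many layers to resolve: fail closed
end

hitEvent.OnServerEvent:Connect(function(player, origin, hitPosition, victim)
	-- Remote arguments are client-controlled: check their types before use.
	if typeof(origin) ~= "Vector3" or typeof(hitPosition) ~= "Vector3" then return end
	if typeof(victim) ~= "Instance" or not victim:IsA("Player") then return end
	if victim == player then return end
	local shooterRoot, victimRoot = rootOf(player.Character), rootOf(victim.Character)
	if not (shooterRoot and victimRoot) then return end
	-- Both ends of the claimed ray must be near where the server sees the
	-- players. "not (x <= limit)" also rejects NaN components.
	if not ((origin - shooterRoot.Position).Magnitude <= SHOOTER_TOLERANCE)
		or not ((hitPosition - victimRoot.Position).Magnitude <= VICTIM_TOLERANCE) then
		return
	end
	if anchoredObstruction(origin, hitPosition, { player.Character, victim.Character }) then
		return
	end
	local humanoid = victim.Character:FindFirstChildOfClass("Humanoid")
	if humanoid then
		humanoid:TakeDamage(DAMAGE)
	end
end)
```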

Games won’t usually say what their server-sided anti-cheat is, as cheats can use this information to their advantage. You can’t make an exploit based around an anti-cheat if you don’t know what the anti-cheat is.

You could create a visualization of the shot/hit effects on the client, as you don’t need the server’s approval for that. If the player hit the target, fire a RemoteEvent and make a check to confirm the hit. For players with high ping you could assume a bigger hit box and damage the target only if the hit was within a few studs of the target base point.
Even if that method will fail sometimes, it won’t affect the gameplay.

As for aimbots, there is no way to guarantee a patch. Though, you can hide some code in the client to detect unusual behavior.

no no no no no no no (no)… no

Trusting the client is a VERY BAD THING™. The presence of latency in a game using the client-server model is a well-known problem, and “just trust the client” is generally not considered a good solution. Here are some articles/papers for reference:

Glenn Fiedler: What Every Programmer Needs To Know About Game Networking
John Carmack discussing QuakeWorld’s networking model
Yahn W. Bernier: Latency Compensating Methods in Client/Server In-game Protocol Design and Optimization

Now, this stuff is hard (and involves dealing with time-travel nonsense), and the techniques described really have to be tweaked for the particular game mechanics in question. However, they solve the problem without resorting to trusting the client, and they have a strong theoretical foundation.

3 Likes

You can do client-side hit detection and server-side verification. That way, you get the best of both worlds, for a bit more work (depending on how rigorously you do the server-side verification). Having no checks at all on the server is bound to end in tears.

Overwatch uses a model where they run the entire simulation of every player on both the server and the client, and then the server corrects the player when they are doing something that desyncs them enough from the server’s simulation.

3 Likes

Yeah, I did try to explain in paragraph two a decent way to verify server-side that the results are sensible. You shouldn’t just blindly accept a message from the client saying “I dealt this much damage to player X”, but I think the act of hitscan checking should be done on the client. Otherwise, people with a ping of 200 are at a severe disadvantage to those with a ping of 50.

3 Likes