Game crashing, blackmailed by "exploiters"

I’ve recently been having this group of people known as the “Bakyl” family / bloodline on ROBLOX threaten me and my staff team, demanding we pay them money in order to “stop their attacks.”

I obviously do not cave in for exploiters or anybody else looking to do malicious damage to people’s assets in order to blackmail them into spending money to stop the attacks. However, I am a bit lost on how exactly this is happening; I cannot think of a single remote event that could be causing this, so I’m wondering if this may be an Engine Bug and if anybody else has been having similar issues.

During the attack:

As you can see the FriendService is being spammed out - making me wonder if this is an engine bug.

After the attack:

(It does not show in the screenshot, but there was no influx of FriendService requests being processed, just normal ones.)

This here is a screenshot of a “panel” they sent to one of my staff members, as I do not communicate with anybody directly besides my own staff:

As seen, it showed some sort of IP address in alleged relation to our game; however, I just don’t believe that ROBLOX’s servers are easily vulnerable like this. So I figured it’s a decoy to try and divert us from looking into the real exploit. I thought it was worth mentioning in this post however.

Game:

From what I have experienced, the “crashes” have been non-stop. But they don’t even seem to be full crashes, just enough to lag everybody insanely to the point they leave the game. Then once the attack stops, the server goes back to normal but begins handling a bunch of requests again.

UPDATED NOTE:

Even though they sent my staff a screenshot of the panel I have uploaded here, it appears they need to be in-game to do these attacks. So I have no reason to suspect it’s an actual DDoS attack.

20 Likes

If they are in a group, just check if a player that joins is in that group and kick them.

1 Like


This is another screenshot they sent in regards to their “system”

Obviously doing that won’t do anything as they’ll just use alts; we have applied an alt ban script with a longer age limit than usual during this time. However, they clearly know what they’re doing and have an absurd amount of alt accounts with an age of a year+.

1 Like

This seems like a simple backdoor with a script that creates thousands of parts to lag you. In this case you should look thoroughly through all your scripts; if there’s part of a script that appears very condensed, long, and impossible to read, then you should delete that part and see if that fixes anything. As well as this, it’s probably one of your developers putting this backdoor there. In that case you should take away their permissions to edit the game one by one and see when the attacks stop.

3 Likes

Try looking up the IP addresses. They could be from some IP address generator.

1 Like

Pretty sure they didn’t block it out, the exploiters did.

1 Like

No I blocked them out to avoid breaking any ROBLOX ToS - I will try that, there’s no chance of there being a backdoor. Everything in our game was commissioned out or made by me directly. I always check commissioned work before adding it into the game as well.

4 Likes

I searched back the IPs, and they do indeed register back to ROBLOX.

3 Likes

I’ve written a Discord bot similar to this for education purposes. Let me explain how it works:

The Roblox API has a link where you can join games (https://assetgame.roblox.com/Game/PlaceLauncher.ashx?request=RequestGameJob&placeId=id&gameId=gameId)

That will respond with various information, but the important information here is that it has “MachineAddress” and “ServerPort” in the header response, which is an IP address and port for the Roblox server running the game instance.

They then use an API with a botnet to DDoS that server on that port, using the method “roblox-down”.

Unfortunately you cannot do anything about it I believe, but one thing that has been a roadblock in my bot is if the place is full, it cannot send a join request as the game is full, so it cannot get the joinScriptUrl which gives them the info they need.

Also, having a game hub (where you go into a hub that lists all the servers, and use ReservePrivateServer to teleport them there) should stop most of them.

(Here is a preview)

UPDATE JULY 2022:
The aforementioned API has been removed. The functional API being used by DDoS’ers is: https://gamejoin.roblox.com/v1/join-game-instance

Here is a simple GitHub repository that can make it easier to understand: https://github.com/recanman/RobloxServerGrabber

9 Likes

Do you happen to know any good tutorials on making a Game Hub? That seems like the only ideal way to address this issue until ROBLOX figures it out.

1 Like

I can actually do it for you, if you’re willing to pay a small amount of robux / USD. Or I could do it for free. Your choice.

My recent Discord account got compromised and disabled, so here is the new one: recanman#9884

Well, what Roblox has been doing is “beefing” (increasing the amount of power) their servers, but it seems the botnets have been increasing their power too.

You cannot “patch” a DDoS attack, as the IP is public and requests can be sent very easily. What CloudFlare and some ISPs do is filter out the packets before they get sent to you, on their level.

2 Likes

Let’s break bread :pray: - I am “er”, sent a friend request.

1 Like

You also have no reason not to believe that Recan is not one of the very same people who was attempting to blackmail you in the first place.

I’m fairly new to Roblox, but from what I’ve gathered, they give you very little if any control over the packet transfer layer of the engine. Meaning you can’t control which packets are sent/received, how they are read, treated, dropped, etc…

If you DID have access to this kind of stuff, then what he says about this not being preventable is completely false, as you can use sanity checks for this sort of thing. If your server receives more than X messages in Y time then you can be pretty certain that this is an attack, and you can simply open a thread to process/drop all of these dummy packets and ban the IP that attempted to send them. The problem is they’re most likely using proxies, or worse, a public-facing proxy like a university campus or similar, meaning if you did just block the IP you’re also preventing all players from that campus from playing as well. Which is a bummer, but you kind of just have to deal with that and handle the “hey I can’t connect” requests from actual players in that area via whatever support channels you have set up.

I know none of that probably applies here if roblox gives you no networking control but I think for this reason and many more it would be great to have SOME basic level of interaction with the packet protocol layer for this and a ton more reasons.

5 Likes

My game and group have also been experiencing extremely similar attacks for the past few days to our game during peak hours from the Bakyl family or at least splinters of them (that screenshot of the panel is nearly identical to what we were sent as well as the person who is making demands is closely associated with the Bakyl family) and demanding we pay them money. We have confirmed that it is a mixture of both actual DDOS attacks as well as traditional exploiters, however regular exploiters are typically easy to deal with as you simply ban them and alts.

For the DDOS attacks, I have learned that what they do is either grab the IP of the server (even if they are banned) by joining for a split second they are able to snatch it, then commence their attack against the actual server itself with an external program or botnet. Additionally, I’ve heard they sometimes use a cookie to send requests without even joining with a player account, then they are able to grab the IP information and then start an attack.

The solution I am most likely going to implement is probably a “lobby” or “hub” place, which is basically a one player starting place, where you can then teleport to the main place from. With this system in place, you are able to ban problematic accounts and they do not even get a chance to join the real server with players in it, thus not giving them a chance to see the IP. Alternate accounts to get around a ban can always be a problem, but implementing a 30 day age limit and (unfortunately) manually banning alternate accounts should fix things.

4 Likes

That is the same exact person who is attempting to blackmail me into paying him money and contacting Roblox obviously lands on deaf ears. It is an actual DDOS botnet attack. I really wish Roblox had a much more solid infrastructure for their servers, the vast majority of mainstream websites and servers almost always have some form of DDOS protection.

2 Likes

Giving players more control of the network would be chaotic.

Ironically, there are dozens of vulnerabilities in their packet protocol (Raknet), which can crash the server from the client.
These bugs still and always will exist. Exposing it or offering more control would make network hacking even worse for ROBLOX.

I’ve never heard of other game engines offering control of the network at a packet level. It’s very risky, and there’s a good reason ROBLOX tries to hide most of it.

Also, as soon as you block their IP, or their host, the hacker will just switch proxies, or use a different host.
There’s really nothing that can be done about DDoS exploits.

The best we can do is wait until ROBLOX patches the root of the problem, when they figure out the DDoS tool that just got leaked.

1 Like

I thought DDoS-ing Roblox servers was impossible, aren’t they under a proxy?

Well, with due respect, I just cannot agree that other engines don’t offer up packet control. In fact, Roblox is one of the very few platforms I’ve encountered that doesn’t expose socket creation/control at some level. This is coming from 15+ years of game development across multiple smaller engines as a hobbyist and 12 years under various consumer-facing companies both minor and major. (Though admittedly, the latter is hardly applicable here.) The big current “free” engines, Unity, Unreal, and GameMaker, all offer some form of socket management. Heck, even RPGMaker has enough plugin support to hook up to node.js/socket.io.

BUT I will relent that they also don’t exist as the same form of “community of creators” that Roblox does. So in that sense, I do agree letting a bunch of children grab the reins of the socket layer would no doubt be chaotic, as you put it. There’s no argument from me there. Especially with how Roblox operates, taking a sort of pseudo-publisher stance and taking the brunt of the responsibility for the games their users create, it probably isn’t wise for them on a number of levels to do this.

But DDOS attacks can be and are dealt with on a daily basis by thousands of companies worldwide, and it’s certainly not by banning each IP that causes the issue. If this weren’t the case then all of the large tech companies wouldn’t stand a chance. Don’t get me wrong, scaling up the bottleneck helps, but it’s definitely not the only solution to the problem. You can take a look at several discussions on DDOS solutions with a simple Google search, so I won’t derail the thread into the ins and outs of how or why.

(I guess I should also clarify that there is no STOPPING a DDOS attack. They’ve been around since the darkages of the internet and are still around for a reason, they work. But that doesn’t mean there’s nothing that can be done for prevention, damage control, and retaliation.)

I just definitely can’t see eye to eye with many of these statements, especially saying that offering more control will make network hacking worse. How would putting more tools in the hands of the developers making the exploited software make things worse? They’re already being exploited. If the best defense people have right now is trying to HIDE an IP address, then I think that’s about exactly as much defense as trying to hide your home address from a potential stalker/threat. It would be nice if we could at least set up some fences and CCTVs around the perimeter…

3 Likes

I’ve done plenty of research since this has become an issue, only to discover that even a “hub” system can still be vulnerable. There is still another way of manually fetching the IP without just the casual API bot allegedly.

This was forwarded to me from one of my staff members who is actively communicating with one of the previous head-guys behind this operation:

I thought I’d make this as I see a lot of misinformation regarding games being attacked on ROBLOX. I do not do LUA code myself but I do code off-site.
Hopefully this helps.

ROBLOX only gives you access to the LUA client which means you cannot actually patch DDoS, you cannot control the outside data coming into your ROBLOX servers however.

(No it is not an FE crash or a bug in your code it is a genuine DDoS attack as ROBLOX games use Servers, it is not manipulation of remotes it is a genuine DDOS attack.)

An account has to actually get the IP of your ROBLOX server, these can be found in the local logs, this is where our defence will lie, stopping them from getting your servers IP.
Once a server has joined and has your server IP there is nothing you can do, that server is subject to DDoS which means,

HOW DO THEY RETRIEVE THE LOGS?

The second method is to go to your Windows search bar and type in %appdata%. This will bring you to your Roaming folder, so at the top, click on where it says “AppData”, click on “Local”, scroll down to find “Roblox”, click on “logs”; you are now in the logs for each Roblox game you have joined. You might want to sort by date so that you can see the most recent by clicking the “Date modified” button (there should be an arrow pointing downwards), then open up the most recent log.

Once you are in the log, ignore the left side of the file; this is mainly the date etc. Scroll down to the bottom of the log to find the IP. It will look something like this:

2021-04-17T04:40:46.681Z,5.681171,18dc,7 [FLog::Network] Replicator created for player 127.0.0.1 53405
The first number is the IP, the second is the port. If the game has a lobby, the first IP/PORT in your log will be the Lobby. The second will be the actual game (provided you have joined it).

Example?

Let’s say you have an account joining your game that is being used to grab the IP for DDOS attacks. You ban it and it rejoins; the account, though banned, will still connect to the server, they are just simply banned. The way to prevent this is through a lobby game: this way, if you ban an account at the lobby and it attempts to rejoin, it will be stopped at the lobby game. Additionally, if they spam-click a server to join it in the lobby game (though banned), it may take some time for the admin script to realise the user is banned; your fix for this is putting a 3 second wait time on people being able to click connect onto a server.

Many people use automated bots that grab game IPs. These use the cookie of an account to send a join request to ROBLOX; they do not actually join the game, which means a joinlogs script would not be effective in stopping them (which is why you will need a lobby game). With a lobby game in the way, all clients must manually connect.

However, let’s say you have your lobby game set up and you are being DDoSed. You will need to rely on your staff team to find the accounts that are being used to DDoS. This is usually done through Joinlogs on an admin script, by trial and error: you see a user frequently joining servers then leaving, or a user who is in-game that you don’t recognise/trust every single time you are being DDoSed. This is usually the account you need to ban at your lobby game.

If you have a lobby game, something very advised is a script that will kick/ban users with newly created accounts (around three months usually). This will make the attackers limited in their supply of alternate accounts; eventually they will run out of them.

The best defence against DDOS is a staff team who can mark each account that joined using a join logs script, investigating each and every individual account. However, without a lobby game this is all futile. Another thing that can be done is if a server is being attacked and user pings spike to X amount (very high), you can teleport them all back to the lobby.

1 Like
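A lobby-place server script that combines the defences described in the post above and in the earlier “lobby or hub” suggestion: an account-age check, a ban check before any teleport, a 3 second cooldown on the Connect button, a join log line per player, and a reserved private server so only screened players are ever handed a game server. This is an added example, not code from the thread; MAIN_PLACE_ID, the “LobbyBans” DataStore and the ConnectRequest RemoteEvent are assumed placeholders you create yourself.

```lua
-- Lobby place server Script (added example, not from this thread). Placeholders you
-- create yourself: MAIN_PLACE_ID, the "LobbyBans" DataStore, the ConnectRequest RemoteEvent.
local Players = game:GetService("Players")
local TeleportService = game:GetService("TeleportService")
local DataStoreService = game:GetService("DataStoreService")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local MAIN_PLACE_ID = 0           -- placeholder: your main place id
local MIN_ACCOUNT_AGE_DAYS = 90   -- about three months, as the post suggests
local CONNECT_COOLDOWN = 3        -- seconds, as the post suggests

local banStore = DataStoreService:GetDataStore("LobbyBans")
local connectRequest = ReplicatedStorage:WaitForChild("ConnectRequest")
local lastAttempt = {}            -- UserId -> os.clock() of last connect request
local reservedCode                -- one shared private server; a real hub keeps a list

local function isBanned(userId)
    -- DataStore calls can fail; a failed lookup means "unverified", not "banned"
    local ok, value = pcall(banStore.GetAsync, banStore, tostring(userId))
    return ok and value == true
end

-- Screen here so a banned or too-new account never reaches a populated game server.
Players.PlayerAdded:Connect(function(player)
    print(("[JoinLog] %s (%d) age=%d days"):format(player.Name, player.UserId, player.AccountAge))
    if player.AccountAge < MIN_ACCOUNT_AGE_DAYS then
        player:Kick("Account is too new to join")
    elseif isBanned(player.UserId) then
        player:Kick("You are banned")
    end
end)

-- The lobby's Connect button fires this. Rate-limit it on the server and
-- re-check the ban list so a spam-clicked button cannot outrun the ban.
connectRequest.OnServerEvent:Connect(function(player)
    local now = os.clock()
    if lastAttempt[player.UserId] and now - lastAttempt[player.UserId] < CONNECT_COOLDOWN then
        return
    end
    lastAttempt[player.UserId] = now
    if isBanned(player.UserId) then
        player:Kick("You are banned")
        return
    end
    if not reservedCode then
        local ok, code = pcall(TeleportService.ReserveServer, TeleportService, MAIN_PLACE_ID)
        if not ok then return end
        reservedCode = code
    end
    TeleportService:TeleportToPrivateServer(MAIN_PLACE_ID, reservedCode, { player })
end)
```

The main place needs a matching ban check on its own PlayerAdded, since a reserved server’s access code only limits who can be teleported in, not who was already inside when a ban is added.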

This is also the main way used in their bots that they create.

There is also another way with a script executor that gets them the IP address, not sure if they get the port. I don’t have the code to that.