Game crashing, blackmailed by "exploiters"

Well, with due respect, I just cannot agree that other engines don’t offer up packet control. In fact, Roblox is one of the very few platforms I’ve encountered that doesn’t expose socket creation/control at some level. This is coming from 15+ years of game development across multiple smaller engines as a hobbyist and 12 years under various consumer-facing companies both minor and major. (Though admittedly, the latter is hardly applicable here.) The big current “free” engines being Unity, Unreal, and GameMaker all offer some form of socket management. Heck, even RPGMaker has enough plugin support to hook up to node.js/socket.io.

BUT I will relent that they also don’t exist as the same form of “community of creators” that Roblox does. So in that sense, I do agree letting a bunch of children grab the reins of the socket layer would no doubt be chaotic, as you put it. There’s no argument from me there. Especially with how Roblox operates taking a sort of pseudo-publisher stance and taking the brunt of the responsibility for the games their users create, it probably isn’t wise for them on a number of levels to do this.

But DDOS attacks can be and are dealt with on a daily basis by thousands of companies worldwide and it’s certainly not by banning each IP that causes the issue. If this weren’t the case then all of the large tech companies wouldn’t stand a chance. Don’t get me wrong, scaling up the bottleneck helps, but it’s definitely not the only solution to the problem. You can take a look at several discussions on DDOS solutions with a simple Google search so I won’t derail the thread into the ins and outs of how or why.

(I guess I should also clarify that there is no STOPPING a DDOS attack. They’ve been around since the dark ages of the internet and are still around for a reason, they work. But that doesn’t mean there’s nothing that can be done for prevention, damage control, and retaliation.)

I just definitely can’t see eye to eye with many of these statements, especially saying that offering more control will make network hacking worse. How would putting more tools in the hands of the developers making the exploited software make things worse? They’re already being exploited? If the best defense people have right now is trying to HIDE an IP address, then I think that’s about exactly as much defense as trying to hide your home address from a potential stalker/threat. It would be nice if we could at least set up some fences and CCTVs around the perimeter…

3 Likes

I’ve done plenty of research since this has become an issue, only to discover that even a “hub” system can still be vulnerable. There is still another way of manually fetching the IP without just the casual API bot allegedly.

This was forwarded to me from one of my staff members who is actively communicating with one of the previous head-guys behind this operation:

I thought I’d make this as I see a lot of misinformation regarding games being attacked on ROBLOX. I do not do LUA code myself but I do code off-site.
Hopefully this helps.

ROBLOX only gives you access to the LUA client which means you cannot actually patch DDoS, you cannot control the outside data coming into your ROBLOX servers however.

(No it is not an FE crash or a bug in your code it is a genuine DDoS attack as ROBLOX games use Servers, it is not manipulation of remotes it is a genuine DDOS attack.)

An account has to actually get the IP of your ROBLOX server, these can be found in the local logs, this is where our defence will lie, stopping them from getting your servers IP.
Once a server has joined and has your server IP there is nothing you can do, that server is subject to DDoS which means,

HOW DO THEY RETRIEVE THE LOGS?

The second method is to go to your windows search bar and type in %appdata%, this will bring you to your roaming folder so at the top, click on where it says “appdata”, click on “local”, scroll down to find “ROBLOX”, click on “logs”, you are now in the logs for each roblox game you have joined. You might want to sort by date so that you can see the most recent by clicking the “date modified” button, there should be an arrow pointing downwards, open up the most recent log.

Once you are in the log ignore the left side of the file, this is mainly the date etc. Scroll down to the bottom of the log to find the IP. Will look something like this

2021-04-17T04:40:46.681Z,5.681171,18dc,7 [FLog::Network] Replicator created for player 127.0.0.1 53405
The first number is the IP, the second is the port. If the game has a lobby, the first IP/PORT in your log will be the Lobby. The second will be the actual game (provided you have joined it).

Example?

Let’s say you have an account joining your game that is being used to grab the IP for DDOS attacks, you ban it and it rejoins, the account though banned will still connect to the
server, they are just simply banned, the way to prevent this is through a lobby game, this way if you ban an account at the lobby and it attempts to rejoin, it will be stopped
at the lobby game, additionally if they spam click a server to join it in the lobby game (Though banned) it may take some time for the admin script to realise the user is banned,
your fix for this is putting a 3 second wait time on people being able to click connect onto a server.
Many people use automated bots that grab game IPs, it uses the cookie of an account to send a join request to ROBLOX, it does not actually join the game, this means that a joinlogs
script would not be effective in stopping it (Which is why you will need a lobby game), with a lobby game in the way, all clients must manually connect.

However, let’s say you have your lobby game setup, you are being DDOSED, you will need to rely on your staff team to find the accounts that are being used to DDOS, this is usually done
through Joinlogs on an admin script, trial and error, you see a user frequently joining servers then leaving or a user who is ingame that you don’t recognise/trust every single time
you are being DDoSed, this is usually the account you need to ban at your lobby game.

If you have a lobby game something very advised is a script that will kick/ban users with newly created accounts (Around three months usually), this will make the attackers limited
in their supply of alternate accounts, eventually they will run out of them.

The best defence against DDOS is a staff team who can mark each account that joined using a join logs script, investigating each and every individual account. However without a lobby
game this is all futile. Another thing that can be done is if a server is being attacked and user pings spike to X amount (very high), you can teleport them all back to the lobby

1 Like
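The join-log review described in the forwarded message above (look for the account that is in the server, or joined and left shortly before, every time an attack starts) can be run over exported join logs. This is an added example, not code from the thread or from Roblox; the session tuple layout, the sample data, the trusted list and the 10-minute lookback are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample data: (user_id, server_id, joined, left) rows as a
# join-logs admin script might export them. Not real accounts or servers.
SESSIONS = [
    (900, "srv-A", ts("2021-04-17T18:04:00"), ts("2021-04-17T18:04:30")),
    (900, "srv-B", ts("2021-04-17T19:25:10"), ts("2021-04-17T19:25:40")),
    (900, "srv-C", ts("2021-04-18T17:01:00"), ts("2021-04-18T17:01:30")),
    (101, "srv-A", ts("2021-04-17T17:00:00"), ts("2021-04-17T18:30:00")),
    (101, "srv-B", ts("2021-04-17T19:00:00"), ts("2021-04-17T19:45:00")),
    (101, "srv-C", ts("2021-04-18T16:30:00"), ts("2021-04-18T17:20:00")),
    (202, "srv-A", ts("2021-04-17T17:50:00"), ts("2021-04-17T18:12:00")),
    (303, "srv-A", ts("2021-04-17T17:30:00"), ts("2021-04-17T18:11:00")),
    (303, "srv-B", ts("2021-04-17T19:00:00"), ts("2021-04-17T19:31:00")),
    (404, "srv-C", ts("2021-04-18T15:00:00"), ts("2021-04-18T15:30:00")),
]
# Constructed incidents: (server_id, time staff saw pings spike / server die).
INCIDENTS = [
    ("srv-A", ts("2021-04-17T18:10:00")),
    ("srv-B", ts("2021-04-17T19:30:00")),
    ("srv-C", ts("2021-04-18T17:05:00")),
]
TRUSTED = {101}  # staff / known regulars, excluded from the ranking

def rank_suspects(sessions, incidents, trusted=(),
                  lookback=timedelta(minutes=10), min_hits=2):
    """Return [(user_id, incidents_hit, total_seconds_played)], most suspicious first."""
    hits = defaultdict(set)
    played = defaultdict(float)
    for user, server, joined, left in sessions:
        played[user] += (left - joined).total_seconds()
        for idx, (inc_server, start) in enumerate(incidents):
            # Counts if the account was on the attacked server when the attack
            # began, or had left it no more than `lookback` earlier.
            if server == inc_server and joined <= start and left >= start - lookback:
                hits[user].add(idx)
    rows = [(u, len(h), played[u]) for u, h in hits.items()
            if u not in trusted and len(h) >= min_hits]
    # Most incidents first; among ties, the account that barely plays comes first.
    return sorted(rows, key=lambda r: (-r[1], r[2]))

if __name__ == "__main__":
    for user, n, secs in rank_suspects(SESSIONS, INCIDENTS, TRUSTED):
        print(f"user {user}: present at {n}/{len(INCIDENTS)} incidents, {secs:.0f}s played")
```

The output is a review queue for staff, not a ban list: a regular who happened to be online for two attacks (user 303 in the sample) still shows up, just below the account with 90 seconds of total play time.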

This is also the main way used in their bots that they create.

There is also another way with a script executor that gets them the IP address, not sure if they get the port. I don’t have the code to that.

I definitely agree there. They should offer more control for general PC specs, and maybe with packet sending rates, but just not control of the packets contents. I should’ve been more specific. The data in the packets is where vulnerabilities lie and that stuff shouldn’t be easily exposed.

But even if ROBLOX added HWID or CPU checks that could cut down on a bunch of these exploiters.

Also with Unity, Unreal and GameMaker this is all stand-alone game creation software. It would make sense that you have control of the servers since you’re in charge of hosting and setting it up. But that’s one of the (imo good) things that sets ROBLOX apart from other software.

I actually received the same identical information you said you received above. A lobby system greatly reduces your vulnerabilities and allows you to actually ban the accounts that do it (so they won’t be able to make it to the real game). They can use the join request (with a bot) to the game without joining with a real player the normal way, but if they do that and you have a lobby, they won’t be able to progress to the real servers populated with players if you design your lobby robust enough. The main issue with the lobby would be that you will still get the occasional alt that slips through (as the information we both received also states), so to mitigate this specific problem, you would have to rely on staff to identify and liquidate the threats. I suggest setting an account age limit to automatically block or even ban obviously newly created accounts to do at least some of the work automatically. These Bakyl family people most definitely have a tremendous cache of older alt accounts to avoid this, so in this case you would have to just ban them manually if you could identify them.

1 Like

That and the pre-established pod of whales… :eyes:

DDoSing a Roblox game server happens a lot more than you think and while I wouldn’t say it’s easy to do for the average person…

Just about anyone who has relative knowledge has the ability to completely make games unplayable due to constant attacks either for ransom, stifle out the competition, etc.

7 Likes

The “Bakyl” family is known to server/game crash other games for quite a while now. They force people to pay them or just simply ruin their game by server crashing their games until it has no players left. I suggest you make a game hub, add an age-restriction to your game, ban their group, and develop some sort of anticheat which checks for any remoteevent abuse

4 Likes

Following up, I would also like to input that the “Bakyl” family is well-known to DDoS other games and communities for various reasons. This isn’t the first time my community has had to deal with this mess, and although we ourselves weren’t the target of them we’ve had to mediate between their family and groups in our community.

For any practical solutions, a good and already well-suggested feature is a game hub system, other groups have also made a “whitelist” system which makes it so the player has to send a whitelist request in the game lobby to gain access to a whitelisted only server which you then approve or decline, this helps prevent DDoS attacks as only registered players (which would be a core of your trusted player base) and at least allows a certain group of players to continue playing unhindered. Anyone else can join a non-whitelisted server.

There isn’t a way to well “script” (to my knowledge) to stop DDOS attacks on your game, but you most likely have to get creative to protect your game and assets.

10 Likes

Fixing this aside, report them to ROBLOX. Contact the company directly or something as I am sure blackmailing via exploits is against ROBLOX ToS. And blackmail is against the law in most places.
If you wanna go all out, get law enforcement involved as this is a cyber crime.

1 Like

Roblox won’t do anything if the threats are made over off-site platforms like Discord.

2 Likes

Seriously? How come? Cause Discord IS a valid social link that ROBLOX allows, so I feel they should do something about this.

2 Likes

Maybe plug-ins? I’ve had a problem with a plugin that automatically injects a require script that leads to an obfuscated module script, even if I delete that backdoor when I test play it would automatically inject the script under a descendant again.

It’s not a back door, they are using a Method that disconnects the players.

2 Likes

Someone with more time and resources than myself should begin a comprehensive blacklist of all members of this DDOS-ing family or others like it. Each username/id should be rigorously checked and verified as an offender and added to an ongoing list. While they may have dozens, hundreds, or even thousands of accounts. The more public we make this and the more of them we take down the more we create a “Community\Neighborhood Watch” situation that helps pedal back their overall power.

1 Like

Reached out to you on discord, hope the HUB helps. Hopefully, it will solve the issue that you currently are having.

1 Like

I’m going to mark this as a solution for this following reason:

It has been determined that the best way to deter DDoS attacks for “smaller” game communities such as mine and @Vainvorhayn’s games is by making a “Game Hub” system. From there this prevents them from automatically joining your game via API bots and making their job to grab server IPs + attack them a lot more difficult.

I’ve spoken with @Vainvorhayn and we will be releasing the current Game Hub he has provided me with, as an open source sometime today. This is to help anybody with these issues in the future, until ROBLOX can find some sort of patch for this huge vulnerability.

Huge shoutout to @Vainvorhayn for helping, I make a good chunk of my income IRL off of ROBLOX; and he honestly helped save a lot of trouble for me. Thankful that people like him exist today, and are so quick to help.

6 Likes

You should note this isn’t a vulnerability and simply is how the internet works, regardless of every single solution you can think of, when connecting to a game, the IP is revealed, therefore there is no ‘actual’ solution to being directly targeted, your best bet is to simply, do as you said, and prevent automatic DDoSes, however this will of course only be a temporary fix.

Yeah but a HUB system still in itself is kind of not a really good solution. Small groups rely on both their group’s community as well as non-group members activity in the group’s game. If you were to do a HUB system then you’d need to whitelist players to have access to the actual games, and most players just want to play the game–they won’t come back to the game if they have to wait to be whitelisted.

There needs to be a way more permanent fix. Groups are dying from this petty era of ddos-attacks and something must be done before it may be too late.

1 Like

At this point I think that’s actually a violation of federal law.

But here’s what I know: crash scripts don’t crash servers very well unless they’re made for one game. Something in your game must have a memory leak. I would add a function to kick someone for too much client input.