I definitely agree there. They should offer more control for general PC specs, and maybe with packet sending rates, but just not control of the packets contents. I should’ve been more specific. The data in the packets is where vulnerabilities lie and that stuff shouldn’t be easily exposed.
But even if ROBLOX added HWID or CPU checks that could cut down on a bunch of these exploiters.
Also, Unity, Unreal and GameMaker are all stand-alone game creation software. It would make sense that you have control of the servers since you’re in charge of hosting and setting it up. But that’s one of the (imo good) things that sets ROBLOX apart from other software.
I actually received the same identical information you said you received above. A lobby system greatly reduces your vulnerabilities and allows you to actually ban the accounts that do it (so they won’t be able to make it to the real game). They can use the join request (with a bot) to the game without joining with a real player the normal way, but if they do that and you have a lobby, they won’t be able to progress to the real servers populated with players if you design your lobby robustly enough. The main issue with the lobby would be that you will still get the occasional alt that slips through (as the information we both received also states), so to mitigate this specific problem, you would have to rely on staff to identify and liquidate the threats. I suggest setting an account age limit to automatically block or even ban obviously newly created accounts to do at least some of the work automatically. These Bakyl family people most definitely have a tremendous cache of older alt accounts to avoid this, so in this case you would have to just ban them manually if you could identify them.
DDoSing a Roblox game server happens a lot more than you think and while I wouldn’t say it’s easy to do for the average person…
Just about anyone who has relative knowledge has the ability to completely make games unplayable due to constant attacks, either for ransom, to stifle the competition, etc.
The “Bakyl” family has been known to server/game crash other games for quite a while now. They force people to pay them or just simply ruin their game by server crashing their games until it has no players left. I suggest you make a game hub, add an age-restriction to your game, ban their group, and develop some sort of anticheat which checks for any remoteevent abuse.
Following up, I would also like to input that the “Bakyl” family is well-known to DDoS other games and communities for various reasons. This isn’t the first time my community has had to deal with this mess, and although we ourselves weren’t the target of them we’ve had to mediate between their family and groups in our community.
For any practical solutions, a good and already well-suggested feature is a game hub system. Other groups have also made a “whitelist” system which makes it so the player has to send a whitelist request in the game lobby to gain access to a whitelisted-only server, which you then approve or decline. This helps prevent DDoS attacks as only registered players (which would be a core of your trusted player base) can join, and at least allows a certain group of players to continue playing unhindered. Anyone else can join a non-whitelisted server.
There isn’t a way to, well, “script” (to my knowledge) to stop DDOS attacks on your game, but you most likely have to get creative to protect your game and assets.
Fixing this aside, report them to ROBLOX. Contact the company directly or something as I am sure blackmailing via exploits is against ROBLOX ToS. And blackmail is against the law in most places.
If you wanna go all out, get law enforcement involved as this is a cyber crime.
Maybe plug-ins? I’ve had a problem with a plugin that automatically injects a require script that leads to an obfuscated module script; even if I delete that backdoor, when I test play it would automatically inject the script under a descendant again.
Someone with more time and resources than myself should begin a comprehensive blacklist of all members of this DDOS-ing family or others like it. Each username/id should be rigorously checked and verified as an offender and added to an ongoing list. While they may have dozens, hundreds, or even thousands of accounts, the more public we make this and the more of them we take down, the more we create a “Community/Neighborhood Watch” situation that helps pedal back their overall power.
I’m going to mark this as a solution for this following reason:
It has been determined that the best way to deter DDoS attacks for “smaller” game communities such as mine and @Vainvorhayn’s games is by making a “Game Hub” system. From there this prevents them from automatically joining your game via API bots and makes their job of grabbing server IPs and attacking them a lot more difficult.
I’ve spoken with @Vainvorhayn and we will be releasing the current Game Hub he has provided me with as open source sometime today. This is to help anybody with these issues in the future, until ROBLOX can find some sort of patch for this huge vulnerability.
Huge shoutout to @Vainvorhayn for helping, I make a good chunk of my income IRL off of ROBLOX; and he honestly helped save a lot of trouble for me. Thankful that people like him exist today, and are so quick to help.
You should note this isn’t a vulnerability and is simply how the internet works. Regardless of every single solution you can think of, when connecting to a game, the IP is revealed, therefore there is no ‘actual’ solution to being directly targeted. Your best bet is to simply do as you said and prevent automatic DDoSes; however, this will of course only be a temporary fix.
Yeah but a HUB system still in itself is kind of not a really good solution. Small groups rely on both their group’s community as well as non-group members activity in the group’s game. If you were to do a HUB system then you’d need to whitelist players to have access to the actual games, and most players just want to play the game–they won’t come back to the game if they have to wait to be whitelisted.
There needs to be a way more permanent fix. Groups are dying from this petty era of DDoS attacks and something must be done before it may be too late.
At this point I think that’s actually a violation of federal law.
But here’s what I know: crash scripts don’t crash servers very well unless they’re made for one game. Something in your game must have a memory leak. I would add a function to kick someone for too much client input.
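An added example, not code from any post in this thread, of the two server-side checks suggested above (an account age gate, and kicking a player for too much client input / RemoteEvent abuse) as a Roblox server Script in Luau. The RemoteEvent name "PlayerAction", the 30-day age threshold and the 20-fires-per-second limit are assumed values; these checks only limit abuse through the game’s own remotes and new-account bots, they do not stop a network-layer flood aimed at the server’s IP.

```lua
-- Added example (not from the thread). Place as a Script in ServerScriptService.
-- Assumes a RemoteEvent named "PlayerAction" exists in ReplicatedStorage.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local MIN_ACCOUNT_AGE_DAYS = 30   -- assumed threshold (Player.AccountAge is in days)
local MAX_FIRES_PER_WINDOW = 20   -- assumed per-player limit
local WINDOW_SECONDS = 1          -- sliding window length for the limit above

local remote = ReplicatedStorage:WaitForChild("PlayerAction")
local fireLog = {}  -- player -> { count = n, windowStart = t }

-- Account age gate: reject obviously fresh accounts before they reach gameplay.
Players.PlayerAdded:Connect(function(player)
	if player.AccountAge < MIN_ACCOUNT_AGE_DAYS then
		player:Kick(("Accounts must be at least %d days old to join this server."):format(MIN_ACCOUNT_AGE_DAYS))
		return
	end
	fireLog[player] = { count = 0, windowStart = os.clock() }
end)

-- Drop the tracking entry so the table does not grow with departed players.
Players.PlayerRemoving:Connect(function(player)
	fireLog[player] = nil
end)

-- Per-player rate limit on the remote: too many fires in one window means a kick.
remote.OnServerEvent:Connect(function(player, ...)
	local entry = fireLog[player]
	if not entry then
		return -- fired before the join handler ran, or by a kicked player; ignore
	end
	local now = os.clock()
	if now - entry.windowStart >= WINDOW_SECONDS then
		entry.count = 0
		entry.windowStart = now
	end
	entry.count += 1
	if entry.count > MAX_FIRES_PER_WINDOW then
		warn(("RemoteEvent rate limit exceeded by %s (%d); kicking"):format(player.Name, player.UserId))
		player:Kick("Too many requests.")
		return
	end
	-- handle the legitimate request here, validating every argument server-side
end)
```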
There’s actually a method out there which doesn’t require a bot of some kind.
The one I am referring to can be run from a Lua script directly in the client via a (you know what), such as (you know what X).
From what I know, wink wink, it’s actually quite a simple thing to pull off, it just takes some knowledge of how the client can interact with RakNet without having to go via the server in some sense.
As a result of it using something that requires the LocalUserSecurity context level, it’s, to a degree, impossible to prevent.
Although RakNet is, and has been since day one, required for Roblox games to be playable from the client, it can also be used against you as a developer, if someone knows what they are doing and can utilize RakNet to abuse the network stack.
I’m outright upset. I’m having trouble understanding Roblox’s motivation towards this lack of a server anti-cheat, as well as any networking protection. This company, which made just over 920 million dollars in 2020 and is only spending 320 million dollars in expenses, should at least be able to provide some sort of protection against a DDOS attack. It’s been 13 years since they opened and they have been running this like a corrupt oligarchy, where updates only serve those with a following.