Maybe you can try to make the server send its own IP to your remote server.
Yeah, that's what I'm going to do, but then I need to check if that IP is legit and is actually coming from Roblox.
You may want to check this out:
https://devforum.roblox.com/t/roblox-gameserver-ip-address-range/86669
Roblox rents servers out, this isn’t reliable.
What if instead of checking the IP address, you verify the unique game id which each instance of a place has and gets generated when a session starts?
I found this response in a similar thread.
Here’s an example of a response from this API from a game which (at the time of posting this) has a few sessions running. Each instance of the game is stored in the collections array, each with a unique guid.
This would not be an effective security method - the JobId is visible to the client as well.
All they’d have to do is check your games running JobIds via an easily accessible web API.
The reason the IP method might be slightly more reliable is because specific IP spoofing is far more challenging to do effectively.
It would probably be an easier solution because the client could also easily get the server’s IP address by checking their own network traffic. But you are correct in that spoofing the IP would make the task more difficult.
However, when the data is being passed to the server for authentication, it should also be passed alongside some form of authentication token (time based authentication would be even better) because this means that it doesn’t matter much what data is used (whether it is an IP address or a guid) as it is getting authenticated regardless, similar to how various API services handle API tokens.
Checking the server's IP will be far more secure and reliable. I will also make it so that each server sends an initial request to get a private key. This way each server can only get the private key once.
It wouldn’t really be a solution - it’s far easier to bypass (literally, make an API request) - likewise, what the user is looking for is a way to ensure basic integrity for the sender of requests, which I’m pretty sure would fall out of scope of a TOTP system.
@grilme99 You could probably ask Froast for the API Endpoint (if it hasn’t been deleted). I personally don’t see much merit in this particular form of authentication. Honestly, unless you’re worried about your game being hijacked and someone analysing network traffic, a (long) shared key like @ScriptedForum is suggesting would be apt.
Can you provide more information into your use case / exact requirements? This would help us give you a better answer as we’re all sort of puzzling this one out.
Sure! I’m creating a website that makes creating services on Roblox far easier. I’m currently working on a replacement for third party modules. I want the replacement to provide authentication. Only certain games can use your private script. Verifying the request is from Roblox will mean that the place id that also comes with the request will be real.
Ah right - I can see why you’d like to do this
IP spoofing is possible, although fairly easy to restrict to just the most dedicated hackers - keep this in mind. @Froast do you have any input here?
I’d also like to add on. Spoofing the IP shouldn’t be possible. Every new server will send an initial request as soon as it starts and receives a private key. The private key is required for all requests after that.
This means that if someone were to disguise as the server they wouldn’t be able to send a request because that server has already sent the initial request and the attacker wouldn’t know the private key.
This is actually remarkably smart. However, you’re relying on Roblox updating IPs quick enough - they cache stuff pretty intensely.
Each server will have its own IP and port. That shouldn't be an issue.
Eh? I don’t think you understand my meaning.
If your server starts before Roblox updates its cache, then the initial server request will be declined. It can take a while (sometimes up to 3 mins) for Roblox to update the cache.
That doesn’t make sense. If that were the case then how can clients connect to a new server?
I was tagged on this thread by @wevetments referencing an old thread I made.
My latest information regarding this topic is here: https://developer.polymatic.co/t/verifying-roblox-server-connections/27/2
As already mentioned in this thread, Roblox relies on third-party hosting companies. The above information is all the AS numbers assigned to all Roblox third-party hosts. You can use public APIs such as https://ipinfo.io to return information for an IP address and check the AS number.
Edit: To add more information - for anyone who needs it - the Roblox server also sends a “Roblox-Id” header which is the placeId. Just thought I’d also throw that in for anyone who has a use for it. (:
Hopefully this is helpful to someone
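Putting the two ideas from this thread together, the one-time private key handed out on a server's first request (described a few posts up) and the AS-number gate from this post, as an added Python sketch that is not code from any poster; the allowed AS numbers, JobIds and IP addresses are constructed placeholders, and the `org` field format is what ipinfo.io returns.

```python
import hashlib
import hmac
import secrets
import time

# Constructed placeholder: the real list of Roblox host AS numbers lives in the
# thread linked above, not on this page.
ALLOWED_ASNS = {"AS64496", "AS64497"}


def asn_from_ipinfo(org_field):
    """ipinfo.io reports the AS in its 'org' field as 'AS15169 Google LLC'."""
    return org_field.split(" ", 1)[0] if org_field.startswith("AS") else None


class ServerKeyIssuer:
    """One secret per game server instance (JobId), issued on first contact only."""

    def __init__(self, allowed_asns=ALLOWED_ASNS, max_skew=30):
        self._keys = {}  # job_id -> (secret, source_ip)
        self._allowed_asns = allowed_asns
        self._max_skew = max_skew  # seconds a request timestamp may be off

    def register(self, job_id, source_ip, org_field):
        """Initial request: gate on the host's AS, then hand out a key exactly once."""
        if asn_from_ipinfo(org_field) not in self._allowed_asns:
            return None
        if job_id in self._keys:
            return None  # already claimed, so a later claimant is refused
        secret = secrets.token_hex(32)
        self._keys[job_id] = (secret, source_ip)
        return secret

    @staticmethod
    def sign(secret, job_id, timestamp, body):
        msg = f"{job_id}|{timestamp}|{body}".encode()
        return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()

    def verify(self, job_id, source_ip, timestamp, body, signature, now=None):
        """Later request: same IP as at registration, fresh timestamp, valid MAC."""
        entry = self._keys.get(job_id)
        if entry is None or entry[1] != source_ip:
            return False
        now = time.time() if now is None else now
        if abs(now - timestamp) > self._max_skew:
            return False
        expected = self.sign(entry[0], job_id, timestamp, body)
        return hmac.compare_digest(expected, signature)
```

The timestamp in the signed message is the time-based element suggested earlier in the thread: it limits how long a captured request stays replayable.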
I worked out how to do it. I won’t give any source code, but I can explain how it was done.
There is an endpoint for joining a Roblox game (which I won’t give out, find it yourself). If you send a request to that (making sure you are authenticated with a .ROBLOXSECURITY cookie and all your headers setup, see below) you will get a response with not much in it. This bit is a little weird (I’m not sure why it works like this), but if it is a normal player owned place then you must send two requests to the endpoint, and three if it is a group game.
On your second or third request (depending if it is group or player owned), there will be a response with a bit more info. In the response, there will be joinScriptUrl. Send a GET request to this and you will receive all sorts of juicy info, like the server IP and port.
Using the IP returned from the Roblox API, I am able to compare that to the IP that made the request and then issue a private key.
The method you described for getting a Roblox server IP sounds like one for getting a random IP. How are you using that Roblox API to verify the specific IP of an existing game server? Or are you requiring that all new servers be started via this method?
I find this project really interesting and would like to know more, please contact me on Discord: tonumber#0001