How can I disable Network Connection Health tab for my game (ctrl+shift+f3)

Recently a game that I have been Head Developer for has been getting DDoS attacks, where the player checks the IP of the server using ctrl+shift+f3 to view it and then they crash it with a botnet. This is very harmful to the game as it has created a duplication glitch due to it (if you didn’t know, botnets lag a whole server). I was wondering if there was a way to turn off the Network Connection Health tab.

A solution I have already tried is kicking the player once they use any of the keys in a combination.
Code is pretty self-explanatory: when the key is down, the variable is set to true. It’s changed using InputBegan & InputEnded.

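	-- controldown, shiftdown and f_3_down are boolean flags toggled in the
	-- InputBegan / InputEnded handlers; any two-key combination triggers the kick.
	if (controldown and shiftdown and f_3_down) or (shiftdown and controldown) or (controldown and f_3_down) then
		players.LocalPlayer:Kick();
	end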

This code was not fast enough to combat the Network Connection Health appearing and showing the IP though.

We’ve contacted Roblox for protected servers but they just gave us a random message back asking for what browser we use & some random other stuff which is really strange because that is really unrelated… lol

Players look at this to see the IP of the server and then enter it into their program and crash the server.

If you have any guidance on what I can do, anything helps.

2 Likes

I’m sorry this is happening to you. DDoS is such a waste of everyone’s time and purely a mean thing to do.

I don’t think you can disable ctrl+shift+f3, and even if you can, it’s fairly easy to find the IP from other sources. Someone who knows how to launch a botnet attack will most likely find a workaround, even more eager to continue disturbing the game.

DoS and DDoS attacks are such a problem that they raised a lot of steam in the community. One of the pretty informative threads is this one:

https://devforum.roblox.com/t/ddosing-is-serious-problem-that-affects-new-creators/2427797

I definitely hope Roblox quickly installs more protected servers. Until then, I don’t see a lot of options.

You could technically limit access to verified users (problem: affecting player base). You could kick players and reroute them to protected servers (problem: possibly worse connection; people driven away because of the kick). There are also some not particularly reliable methods to detect alts based on timezone stamps. And you can restrict minimal account age (problem: affects player base, obviously not completely effective).

I would start by preventing duplication because of race conditions and so on, by utilizing session locking (look at ProfileService as a thoroughly tested example) and cooldowns/debounces/rate limiters in game.

Even if the DDoS is launched, the foremost important thing is to prevent anything that would represent a gain for attackers other than lag.

I agree with you, people have better things to do than DDOS a game purely looking for something they can abuse. This has happened to me before but has never been a cause of concern, until today where they found a way to abuse it by duping in-between the time the server has lagged.

I can understand that Roblox may have a tight budget for how many protected servers they can put up due to cost saving measures because of the price of everything. But, what I can’t imagine is why would they make the IP viewable in the first place, for anyone to see? I understand the Network Connection Health tab isn’t the only place to find it.

In my case, it’s my Trading System they abuse. They send a trade, accept it and then boot the server offline. Then they join a different server, and their data should still be there (what they sent) and the player they traded should have the value.

I will look into session locking.

1 Like

Condolences. You are correct, your best bet is to get a protected server.

A member of staff messaged me after seeing my thread (though it took like a week), so maybe you’ll have luck in that regard.

2 Likes

So annoying. I’m questioning what would happen if Roblox actually managed to find the DDoS-er and start legal action lol. Considering we’re technically talking about a felony.

Idk why IP is viewable. It’s useful info, but makes abuse easier. Although players will unavoidably know at least one IP address (in the chain, if there was one) in order to connect.

And yes, I really suggest session locking. It was born from the problem that communication with data storages has certain rate limits, so with thoughtful dropping of the items, quick leaving and rejoining between saves, they could manage to exploit the race condition for duplication.

So the idea is to lock the session to the current server and keep track of the JobId of the server that is currently handling the data, having other servers not touch the data until session is released. Which effectively prevents data store communication conflicts between different servers.

In a similar fashion you can most likely battle the lag exploits. Timestamps and cooldowns come into play as well.
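
The session-locking idea described above, as an added sketch in plain Lua (not code from this thread and not ProfileService's implementation). `MockStore`, `acquire`, `save` and `LOCK_TTL` are hypothetical names; the in-memory store stands in for a data store with an atomic read-modify-write, which on Roblox would be `UpdateAsync`, with `game.JobId` as the server identifier.

```lua
local LOCK_TTL = 120 -- assumed: seconds after which a silent server's lock is stale

-- Stand-in for a data store whose update is an atomic read-modify-write.
local MockStore = { data = {} }
function MockStore:update(key, transform)
	local new = transform(self.data[key])
	if new ~= nil then self.data[key] = new end -- nil aborts: nothing is written
	return new
end

-- Claim the profile for this server. Returns the profile, or nil if locked.
local function acquire(store, key, jobId, now)
	return store:update(key, function(profile)
		profile = profile or { items = {}, lock = nil }
		local lock = profile.lock
		if lock and lock.jobId ~= jobId and now - lock.at < LOCK_TTL then
			return nil -- another live server owns the session: do not load
		end
		profile.lock = { jobId = jobId, at = now }
		return profile
	end)
end

-- Write only while this server still holds the lock; optionally release it.
local function save(store, key, jobId, now, items, release)
	return store:update(key, function(profile)
		if not profile or not profile.lock or profile.lock.jobId ~= jobId then
			return nil -- lock lost: refuse to overwrite newer data
		end
		profile.items = items
		profile.lock = (not release) and { jobId = jobId, at = now } or nil
		return profile
	end)
end

-- Constructed scenario: server A stalls under load, the player hops to server B.
assert(acquire(MockStore, "Player_1", "job-A", 0))
assert(acquire(MockStore, "Player_1", "job-B", 30) == nil) -- A's lock still live
assert(acquire(MockStore, "Player_1", "job-B", 200))       -- stale lock taken over
assert(save(MockStore, "Player_1", "job-A", 210, { "sword" }) == nil) -- late write refused
assert(save(MockStore, "Player_1", "job-B", 220, {}, true)) -- B saves and releases
print("stale server could not overwrite the session")
```

The refused write from `job-A` is the point: a server that was knocked out mid-trade cannot later save its old copy of the inventory over the one the new server is handling.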

There is no single person or even group doing this, the strategy involved in taking down the server is easy enough that many people have developed their own software, commencing legal action on each individual would be impossible.

1 Like

Bad actors could easily figure it out, with a network inspector such as Wireshark anyway.
Removing it wouldn’t do any good.

1 Like

Honestly, I don’t know why anyone would commit a felony just to get some extra virtual currency. Thank you for elaborating on session locking as I wasn’t too sure on how it worked at first. I will definitely implement it. Also, I already have a randomized timer in-between giving the players the items from the trade but this does nothing to help prevent the dupe from happening.

1 Like

Yeah, in this case I knew that making Network Connection Health unviewable would not be a great option as other methods are available to find the IP. My aim was just to add an extra level of protection against DDOSing so maybe it could stop the less knowledgeable people doing it.

Yeah, I know, other sources. Sadly I’m now thinking it wouldn’t stop the skiddies either because someone would make a tutorial on alternative IP viewers.

Let’s hope Roblox makes the job harder with even more UDMUX servers. And maybe raise the electricity bills of the attackers that way :joy:

1 Like

I managed to fix duping for my games by using a Queue (for any action regarding the inventory). Perhaps it would help you as well?

2 Likes

I read through your thread and I don’t think that it would help in my case.