How to deal with alts?

I have a fair share of knowledge when it comes to dealing with exploiters but they always come back with alts. This is the one killer move they keep pulling on me. I can ban them, use anti-exploit scripts, but I just can’t seem to stop banning them as they keep coming back. This was a problem in the old days, so I decided to check in to see if new technologies were built that can combat this.

4 Likes

Well of course you will always have to battle their old alt accounts, but if they keep coming back on newer accounts you can make a script that kicks players if their account isn’t, say, 20 days old.

2 Likes

Would that eliminate some innocent audience too?

2 Likes

You can try to ban alts and exploiters, but it’s a losing battle. As much as it sucks, you need to audit your own code. You need to think in the perspective of the exploiter: “What can I run on the client that leverages their own code against them?”

Patch up the holes where your local scripts make calls to the server and they’ll have to work harder to try and exploit the game.

2 Likes

Yes it would, unfortunately. There is no REAL way to ban all alt accounts.

Should I create a decoy badge that only exploiters can access, therefore banning everyone who obtains the badge?

1 Like

Unfortunately there isn’t any (developer) method for you to see if someone is an alt of someone you banned or not. However, if this is a serious problem in your game my best piece of advice would be to separate new players from the rest of the players from your game for some amount of time, so either having an hour long tutorial area, putting new accounts in a separate server for a certain amount of time, or not even banning the exploiters but putting them in their own server so they can exploit each other.

The biggest issue with the first 2 points is weighing the cost (to the player) of not being in the main game for a certain amount of time so they don’t get bored and quit, while also making said time long enough to delay exploiters enough so that they eventually get bored.

2 Likes

In this case, I like to describe the issue as a “surface issue”.

Your surface issue is that you have exploiters obtaining a badge they shouldn’t be able to get (I am assuming this based on the context of the message.) Let’s walk through what happens if you take the approach of a fake badge:

  • The exploiter gets the fake badge and is suddenly banned.
  • The exploiter immediately knows something is up and goes to check on their alt which badge they were awarded and how they were awarded it.
  • They bypass the issue by not awarding themselves it.

Thus, this will not solve the problem. Your root cause here is that the exploiter is able to circumvent your code to award themselves the badge. This is why I mentioned you need to audit your own code.

I know these might seem basic, but ask yourself these questions:

  • What is the client allowed to do?
  • Is my server script handling the awarding of badges?
  • How does my client script request the badge be awarded?

2 Likes

I put all the important stuff in the serverside code, do not trust the client. I get it. The problem is, I can’t beat the exploiter through computing power, some of them use steroid hack clients that cost hundreds of bucks, idk, seen a YouTube video on it, I was just looking for some psychological ways to outsmart exploiters. For example, maybe ban anyone who is not touching the floor for more than 6 seconds?

RIP the players that take a few seconds to fall into the void and then the respawn time of 5 seconds.

I made it so that you can’t fall into the void. But that brings up a good point, maybe laggy players will also get sacrificed.

Everyone has issues with exploiters, especially in more serious type games where fair-play is a necessity. It’s not good to work with a ban list since like you say, they can just make alts and figure out how to not get caught next time.

I don’t know what types of exploits you are experiencing (speed hacks, flying, no clip, or one specific to your game) but the way you deal with each one of those depends on your game. If players are naturally moving around pretty quick, you don’t want to regulate speed too harshly; if your game has collisions/players get flung pretty easily, flying is harder to deal with.

I’m just speaking from what I’ve seen; I haven’t released a full-fledged game that tries to battle exploiters so perhaps others with experience can give you an idea for how difficult it would be to deal with this (although I imagine most of the responses are going to be “do server-sided validation”)

You aren’t going to win by playing the psychological game. It’s also easy to think that “well, it’s in a server script, it’s safe!” That is not necessarily the case. If they can get from the client to the server from any one of your scripts, it’s game over and they can do whatever they want.

Please trust me when I say that you need to take a very close look at your scripts. Are you making sure that:

  • The client only sends a request of “can I have X?”
  • The server validates every possible input to X
    • That the inputs to X cannot be manipulated in a malicious manner through other scripts
  • The server never sends anything to the client other than what is absolutely necessary, and no more?

From the looks of your reply post though, you seem to be dealing with Humanoids, which are a pain to deal with because they replicate across the client/server boundary willingly. If that’s the case, you’ll need to do some sort of positional validation on the server. You can’t rely on bricks as a client can delete those–you’ll want to think about Region3s where people can’t normally go.
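One way to do the server-side positional check described above, as an added example that is not part of the original thread. It uses plain min/max boxes held in a server script instead of Region3 objects or parts, and counts strikes before respawning so that a laggy or flung player is not punished on a single sample; the zone coordinates and thresholds are constructed.

```lua
-- Server Script (e.g. in ServerScriptService). Added example, not from the thread.
local Players = game:GetService("Players")

-- Axis-aligned volumes defined only on the server, so there is no brick a client can delete.
local FORBIDDEN_ZONES = { -- constructed sample coordinates
	{ min = Vector3.new(-50, 200, -50), max = Vector3.new(50, 400, 50) }, -- high above the map
}
local CHECK_INTERVAL = 0.5       -- seconds between samples (assumption)
local STRIKES_BEFORE_ACTION = 3  -- consecutive hits required before acting (assumption)

local strikes = {} -- UserId -> consecutive samples inside a forbidden zone

local function inZone(pos, zone)
	return pos.X >= zone.min.X and pos.X <= zone.max.X
		and pos.Y >= zone.min.Y and pos.Y <= zone.max.Y
		and pos.Z >= zone.min.Z and pos.Z <= zone.max.Z
end

local function isForbidden(pos)
	for _, zone in ipairs(FORBIDDEN_ZONES) do
		if inZone(pos, zone) then return true end
	end
	return false
end

Players.PlayerRemoving:Connect(function(player)
	strikes[player.UserId] = nil
end)

while true do
	task.wait(CHECK_INTERVAL)
	for _, player in ipairs(Players:GetPlayers()) do
		local character = player.Character
		local root = character and character:FindFirstChild("HumanoidRootPart")
		if root then
			local id = player.UserId
			if isForbidden(root.Position) then
				strikes[id] = (strikes[id] or 0) + 1
				if strikes[id] >= STRIKES_BEFORE_ACTION then
					strikes[id] = 0
					player:LoadCharacter() -- respawn instead of banning on a heuristic
				end
			else
				strikes[id] = 0 -- a single bad sample is forgiven
			end
		end
	end
end
```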

I know there has been a long going war between devs and exploiters, and just like the cold war, each side keeps on upgrading. I’ve eliminated many exploiters, who probably saw something on YouTube, but there are some serious hackers out there. I know they know what to do, so I am seeking a different approach in trying to stop them.

Say the exploiter makes a purchase from client to server:

  • The client wants XYZ.
  • The server receives the update and validates XYZ for the amount ABC.
  • If the condition is met, XYZ is granted. (serverside)

In this simple example, will this be the right thing to do?
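The purchase flow outlined above, written out as an added example that is not part of the original thread: the client sends only an item id, and the server owns the price, the balance and the inventory. The remote name `PurchaseRequest`, the catalog contents and the in-memory tables are hypothetical; a real game would load and save this state through its own data layer.

```lua
-- Server Script (e.g. in ServerScriptService). Added example, not from the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Hypothetical RemoteFunction; the client calls it with an item id and nothing else.
local purchaseRequest = Instance.new("RemoteFunction")
purchaseRequest.Name = "PurchaseRequest"
purchaseRequest.Parent = ReplicatedStorage

-- Prices live on the server only; the client never supplies a price or an amount.
local CATALOG = { Sword = 100, Shield = 250 } -- constructed sample data

-- Server-owned state keyed by UserId, kept out of anything the client can write to.
local coins, owned, lastRequest = {}, {}, {}

Players.PlayerAdded:Connect(function(player)
	coins[player.UserId] = 0 -- placeholder; load the saved balance here
	owned[player.UserId] = {}
end)
Players.PlayerRemoving:Connect(function(player)
	local id = player.UserId
	coins[id], owned[id], lastRequest[id] = nil, nil, nil
end)

purchaseRequest.OnServerInvoke = function(player, itemId)
	local id = player.UserId
	-- 1. A client can send any value of any type, so check the type first.
	if typeof(itemId) ~= "string" then return false, "bad request" end
	-- 2. Rate-limit so the remote cannot be spammed.
	local now = os.clock()
	if lastRequest[id] and now - lastRequest[id] < 0.5 then return false, "too fast" end
	lastRequest[id] = now
	-- 3. Look up the price on the server; unknown ids are rejected.
	local price = CATALOG[itemId]
	if not price then return false, "unknown item" end
	local inventory, balance = owned[id], coins[id]
	if not inventory or not balance then return false, "not loaded" end
	if inventory[itemId] then return false, "already owned" end
	if balance < price then return false, "insufficient funds" end
	-- 4. Only now mutate state, and only on the server.
	coins[id] = balance - price
	inventory[itemId] = true
	return true, itemId
end
```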

Seeing as there is no way to prevent alt accounts except using the IPs which isn’t a good idea. The only way as @Sharkyia said was accounts for example over 20 days. With that said banning users and they keep coming back really can’t be controlled by the Devs. When that sort of stuff occurs like using IP bans by the Devs they get banned. Your best option in my opinion is try and use / make an anti cheat so it at least makes it harder.

1 Like

I think that it’s against Roblox Terms of Service to limit the users that enter your game by kicking them due to their account age. Bloxton Hotels (1M+) made an announcement talking about why they don’t limit it, and one of the principal reasons was because Roblox itself doesn’t allow that, as written in the Terms of Service.

Note: maybe I’m saying something totally wrong, pardon me if I am saying something dumb!

I just searched terms of use / service and found nothing against it, but maybe I overlooked it or something. Not sure.

You can’t prevent alts so trying to deal with them isn’t realistically a good thing to do. Try to stop what they are doing in the first place with their alts from there.

You’re seriously at a disadvantage if they’re doing something game breaking easily so go for fixing things that are significant that they could do again with an alt.

You should ask the creator of lets party gear testing (made by foxbin) how he prevents alts. His script doesn’t only look at the age of the account, it actually finds alts, cuz I tested my alts on it and only my main was able to play.

Edit: also, if I remember correctly, when someone gets banned from the game for cheating a webhook is fired with their “hashed ip”