How to start with anti-cheat?

Ok so I know this has been asked a lot, and I did do my research, but to be honest I feel like the more research I do the more lost I get. Even if I find something, it's either old (using deprecated methods) or half if not most of the comments are arguing about things I have no idea what they mean lol, and most of them say you shouldn’t do this while others say you should, so it gets overwhelming and I end up not knowing where to start.

So what I want to know is:

  • What are the most important general anti-cheats that need to be added?
  • What are handshakes and how do I add that?
  • Any other important ones that I need to know about?

I know every game is different so all anti-cheats will be different, but I’m generalizing here to get the full picture. So things like magnitude checks, that’s not hard to add, it's just the more research the more you find things that can be exploited, and a lot of people won't say them here or how to deal with them so it doesn't get leaked or something.

Thanks, sorry if this question is repetitive :)

1 Like

Yeah when it comes to this topic people tend to put their feelings over truth. I used Synapse X since 2017. I have all the answers for you.

None. Performance, Quality, and Design win. But if you need any at all… refine it down to server-sided checks that do NOT rely on remote events. If your game’s objective is to race to the finish line… if the lowest time to complete the race is 2 seconds… then anything faster than 2 seconds should cause the client to be kicked or their rewards and ranking from the race forfeited. Anything else is just rubbish (handshakes not needed as they are bypassable by an exploiter listening to the client event and disabling it and then creating their own to exploit the game) and this is a rabbit hole that you will not win. Exploiters have the upper hand. PC exploits came back to life in the recent months. Good luck!

1 Like

Sanity checks are super important.

Handshakes are basically the client communicating with the server that something still exists. Encrypting the traffic (like using ChaCha20 or similar) can make it more difficult for exploiters to do stuff, but this is also bypassable.

Generally anticheats have to be good in terms of performance and not falsely detecting people. If somebody gets to the end/checkpoint of a game in a very fast time that is impossible, kick, erase data or ban the player.

You could make client anticheats, however that is completely bypassable; you can make it detect noob exploiters tho. You can make it slightly harder for noob exploiters via putting a LocalScript in ReplicatedFirst inside of an Actor instance, then hiding it from the environment and setting the LocalScript and Actor to nil, but if the exploit runs before ReplicatedFirst, they can prevent this via preventing it from running or using run_on_actor, so generally secure the server.

2 Likes
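The server-side checks described in the two replies above (a minimum finish time and a magnitude check), as an added example that is not part of the thread and not any poster's code. It is written in Luau for a server Script; the part names `StartLine` and `FinishLine` and every constant except the 2-second minimum are assumptions.

```lua
-- Added example, not from the thread. Server Script; part names and constants are assumed.
local Players = game:GetService("Players")
local MIN_RACE_TIME = 2    -- seconds: the fastest legitimate finish, as in the reply above
local MAX_SPEED = 60       -- studs/second of horizontal travel tolerated (assumed)
local SLACK = 5            -- studs of tolerance for lag (assumed)
local CHECK_INTERVAL = 0.5 -- seconds between position checks, to keep the cost low
local raceStart = {}       -- [Player] = os.clock() when the server saw them start
local lastGood = {}        -- [Player] = { root = BasePart, pos = Vector3 }

local function playerFromHit(hit)
	return hit.Parent and Players:GetPlayerFromCharacter(hit.Parent)
end

-- Timing comes from the server's own clock, never from a client-sent value.
workspace:WaitForChild("StartLine").Touched:Connect(function(hit)
	local player = playerFromHit(hit)
	if player then raceStart[player] = os.clock() end
end)

workspace:WaitForChild("FinishLine").Touched:Connect(function(hit)
	local player = playerFromHit(hit)
	local started = player and raceStart[player]
	if not started then return end -- never crossed the start line: no result
	raceStart[player] = nil
	if os.clock() - started < MIN_RACE_TIME then
		player:Kick("Impossible race time") -- or forfeit the reward and ranking
		return
	end
end)
Players.PlayerRemoving:Connect(function(p) raceStart[p], lastGood[p] = nil, nil end)

-- Magnitude check on horizontal travel only (falling is ignored); code that
-- teleports a player legitimately must reset lastGood[player] itself.
while true do
	local dt = task.wait(CHECK_INTERVAL)
	for _, player in Players:GetPlayers() do
		local root = player.Character and player.Character:FindFirstChild("HumanoidRootPart")
		local good = lastGood[player]
		if root and good and good.root == root then
			local moved = ((root.Position - good.pos) * Vector3.new(1, 0, 1)).Magnitude
			if moved > MAX_SPEED * dt + SLACK then
				root.CFrame = root.CFrame.Rotation + good.pos -- snap back, do not kick
			else
				good.pos = root.Position
			end
		elseif root then
			lastGood[player] = { root = root, pos = root.Position } -- new character
		end
	end
end
```

Snapping back instead of kicking on the magnitude check keeps a lag spike from costing an honest player their session, while the finish-time check can afford to be strict because its threshold is a known impossible value.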

Thanks, I think it makes sense what u said cuz honestly even AAA games suffer from it. In my opinion I feel like it's exactly the way u said it, you can never win against them and I might be just overcomplicating it from the stuff I saw lol. Thanks though, I will just do my best to make the quality and design it well.

1 Like

1000% and I feel a lot of empathy for you because I’ve been in the same boat and I’ve been down this rabbit hole many times. There are really funny ways you can ruin the exploiter’s life, and if ever your game becomes famous I recommend looking into how to completely force the game’s movement, humanoid properties (WalkSpeed, JumpPower, etc.) and physics to be on the server. It will eat your performance and convert your game to a laggy version of it, but it will serve as a punishment for the existence of exploiters, and once it subsides you could just swap back to your original version. It’s a genius move really and there’s hardly any stress or time wasting involved because the scripts themselves are easy to make, just that they will definitely generate lag. Chickynoid is a good example of this. Check it out here: Chickynoid, server authoritative character replacement

1 Like

Cheats are mostly applied from the client to the server. For this to work, you’ll need to disable LoadStringEnabled in the ServerScriptService and HTTP requests.