How to stop exploiters from spamming remote events?

so I have some ability’s I have made and they all use remote Events
and I’m aware that exploiters can spam them I’ve looked on the dev forum but I don’t really understand and I just started scripting a month ago so this is new to me.
Help would be much apricated!

4 Likes

make a system that uses disables scripts, for example in a script instead of firing a remote event make it clone a disabled script that has the function needed and then enable it, once the job is done make the script delete itself.

1 Like

For a simple prevent spam method you can use a server side remote flood check or rate limiter.

1 Like

I mean if you can, adding cooldowns in the server script might be helpful. (I’m assuming that the remote event is client to server, if not let me know!)

Doing something like

local db = {}

Event.OnServerEvent:Connect(function(player)
if table.find(db, player.Name) == nil then
table.insert(db, player.Name)
task.wait(5)
table.remove(db, table.find(db, player.Name) )
       end
end)

Makes it so it can’t be fired for 5 seconds again. (I wrote this script on mobile, so it might not be entirely correct, but the concept is hopefully correct)

tbh bet both the rate limiter is the most securised one i know .

While it’s true it’s possible that an exploiter can do that, the chances are very low, super low, for someone to join you game and do that. If that doesn’t reassure you then I suggest you to only create the remote event for its intended purpose then delete it right after so there is no remote event for an exploiter to spam and use.

1 Like

I don’t think using scripts and playing with the disabled property is a good idea, you can either do like @OfficialPogCat said with a debounce or just check in the server if the player is actually meant to fire the remote

Clean version in my opinion, however it drops every request, even if function wasnt executed.

local db = {}
local debounce = 2
Event.OnServerEvent:Connect(function(plr)
    if table.find(db, plr) then
        return
    end
    table.insert(db, plr)
    task.delay(debounce, function()
        table.remove(db, table.find(db, plr))
    end)
end

I still prefer creating tick based debounce systems for each project.

This is the best way and what I personally use, but I recommend os.clock() over task.delay()

local db = {}
local debounce = 2
Event.OnServerEvent:Connect(function(plr)
    if os.clock() - (db[plr] or 0) < debounce then
        return
    end
    db[plr] = os.clock()
    -- Your code here
end

Since this is all server-side, there’s no way an exploiter can bypass this.
Also you misspelled OnServerEvent as OnServiceEvent and you forgot to table.insert the player into db so it would actually work.

6 Likes

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.