Well, this is more of a security flaw but I don’t access to post in bug reports id guess I can educate you. In few lines of code you can read full servers info . All that is great and all but when you are in studio and in playtest, server is set to your router IP meaning when you read server’s info it will be your info there. With just few lines of code you can easily pass that info to “Discord” Webhook like this
This can be easily sneaked in when buying products from other developers, where you must enable HTTPS service in order for whitelist to work.
Again if this is not a bug and if I’m in wrong category let me know!
Could you maybe show some of the code that way I could make a auto detector which would remove it from any scripts that are in my game and so I know what to look out for?
This shouldn’t be happening but getting someone’s IP is quite useless, people act like its the most sensitive data someone could get their hands on when in reality it barely shows any sensitive/harmful info about you
IP loggers aren’t as big of a deal as people make them out to be. They can only be used to approximate your ISP’s service area. They do not have any correlation to individual addresses and can only reliably determine which country someone lives in, which you can do legally on Roblox. Most ISPs will provide dynamic IP addresses that change every few days anyways (especially v2 addresses), so it’s not even like you’re able to ‘assign’ or map IP addresses to players - they will change regardless.
You can’t even DDOS a normal residential IP because port forwarding will be disabled, and the firewall will block all incoming connections. You only really want to worry about protecting your IP if you’re running an open server without a proxy where you’re able to be attacked.
This is kinda obvious for experienced scripters so it’s usually not an issue. That’s why we’re very careful when updating plugins and tend to read their source code.
In general, when testing things in studio, the simulation is a fake server(not a real Roblox one) that in reality is your own PC. So when you make HTTP requests in studio, what the websites you’re requesting see are your own PC statistics, like your IP, network info, etc.
PS: This can also happen from models during a studio test, that’s why it’s a good practice to have HttpService disabled(which it is by default) unless you need it and know what you’re doing.
It depends on what you mean. On residential modems, unless port forwarding is enabled, the modem will reject all incoming connections at the firewall. Theoretically it’s possible to send so many requests that the firewall fails, though normally you’d only be worried about attacks targeting your server, not the firewall itself as those are designed to handle extremely large amounts of traffic/second. Either way, DDoSing a home network does not benefit the attacker in any way unless there’s a server there. All you’d do is possibly slow down the internet for a couple seconds.
A VPN will not protect you from DDoS attacks even if you’re running a server (which allows incoming connections) and using the VPN as a reverse proxy. Unlike reverse proxy services like Cloudflare which are designed to mitigate DDoS attacks, all using a VPN will do is send the traffic to another server before bouncing it back to your server.
If you mean always use a VPN to obfuscate your real IP, again, unless you’re running an actual server which people have a reason to DDoS, it’s overkill. No one will attempt to DDoS a random person’s home internet, and if they do, the impact will be minimal unless you’re port-forwarding traffic to your computer. If you are running a server, just use something like Cloudflare as a reverse proxy - it will hide your origin’s IP and mitigate DDoS attacks.
Yes it will lol, the server hosting the VPN will take the hit instead unless the VPN has it specifically programmed to DDOS you (the user) as soon as it detects a DDOS attack, which literally makes no sense.
yes
yes, but again it will defend you from a DDOS attack, because by your logic either: the VPN will send all the DDOS traffic to you themselves therefore DDOSing you, or it will reroute all the traffic directly to your IP defeating the purpose of even hiding your IP.
All new modems have port forwarding disabled by default. If there are no ports open, the traffic doesn’t have anywhere to go!
What do you mean by VPN? Obviously if you’re hidden under a VPN’s IP when browsing then you won’t be able to be DDoSed. But as I mentioned hiding your IP on a residential network purely for DDoS protection is overkill, and will only end up slowing down the internet speeds you pay for. But if you’re using a virtual network as a reverse proxy for a server (where the traffic is bounced from another server back to your computer), all you’re doing is getting yourself DDoSed by the proxy instead of the attacker.
Unless you’re someone important or you run a server, no one will try DDoS your internet. That’s just fear-mongering. People have to spend money for botnets, and using that money on random people they don’t know is not something anyone would do. This is similar to when people scare kids into thinking someone has drugged their Halloween candy - no one is wasting their expensive drugs just to get a random kid sick.
I don’t know what you mean. Obviously, if your IP isn’t known by anyone you can’t be DDoSed. But my entire point was that using a VPN to achieve this is ridiculously overkill and you’ll end up having to pay for a VPN + lose out on fast internet speeds.
yes, port forwarding is disabled by default, but that’s not what I was talking about, you were talking about the modem rejecting incoming connections, that’s a completely separate thing than having a port open, you can still get sent packets even if you don’t have a port open.
untrue, if you download something, you are actively being sent traffic. the download IS traffic.
for this router, you only have the “High” and “Low” options which doesn’t really tell you much but basically the higher the firewall level is, the less types of packets you can receive. (I can’t really tell you which ones are blocked lol since it doesn’t specify but some routers will tell you which packets will get blocked)
you don’t always have to, if you’re knowledgeable enough you can make your own.
but in this case, a botnet doesn’t run out, I know a guy who just ddoses random ips just for fun (spoiler alert, it’s not that fun, it’s as easy as opening putty to connect to your botnet and then seeing a “Request timed out” on the cmd window where you’re pinging the ip)
I get your point lol, yeah using a VPN is overkill because you can just restart your router for a new ip if you have a dynamic ip, even people claiming they use a VPN for privacy is overkill because they then end up using a VPN that logs everything much like their ISP does, that’s why mullvad is the only VPN that gives you true privacy. if you’re not using mullvad then you’re just giving your data to someone else that isn’t your ISP
Yes, you can be DDoSed without ports, but if there are no ports open, your modem is essentially acting as the firewall. Because the traffic can’t go anywhere, it just ends up being blocked by the modem. Too many of these requests could overwhelm your modem but all it will do is slow down your Internet since the traffic isn’t actually “clogging” any ports. The actual firewall is useful if you are port-forwarding since it will artificially clog up ports by lowering the amount of traffic they can handle.
Yeah, VPNs that hide your IP will protect you from DDoS attacks because no one will know your IP. It’s just unnecessary.
You can make your own DDoS systems but most attackers choose not to because they end up costing more. Running your own high-traffic servers that are capable of outputting gigabytes (or even terabytes) a second, along with paying for high-performance Internet, will end up running you a lot of money. The majority of DDoS attacks are done by paying for massive botnets, often set up in poorer countries, which take advantage of low-security devices. Both options cost money and no one will use that money on random Roblox players.
No, a botnet doesn’t run out, but you have to keep paying for it. If you’re doing it with your own servers then you have to continue paying for the hardware, the internet, and the electricity. Nothing is free so there’s no reason anyone would use money like this.
Just saying you really have to try to get your IP logged or even get it traced to you . I would also rather not have terrible ping to ‘protect’ my ip with an inefficient method …
DDOS? bro od people be using DDOSing players to their advantage especially when the people are of high stature in certain games that are worth real money. getting ur ip leaked isnt good what so ever when it gets in the wrong hands.
. All that is great and all but when you are in studio and in playtest, server is set to your router IP meaning when you read server’s info it will be your info there. With just few lines of code you can easily pass that info to “Discord” Webhook like this
