Is it possible to IP ban someone from a game?

Is it possible to PERMANENTLY IP BAN someone from a Roblox game? How can this be used? Is this illegal? I want to make an anti-cheat that can IP BAN the cheater from the game, preventing him from using alts. It is hard to detect alts because there are tons of alts on Roblox and not all are “new accounts”; there are alts from every year. If this is legal, can I do it? How?

8 Likes

Pretty sure it’s not possible.
And even if it was, I am pretty sure it wouldn’t be allowed.

7 Likes

As far as I know, the Roblox Player Client does not share the IP to the game, since it is Personally Identifiable Information. Handling IPs is something pretty hard and special, since it can even reveal the home address of someone. Roblox can’t give them out randomly to developers and it shouldn’t. So, you can’t IP ban anybody.

18 Likes

IP is PII and therefore will never be trusted in the hands of your average developer. The best you can do is ban a user by account.

6 Likes

This should be posted in #help-and-feedback:scripting-support

4 Likes

This won’t allow newer users to play the game, while it doesn’t prevent bad actors from doing anything.

2 Likes

I would strongly advise any developer against taking this measure. If a new user plays your game first, then you have the lowest bar in terms of the user’s expectations, and they could be a loyal player of your game for a very long time; in contrast, kicking them will make them instantly dislike your game and never return.

There are also scenarios like someone creating an account to join a friend and being unable to join, so they both play a different game.

3 Likes

This question gets asked a lot, and the answer is always “no.” Why? On the surface, it seems like IP banning is a great way to stop exploiters, but it’s actually not that great.

For one, exploiters need only get a different IP address to get back into your game and wreak havoc. It’s actually pretty easy to do that. You can read all the various ways one can change their IP address here: https://www.allconnect.com/blog/how-to-change-your-ip-address

The second reason IP banning is bad is because it’s a bandaid solution. People can still cheat; all they need to do is not get caught, which is more likely to happen as your game’s playerbase increases. You just can’t manually keep track of and ban every cheater in your game.

The true solution to your problem is to implement better server-side security so as to make cheating impossible to begin with. There is a plethora of resources on the good old Interwebs for how to achieve better server-side security. I’d recommend searching for “sanity checks” to get started.

Hopefully, you now have some ideas about how to keep your game safe. Good luck!

17 Likes
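A server-side sanity check of the kind recommended in the post above, combined with the per-account ban mentioned earlier in the thread, as an added example that is not code from any poster or from Roblox. The RemoteEvent `CollectCoin`, the `Coins` folder, the `leaderstats.Coins` value, the DataStore name and the thresholds are all hypothetical; the only identifier used for the ban is the account's `UserId`.

```lua
-- Server Script (ServerScriptService). Added example; all names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local DataStoreService = game:GetService("DataStoreService")

local banStore = DataStoreService:GetDataStore("AccountBans_v1")   -- assumed store name
local collectCoin = ReplicatedStorage:WaitForChild("CollectCoin")  -- assumed RemoteEvent
local coinsFolder = workspace:WaitForChild("Coins")                -- assumed folder of coin parts
local MAX_PICKUP_DISTANCE = 12 -- studs; assumed tuning value
local MAX_STRIKES = 5          -- tolerate lag before banning
local strikes = {}

local function isBanned(userId)
	local ok, banned = pcall(function()
		return banStore:GetAsync(tostring(userId))
	end)
	return ok and banned == true -- a DataStore outage lets the player in (fails open)
end

Players.PlayerAdded:Connect(function(player)
	if isBanned(player.UserId) then
		player:Kick("You are banned from this game.")
	end
end)

Players.PlayerRemoving:Connect(function(player)
	strikes[player] = nil
end)

collectCoin.OnServerEvent:Connect(function(player, coin)
	-- Never trust client arguments: check type, location in the tree, and plausibility.
	if typeof(coin) ~= "Instance" or not coin:IsA("BasePart") or coin.Parent ~= coinsFolder then
		return
	end
	local root = player.Character and player.Character:FindFirstChild("HumanoidRootPart")
	if not root then return end
	if (root.Position - coin.Position).Magnitude > MAX_PICKUP_DISTANCE then
		strikes[player] = (strikes[player] or 0) + 1
		if strikes[player] >= MAX_STRIKES then
			pcall(function() banStore:SetAsync(tostring(player.UserId), true) end)
			player:Kick("Banned: invalid pickup requests.")
		end
		return
	end
	coin:Destroy() -- the server, not the client, decides the pickup happened
	local stats = player:FindFirstChild("leaderstats")
	local coins = stats and stats:FindFirstChild("Coins")
	if coins then coins.Value += 1 end
end)
```

The reward is granted only after the server has validated the request, so a tampered client gains nothing from firing the event with forged arguments.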

It may be possible, though I do believe it violates the terms of service according to another post I saw (If I see it I’ll send a link.)

No. There was something similar to this that used a hidden property within UserSettings() which could give players a specific ID, meaning that if someone were to be banned, any potential alts would be banned unless they got a new computer / reinstalled roblox entirely. This method was adopted by Phantom Forces, but I assume it was quickly patched / removed afterwards.

Exposing developers to other players’ IPs is a stupid idea. It’s not a matter of legality, it’s a matter of coherency.

2 Likes

I think the reason for it not being allowed is less about it being PII and just more that letting developers read a player’s IP is a monumentally stupid idea. While you can’t really do that much with an IP, the things you can do are a good enough reason to not give developers a client’s IP.

Then again, implementing IP banning doesn’t mean you’d give the developer access to the IP. Still, though, IP banning is absolutely, 100%, useless. IPs can change on a bi-daily basis normally and can be changed almost instantly, should you need to change it.

Not only that, but implementing IP banning would prevent people in the same household, or people sharing devices, from playing your game (if one person is banned). That isn’t good UX.

A better form of banning is using a hash of the user’s hardware ID (HWID) and identifying them via that. Still, though, this comes with the flaw of preventing users sharing devices from playing the game. Not only that, but it would be pretty easy for exploits to just report a fake HWID every time the Roblox client starts so that it’s impossible to identify and ban you via it.

1 Like

There are tons of alts that are older than 3 days, or second accounts

This is against the terms of use and can get your game banned. On top of that, it’s just a bad user experience.

1 Like

You would need to dig into the privacy policy to get an absolute answer for this.

I don’t think that Roblox shares the IP of the players with any game’s server; therefore it’s not possible to IP ban anyone.

Now that I’m thinking of it, Roblox could possibly introduce a way for developers to identify specific devices. They could give a client a unique identifier string that never changes. Then the developer could use that however they please.

This is not true at all. Roblox has no problem if you ban users out of your own game. If it were against the terms of use, a lot of games that are on the front page would not exist, since a lot of these games have a script that will ban certain players.

Yes, it is a bad user experience if you set that age limit for your game, since a lot of new players will not say that your game is the first one they have played on Roblox.

No. You can’t see people’s IPs or do anything to them. Your best bet is to have an active moderation team.

1 Like

Short answer: No, and this will never be supported

Long answer: In the past there were one or two times IP addresses were exposed to user code, and thus could be used for IP bans; however, IP bans are EXTREMELY frowned upon for many reasons. (Note: These have always been SUPER rare and afaik happened at most twice in the earlier days of Roblox, and potentially were simply the same vulnerability at the same time, and at this point the chance of another one of those situations occurring should not be a concern to really anyone anymore so, uh, don’t be scared you’re gonna get IP logged by a Roblox game) IP bans are extremely overhyped and are in practice not effective against small operations of people (e.g. a random exploiter) but rather large operations such as botting operations, because they tend to be restricted to a small range of IPs. This just comes down to the nature of how that works.

It’s actually entirely possible, and usually easy, to completely reset your router IP. Generally IPs are assigned to your router for about a day or two. If your router is offline, it won’t reserve the IP, and thus, eventually after about a day you’ll get assigned a brand new IP if your router has been off. This is one way to avoid an IP ban; however, the easiest way is just contacting your ISP to begin with. Most ISPs will allow you to request an IP reset with no question. This doesn’t get into issues with organizations, schools, coffee shops etc., really just public or organizational wifi, and doesn’t get into problems when IPs can be reassigned to other users, thus effectively they become IP banned.

The alternatives? Two alternative ban methods which are more commonly used in practice are HWID bans and poison bans. I’ll start off with HWID because they’re a bit easier. An HWID is sort of just a collection of specs and hardware and stuff in a different form, unique to your PC, maybe a hash, whatever. It’s employed within Windows for determining key reusage I believe; for example, the key you have may only allow a small amount of changes to hardware before reactivation is required (generally this doesn’t include GPU or CPU or at least, will offer a lot of range afaik). HWIDs are better but still have large flaws. HWID spoofing exists, and is, again, another method that in practice just isn’t as good. HWID bans are again usually only better against botting operations which are using the same machine. If someone is desperate enough, they can spoof their HWID the same way they can get their IP reset, and it’s arguably easier.

And now, poison banning. Poison banning in practice is basically just using user settings or cache files or whatever to track a client. An older example of where poison banning was employed was Eclipsis, and I believe Phantom Forces employed the same method according to the Eclipsis dev I spoke with. Poison banning out of the three is by far the most effective, as, when powerful enough, it’s possible to track a client perfectly, and track every account logged into it, etc. Afaik, from Roblox’s perspective this is a no-no (especially relating to legality on their part as iirc their ToS/PrP sort of forbids them from this, so it’s their responsibility to resolve it). It’s not going to get you moderated if you employ it; it’s generally just a formality thing. Afaik, Roblox states they do not employ this type of tracking, and thus, if a game employs it, it becomes unintended.

In the history of Roblox, Roblox has only ever IP banned a small few users as far as I am aware, I think the most notorious being Julius Cole, who basically (but I mean technically so) ended up scamming players on a mass scale, using stolen games and stolen content, making Robux off of them, until he’d eventually uncopylock the game when it’d run out of money making abilities, and he ended up making a lot of very hateful content towards the Roblox staff at the time. This ended up getting him IP banned and ended up killing several pretty popular games (at the time when 1k players was a lot :eyes:), and I believe some content, such as Morph Magic, actually exists today publicly solely due to Julius’s actions at the time. (This was extremely long ago, and Julius no longer does anything like this as far as I’m aware)

10 Likes

I’d like to note that your local IP and public IP are very different things. Your public IP (and the thing that’s available to websites and stuff) is just your router IP on the internet basically, and it’s mandated by your ISP. (Generally afaik different ISPs and server operations and stuff get assigned their own ranges of IPs, so basically, they might get for example “IPs from the range X.X.X.X to X.X.Y.Z”, hence why you’ll probably see at least the same first number in your public IP)

Getting your public IP from your computer through anywhere is done externally, basically, you connect to a website, the website tells you your public IP. For example, if you search “what is my IP” on Google, you connect to Google, Google sees your public IP, and Google just tells you it back pretty much. The only device on your wifi network that I’d expect actually knows your public IP and didn’t request it from somewhere is likely just your router (and even then maybe not in some cases, I’m not sure)

2 Likes