My game is being targeted by a hacker

Hello, I’m currently in a very frustrating situation. My game 🦖Dinosaur Legacy: Saurian Odyssey - Roblox is being targeted by an exploiter to a point where I had to private the game so people stop losing their data. The exploiter was joining the game and kicking everyone. He then proceeded to join the associated Discord server, where he admitted to hacking while being extremely racist and rude to our members.

What’s really frustrating is the game doesn’t get many players, so this is clearly someone who is doing it out of spite.

Does anyone have any experience with something like this? If so, how have you dealt with it?

8 Likes

Get better server-side remote event protection. He shouldn’t be able to do this; you must have an unprotected admin script remote or something like that, unless your game is backdoored, but that’s a whole different story.

7 Likes

This has to be something with an admin panel you or someone else created, he has to be firing a remote event that kicks the player. You should try adding a table check with the client to see if they are on the table, and if they are, kick the player

3 Likes

This is probably a lack of security on your admin commands and such. Make sure to check that whoever is sending admin remote events is on a table which contains all admins and such. Also check for strange requests for assets that aren’t in your game that you didn’t make; it may be a backdoor.

3 Likes

Navigate to the ban section on the creator hub


and then ban:

4 Likes

Check admin panel security.
Every LocalScript isn’t security.

2 Likes

It’s amazing how many of you guys managed to say the same thing. The first reply clearly calls out that problem, so there’s no need to repeat it

1 Like

You have unsecured RemoteEvents that are allowing the “hacker” (exploiter) to kick everyone from the server. These types of vulnerabilities are what “hackers” love best.

1 Like

I know how to ban people. I’ve already banned over 15 alts, so clearly Roblox’s ban system doesn’t work at detecting alts.

2 Likes

Instead of taking reactive measures such as banning you need to make preventive measures by doing server-side validation.

So, it is impossible to kick other players from the client, which means that you must have some sort of admin script that kicks players, as pointed out by other people in this forum. I recommend making it so that you have an array of authorised individuals who can use admin permissions, like this:

local adminEvent = game.ReplicatedStorage.Remotes.AdminEvent
local admins = {
	-- your UserIds here
}

-- `player` is supplied by the server for every OnServerEvent call and cannot be
-- spoofed by the client, so it is the only identity you should trust here.
local function onEvent(player, command)
	-- check if the player is actually authorised to perform admin commands
	--[[
	you can even do something like error(`{player.Name} attempted to use an admin command!`)
	to catch out people using admin commands since you have a small playerbase and it would be logged in error reports
	]]
	if not table.find(admins, player.UserId) then return end
	-- your admin code here
end

adminEvent.OnServerEvent:Connect(onEvent)

thank you, but the kick message is “Lost connection to server”, so they’re most likely crashing the server, not abusing the admin system

Then they might be remote spamming something that creates a lot of things on the server, try adding debug prints to your functions which have the capacity to be spammed and create a bunch of instances and do your own vulnerability testing with the current remotes in your game.

“Lost connection to server” sounds a lot like a DoS/DDoS attack. Since the only network tools Roblox provides for you are remotes, the best you can do is secure those. But, basically: there’s nothing you can do about it.

All exploiters need is the server’s IP address, which isn’t that hard to get. Then, they just put it in their software, and off it goes to crash the server. I’ve heard that a DoS/DDoS attack only does so on the main game place, so you could try moving it to a different place within the universe and then teleporting them there immediately. I’m not sure if that’s true or not, so don’t quote me on that.

Just don’t give a reaction and hope they get bored.

3 Likes

This kind of sounds like a DDoS attack. Maybe set up an entry game that, after a moment, sends them to the real game. And possibly check that your startup isn’t smashing into a mass load-up the second they log in. Put a pause on that also. Those logo screens can serve two purposes. One is to stop the instant power load that could be used against your program.

Other things that can help stop DDoS attacks:

Entry Game Buffer:
Create a small lobby or waiting room before players join the main game.
Use TeleportService:Teleport() after a delay to distribute logins.

Rate-Limit Teleports:
Use TeleportService:TeleportPartyAsync() instead of mass teleporting everyone at once.
Implement a queue system to stagger transitions.

Throttling Logins:
Track login attempts using MemoryStoreService or MessagingService.
If too many logins occur in a short time, temporarily deny entry.

Async Loading:
Load assets incrementally instead of all at once on startup.
Use task.wait() or coroutines to space out resource-heavy operations.

I’ve been told I’m odd for adding task.wait(#?) to the top of my scripts I can wait to be loaded for a bit… This is the reason I do that.

Good luck!

2 Likes

If you have any free models (that have scripts in them) in your game, then some of them might have backdoors. I would recommend not using any. If this is not the case, then it’s probably your remote events; they’re not secure enough.

The hacker could be abusing your remote events because they’re not secure.
Make sure you don’t have any remote events that create new instances often. If you do have events like these, make sure you add some kind of cooldown.

Also make sure you use the type() and typeof() methods to verify the parameters/arguments that you’re getting from the client.

Make sure you don’t have any functions that can cause the server to lag if called too many times. If you do, you need to add a cooldown or add a few if statements that check if the user is allowed to call these functions.

Make sure you use the new ban API Roblox provides you with to ban the hacker; it should also prevent him from joining on an alt account.

Not jumping on you in any way here, but models/objects cannot have “backdoors.” Only a script can create that. If you’re not thoroughly going over a free model, then you’re not learning anything from it, and just dropping things into your program is somewhat risky to say the least.

Using/LEARNING from free models is a gift you should be doing, and thoroughly going over them.
There is nothing better than a working model to learn from.

1 Like

You can type classname:Script in the Explorer filter to view all scripts in the game.
Depending on the circumstances, I will write command line code to find scripts in a game.

-- names listed here are the scripts you already know about and want to skip
local filter = {MyScriptName = true}
for _, obj in workspace:GetDescendants() do
	-- LuaSourceContainer covers Script, LocalScript and ModuleScript
	if obj:IsA("LuaSourceContainer") and not filter[obj.Name] then
		print(obj:GetFullName())
	end
end

I apologize; what I meant is the scripts inside the model can have backdoors, not the part/mesh objects or the model itself.

2 Likes

Sorry for bumping this, but for anyone interested, the issue was a RemoteEvent that I didn’t have secured. The RemoteEvent was responsible for transforming the player into a dinosaur; unsecured, it meant that exploiters could easily crash the server.

What the RemoteEvent does
The RemoteEvent handles nearly all dinosaur-related actions in the game. Depending on the context sent from the client, it can spawn and set up a dinosaur character for the player, adjust stats and movement speeds, trigger combat attacks or stomp effects, play sounds, handle hunger/thirst depletion, relocate dinosaurs, and broadcast visual/audio effects to other players. This isn’t a good way of doing this; relying on one RemoteEvent for all of this was a bad choice on my side.

The main problem was the spawning of dinosaurs because 1) it relies on a player existing, 2) models are cloned, 3) models are destroyed, and 4) large module scripts are being required.

Before the fix

This is how the RemoteEvent looked like before the fix:

Dinosaur_Remoteevent.OnServerEvent:Connect(function(player, context, ...)
	local Args = {...}
	if context == nil then return end
	if context == "DinosaurSelected" then
		-- do heavy stuff
	end
end)

After the fix

local RespawnedPlayers = {}
Dinosaur_Remoteevent.OnServerEvent:Connect(function(player, context, ...)
	local Args = {...}
	if context == nil then return end
	if context == "DinosaurSelected" then
		if RespawnedPlayers[player.Name] then
			return --// respawning too fast
		end
		RespawnedPlayers[player.Name] = true

		task.spawn(function()
			task.wait(1.2)
			RespawnedPlayers[player.Name] = false
		end)
	end
end)

This is literally it; it stopped the DDoS attacks. So much money and time would have been saved if I had done this earlier. This might not work for everyone, but it did work for me. The most important thing is to make sure that your remote events are secure.

2 Likes
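The advice in this thread comes in three pieces: an admin allowlist for privileged commands (the reply with the `admins` table), `typeof()` checks and cooldowns on anything the client can spam (the reply about free models and remote events), and the original poster's own per-player respawn throttle. The following Luau server script, added here as an example and not code from the thread or from the game, puts all three into one handler for a single multi-purpose RemoteEvent like the one described in the final post. The remote name `DinosaurRemote`, the `ServerStorage.DinosaurModels` folder, the `ADMIN_USER_IDS` placeholder and the two commands are assumptions for illustration.

```lua
-- Added example (not the thread's own code): hardened server-side handler for a
-- "do everything" RemoteEvent. Every call is checked in this order:
--   1. the context is a string naming a known command,
--   2. admin-only commands are refused unless player.UserId is allowlisted,
--   3. every argument has the expected typeof(),
--   4. the command is not still on cooldown for this player.
-- Only then does any expensive work (cloning models, kicking) happen.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

local DinosaurRemote = ReplicatedStorage:WaitForChild("DinosaurRemote") -- assumed name
local DINO_MODELS = ServerStorage:WaitForChild("DinosaurModels")         -- assumed folder

-- UserIds allowed to run admin commands (placeholder value; fill in your own)
local ADMIN_USER_IDS = { 0 }

-- Seconds a player must wait between accepted calls of each command.
-- The expensive one (cloning/destroying models) gets the longest cooldown.
local COOLDOWNS = {
	DinosaurSelected = 1.2,
	KickPlayer = 1.0,
}

-- Commands that require the caller to be on ADMIN_USER_IDS.
local ADMIN_ONLY = {
	KickPlayer = true,
}

-- Expected typeof() of each positional argument, checked before any work.
local ARG_TYPES = {
	DinosaurSelected = { "string" },   -- dinosaur model name
	KickPlayer = { "Instance" },       -- target Player
}

-- lastCall[player][command] = os.clock() of the most recent accepted call
local lastCall = {}

local function isAdmin(player)
	return table.find(ADMIN_USER_IDS, player.UserId) ~= nil
end

local function argsValid(command, args)
	for i, expectedType in ipairs(ARG_TYPES[command]) do
		if typeof(args[i]) ~= expectedType then
			return false
		end
	end
	return true
end

-- Returns true (and accepts nothing) if the player called this command too recently;
-- otherwise records the call time and returns false.
local function onCooldown(player, command)
	local perPlayer = lastCall[player]
	if not perPlayer then
		perPlayer = {}
		lastCall[player] = perPlayer
	end
	local now = os.clock()
	local last = perPlayer[command]
	if last and now - last < COOLDOWNS[command] then
		return true
	end
	perPlayer[command] = now
	return false
end

local COMMANDS = {}

-- Public command: swap the player's character for a dinosaur model. The name is
-- looked up in a server-owned folder, so the client can only pick from models you
-- placed there, never an arbitrary string.
function COMMANDS.DinosaurSelected(player, dinoName)
	local template = DINO_MODELS:FindFirstChild(dinoName)
	if not template or not template:IsA("Model") then
		return
	end
	local old = player.Character
	local clone = template:Clone()
	clone.Name = player.Name
	player.Character = clone
	clone.Parent = workspace
	if old then
		old:Destroy()
	end
end

-- Admin-only command: remove another player from the server.
function COMMANDS.KickPlayer(player, target)
	if not target:IsA("Player") or target == player then
		return
	end
	target:Kick("Removed by an admin")
end

DinosaurRemote.OnServerEvent:Connect(function(player, context, ...)
	if typeof(context) ~= "string" or not COMMANDS[context] then
		warn(("%s sent unknown context %s"):format(player.Name, tostring(context)))
		return
	end
	if ADMIN_ONLY[context] and not isAdmin(player) then
		warn(("%s (%d) attempted admin command %s"):format(player.Name, player.UserId, context))
		return
	end
	local args = { ... }
	if not argsValid(context, args) then
		return
	end
	if onCooldown(player, context) then
		return -- silently drop spam; no reply means nothing for the exploiter to measure
	end
	COMMANDS[context](player, table.unpack(args))
end)

-- Drop cooldown state when a player leaves so the table cannot grow without bound.
Players.PlayerRemoving:Connect(function(player)
	lastCall[player] = nil
end)
```

The `warn()` lines are the cheap detection layer for a small game: rejected admin attempts and unknown contexts show up in the server output and in the Creator Hub error reports, which is usually enough to tell "someone is probing the remote" apart from "a client is out of date". Keying the cooldown table by the `Player` object rather than `player.Name` avoids a stale entry surviving across a name change or a rejoin, and clearing it in `PlayerRemoving` keeps memory flat on long-running servers.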

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.