Need help stopping chat system RemoteEvent spam exploit

Roblox does stop them, but there is always a workaround. Its been this way for years.
You can’t prevent it entirely only temporarily. They’ve gone far enough to simulate the Roblox environment to get the API working.

No and sort of. You can use server and client preventative measures to detect if some behavior you don’t want is occurring or some unknown object enters the environment.

You know, an idea would be to have an internal function that checks to see if a script existed initially or not. You can’t script at runtime anyway. So if there’s a new script (asset id doesn’t exist) just remove it.

I’m sure there are a variety of injections, but this would solve this one.

Each asset must have a unique id I’m sure…?

I only gave him a base of what he could do. He could go for the remote and make an OnServerEvent function that checks if the message is over a certain length. I understand kicking is bad, but it’s one of the only options that he could do aside from deleting the message (which from what i understand might require some scripting).

Developers cannot stop exploiters from injecting scripts into their machine. It’s beyond what we can do. If you insert a script with a nil parent, there’s no way to detect this with ChildAdded or any API event. Exploiters can also insert scripts/objects into RobloxLocked containers that developers can no longer detect. The most we can do is try to stop what these scripts are trying to execute.

It’s a very old security flaw that engineers at roblox are trying to patch and until now, there seems to be ways around their patches.

If that’s the case then what is the point of making games? If I kick someone or I have a script that kicks someone, it’s so they have a bad user experience. Even if I just wait for a patch, it will get fixed, i’d rather tarnish my games experience as it’s for a once a week thing for a very certain experience then wait for a patch.

Keep in mind it is not normally possible to ‘Inject’ scripts into a ROBLOX Server instance and have it execute server-side. Furthermore, :FireServer() is not available on the server.

1 Like

If you found this in a toolbox model,There’s usually more ,Just search up “Script” in your Workspace or whatever,And it’ll show all the scripts in the game, Usually named "inject " ,“anti-lag”,“anti-exploit”,etc. just right click and delete it.

1 Like

I am aware of this. I was asking because if this script was on the server, he could have a malicious plugin that injected the script in studio.

If the script was on the server, then I don’t think it would be possible to “sends a lag storm”. This is because the script would not be able to run and an error would be displayed, as FireServer() is a client only method.

This seems like an issue on Roblox’s part. It’s spamming a default remote event made by Roblox’s builtin chat system which gets spammed to have a user repeatedly say a phrase. I recommend you learn how to make custom modules with Roblox’s chat system and make a custom module to prevent spam or find one. From what I know Roblox does already prevent spam though?

1 Like

Why can’t we just have nil parents no longer be a thing?

I mean, if it doesn’t have a parent, wouldn’t it not exist?

that is not possible unless you use a custom chat system that does not use remoteevents.

the client chatbox sends a request to the server asking it to post that message using that remoteevent.
and then this is considered a problem in the backend.

1 Like

Yes, but a remote event is required to send from client to server or visa versa.

Would be like trying to call someone without a phone.

The highest hierarchy must have no parent so I guess the entire environment doesn’t exist :wink:
Anyways nil has various use cases and is the same mechanism is actually used for :Destroy() except it breaks event connections. It still exists if there is a reference to it in a script.

Well i’m sorry to say, this is possible and it happens with the typical chat system. On-top of that, it uses the /e command to bypass the typical roblox chat text limit. At least so I assume.

  1. Yes
  2. Yes

The problem is the methods for doing so are few and far between. They get patched by exploit developers quickly and are easily bypassed by most exploiters. Your best bet is to rate limit chat messages from the server (or even better, queue a few requests to prevent slowdown while still allowing content).

Example:

local keeper = setmetatable({}, {
	__mode = "k" -- This will allow players to be garbage collected when they leave preventing memory leaks
})
local queue = {}

local timeout = 0.1 -- Seconds between requests
local handleRemote
handleRemote = function(player, ...) -- Function to handle remote requests
	queue[player] = queue[player] or {}
	keeper[player] = (keeper[player] or 0) + 1 -- Increment keeper for player

	if keeper[player] >= 5 then -- >= 5 requests in 0.5 seconds
		table.insert(queue[player], setmetatable({...}, {__mode = "v"}) -- Add arguments to queue to recall this function
	else
		-- Your remote code
	end

	delay(timeout, function()
		keeper[player] = keeper[player] - 1

		if #queue[player] > 0 then -- Process a queue item
			while #queue[player] > 8 do -- Remove extra queue items above 8 queued items (completely ignore them to prevent insane remote latency due to too many queued requests)
				table.remove(queue[player], #queue[player])
			end
			local args = table.remove(queue[player], 1) -- Take the first item from the queue
			handleRemote(player, unpack(args)) -- Call the handleRemote function again (it'll be requeued if others are queued)
			-- Because this function gets called again the next queue item will be used after timeout
		end
	end)
end
remote.OnServerEvent:Connect(handleRemote)
2 Likes

This is an open discussion for everyone, including malicious users. Having direct access to the source is a privilege that should be entrusted to whom OP believes is trustworthy.

For cases like this I personally would only trust a verified white hat/black hat,a user with credible knowledge on exploitation I.e @Autterfly

2 Likes

The script you provided does not crash servers. It properly says “Your message exceeds the maximum length”.

Do you have another repro available?

EDIT: Also don’t even bother trying to detect exploiters client-sided, they just run the code directly in roblox’s VM. There’s nothing you can do.

If that’s the case then there’s no point of making games. I believe your statement is false.

Is there a point to making anything then?

When all these companies constantly have security breaches (even the forum software you’re using right now) nothing is fully secure, but ROBLOX gives you the tools to create a proper client-server model.