Recently, player bots have begin to surface. These bots are often used by exploiters to bot their own games to the front page, but I’ve seen these targeted against developers to get their games under review, or even their accounts falsely banned.
Here’s an excerpt from the most popular botting service being sold:
Robot does not wrap the Roblox client, it just mimics its network implementation. That’s why you can use it in any platform, even if Roblox is not supported there!
This explains that the bots don’t actually involve opening the client at all, they only mimic the networking level by sending only the necessary place joining packet(s).
Essentially, this means the bots do not:
- Run local scripts
- Spawn characters
- Load game data
We can use these limitations to our advantage by challenging their client in many different ways.
I’ve devised a fairly simple method to stop them, you simply have a RemoteEvent and have the client ping it within a certain amount of time after joining, and kick them on the server if they fail to respond. This does mean that players who have extremely high latency could fail the challenge, but if you give them 30 seconds it should be plenty enough for even the most laggy of connections.
I’ve attached a place file below that demonstrates how the detection works.
bot_challenge.rbxl (15.5 KB)
I tested this theory by having a friend attempt to bot this very game (with 1,500+ bots) and every single bot was kicked in a timely manner.
Do note that ultimately this is security through obscurity, and it is possible for bots to adapt to these “challenges” by writing the packets to do so. ROBLOX their selves have recently implemented a Lua challenge to attempt to deter these bots, but alas it was quickly bypassed.
Often or not, these “bots” are sold to people and are proprietary, there is no source code available for you to modify, meaning that if you want to bot a developer’s games who has a “challenge”, you have to rely on the bot creator to implement a workaround for that specific game.
If enough developers make their own challenges (that vary), It would be completely impossible for the bot creators to constantly update their service for every single game that has a different challenge.
In this thread we can discuss various “challenges” and ideas to combat the bots.
I’ve seen people recently implement things like
CharacterAppearanceLoaded checks, these aren’t computationally expensive for the bots at all, and could trigger false positives from users with laggy connections.
The most sufficient option is the ping check (as I mentioned before), because it involves firing remotes - which would involve building the game’s datamodel.
The simplest solution is often the best one, don’t ruin user experience (by adding captchas) because of an issue that ROBLOX needs to address.