Place botting explanation & ways to combat it

EDIT: as of 7/7/2020 the information below is mostly out-of-date, bots are capable of much greater things and can circumvent the protection I came up with below.

Recently, player bots have begin to surface. These bots are often used by exploiters to bot their own games to the front page, but I’ve seen these targeted against developers to get their games under review, or even their accounts falsely banned.

Here’s an excerpt from the most popular botting service being sold:

Robot does not wrap the Roblox client, it just mimics its network implementation. That’s why you can use it in any platform, even if Roblox is not supported there!

This explains that the bots don’t actually involve opening the client at all, they only mimic the networking level by sending only the necessary place joining packet(s).

Essentially, this means the bots do not:

• Run local scripts
• Spawn characters
• Load game data

We can use these limitations to our advantage by challenging their client in many different ways.

I’ve devised a fairly simple method to stop them, you simply have a RemoteEvent and have the client ping it within a certain amount of time after joining, and kick them on the server if they fail to respond. This does mean that players who have extremely high latency could fail the challenge, but if you give them 30 seconds it should be plenty enough for even the most laggy of connections.

I’ve attached a place file below that demonstrates how the detection works.

bot_challenge.rbxl (15.5 KB)

I tested this theory by having a friend attempt to bot this very game (with 1,500+ bots) and every single bot was kicked in a timely manner.

Do note that ultimately this is security through obscurity, and it is possible for bots to adapt to these “challenges” by writing the packets to do so. ROBLOX their selves have recently implemented a Lua challenge to attempt to deter these bots, but alas it was quickly bypassed.

Often or not, these “bots” are sold to people and are proprietary, there is no source code available for you to modify, meaning that if you want to bot a developer’s games who has a “challenge”, you have to rely on the bot creator to implement a workaround for that specific game.

If enough developers make their own challenges (that vary), It would be completely impossible for the bot creators to constantly update their service for every single game that has a different challenge.

In this thread we can discuss various “challenges” and ideas to combat the bots.

EDIT:

I’ve seen people recently implement things like CharacterAdded and CharacterAppearanceLoaded checks, these aren’t computationally expensive for the bots at all, and could trigger false positives from users with laggy connections.

The most sufficient option is the ping check (as I mentioned before), because it involves firing remotes - which would involve building the game’s datamodel.

The simplest solution is often the best one, don’t ruin user experience (by adding captchas) because of an issue that ROBLOX needs to address.

Thank you for a very informative thread!

I have a question:

1. Do bots disconnect after 20 Minutes because of Idling?

I’m not sure with this, but they should. Since they count as normal players.

If they do not spawn characters, you can check for their character and kick if it doesn’t spawn

As stated, it would be up to the individual developer to set the challenge.

As in my case, I have starter characters disabled in one of my games.

In some botting services, there is an option to disconnect the bots after a certain limit / time.

But as far as I know, I don’t think they will get kicked for being idle since they can persist their connections and send activity packets every so often.

My method is a ping test plus character check tbh

Does anyone know if kicking a bot in like 10 seconds would affect their ability to like/dislike a game? I’m primarily interested in stopping this for my upcoming project.

Also good thread! I think it’s fun making security checks >:)

Unfortunately I don’t think you can prevent that. It’s a sad reality, but perhaps ROBLOX will eventually do something about it. (I know they have been trying, but It’s a complex issue).

That’s a shame. If they forced you to play a game for a certain amount of time before being able to rate it I could manually kick the bots before they become a problem.

That’s actually a good idea. Consider posting it in #platform-feedback:engine-features, or wherever appropriate. I’m conflicted if it would be considered a web feature, or an engine feature.

This is really cool, and I’m definetely going to find great use for it.

There was something that I was questioning making before. I was considering making a script which sends a bunch of player data to a web API, like chat messages, movement, etc. The API would then use some sort of machine learning algorithm to determine if that person should be flagged as a bot. The more games that use the script and the more people that join those games, the smarter it will become and the more bots that will be detected. It would kind of be like reCaptcha, but instead of tracking mouse movement and all that other data, it tracks all the player and character data in the game and past games it joins.

Edit: It could look at join date, avatar, their inventory past joined games, accounts with similar names, chat messages, interval between messages, message similarity, etc

The question is if there is such a simple (granted temporary) solution why hasn’t Roblox implemented it themselves yet? Correct me if I’m wrong and don’t understand the premise of this fix.

I have a small question on this. I am implementing this into my game currently, and in the game, I do manually load the Character from a script which seemed to affect the repeat wait() until client.Character. Since I manually load the Player’s character in when the Player has finished loading all of the game’s assets, would just pinging the server after the Player has loaded the assets work aswell? You said that they don’t Run local scripts so this should be safe and work, correct?

They’ve tried but it’s not simple to implement a global solution since if it’s bypassed, it’s for all games. If developers have different challenges it’s impossible to constantly update a bot for each game.

This is a really neat post and I definitely appreciate the new insight on the subject.

Though, as helpful as this is, it doesn’t solve botting dislikes or likes which is one of the BIGGEST security issues Roblox has to date. Dislike/like botting is an epidemic no one but Roblox can fix realistically.

As far as I know you can only shoddily prevent dislike botting by kicking any players that are under a certain age (1 < day old accounts are kicked). Your method you’ve introduced. And a couple of other methods, but these are band-aid fixes onto a gushing wound.

But this obviously doesn’t prevent the frequent botted games getting 1k, 5k, 10k, even 100k. Even reputable games like Adopt Me and others have been botted before.
Usually games that get player-botted have horrible like/dislike ratios but who’s to stop a semi-decent game or even a good game with good ratios from being boosted from a couple thousand bots?

I won’t touch on it too much since it’s a bit off-topic but don’t even get me started on how much the Library received botting issues a few months back.

TLDR This is awesome, thank you . I just wish the actual problem was cut at the root.

I did have a question though. Where are some sources on this? I would personally love to research more on this for more ways to prevent this until Roblox fixes it.

Instead of each game having its own challenge, it would be possible to make a general solution.

Essentially the server generates a problem. This problem would be hard to solve, but easy to verify. Think proof of work bitcoin style.

What this means is that a client would have to solve a somewhat computationally complex problem in a limited amount of time. An individual computer would be able to solve it with little problems. However a bot that generates thousands of joins would need a substantial amount of computational power in order to answer 1000s of these questions, something that these bot users likely do not have.

While that could stop the bots that chat in-game to go to sketchy sites for free robux, I highly doubt that it would stop the dislike/like bots.

Correct me if I’m wrong, but they can still dislike/like bot the game even if they didn’t finish the problem if this were to be implemented.

It’s already been stated before, we can’t stop dislike/like bots. But the method I listed will stop player botting your own game (for the most part).

Basically summed it up perfectly. The real problem has to be dealt with by ROBLOX, but as of right now we can only fight back partially.

This is very interesting. I have had one idea I’ve never implemented and eventually shot down, but it’s much more basic. Its simply just creating a giant “X” button on the player’s screen and if they don’t click within 5 minutes or so, kick the player…

But obviously, 5 minutes is too long and I can’t tell if it’s just a bot or a player getting a snack lol