Preventing a server crashing exploit

Hello, I’ve been recently notified about a new (or old) exploit that has just been uploaded to GitHub and has crashed a few popular games so far to my knowledge. I’m looking to try and prevent this from happening.

GitHub repo: https://github.com/tonumber/logservice/ ← Repo readme contains bad language
GitHub Raw: https://raw.githubusercontent.com/tonumber/logservice/main/ui.txt

Upon somebody running the attack, in ServerJobs, the Write Marshalled skyrockets to the top.


It takes around 15-20 seconds before the server becomes unresponsive. The server console states that a user is spamming remote events, but I believe it isn’t spamming remotes it can find in ReplicatedStorage but actually is abusing the LogService (which is obviously tied to remotes).

Just from going off of the message in console, I attempted to implement my own fix to the issue, but it’s barely effective.

If this has already been resolved and there is a patch out there for it, please tell me and I’ll take down this post! Many thanks, :happy1:

1 Like

I’ve actually been working with a friend of mine, Kavra. We’ve been trying to prevent Server-Crashing Exploits but there is actually no way (from what we’ve seen), but you could try your best making it harder to prevent crashing Servers. You’d have to go into detail and contact ROBLOX about this issue as it’s only ROBLOX who can fix it.

But that’s just our response, so hopefully they fix it at some point.

There might be solutions, or ways around solutions, but there is no way to prevent a server from crashing as it’s only available to engineers and programmers I’d assume :eyes:

2 Likes

My first thought is that it was exploiting ChatService some way, so I guess you could fork it and manually add a fix to it, but it seems (looking at the code) that it doesn’t exploit ChatService at all!

I’ve never used LogService before but I’m guessing it’s for error reporting and client performance monitoring

1 Like

Yep, I’d assume so, if there is a chat exploit you could easily make sure the Text isn’t spammed and if it is, you can find the local player and disable their chat gui or kick them.

1 Like

These lines of code seem to be the crashing payload:

for ie = 1,400 do
	for i = 1, 400*10 do
		spawn(function()
			game:GetService("LogService"):RequestServerHttpResult()
			game:GetService("LogService"):RequestServerOutput()
		end)
	end
end

I’m unsure of how I can raise this issue to Roblox staff. Where exactly could I go to report this?

1 Like

Usually ROBLOX doesn’t even get much awareness but I believe you can report it in:

Or,
Report it (if you have the rank) for Bug Reports I’m pretty sure :eyes:

I’ve dropped them an email just now! I didn’t know they had an “Exploit report” section, many thanks, I’ll update you if I get anything back from them.

Sounds great to me, hope that they’ll actually look into this issue :")

1 Like

https://developer.roblox.com/en-us/api-reference/event/LogService/MessageOut

You could listen for this event to be fired and kick the client for which it fired.

1 Like

Is that client-side or server-side? If it’s client-side, then it wouldn’t be the best idea.

Client-sided, but it’s a step in the right direction.

Testing this, it seems like the client constantly fires it upon a new entry in the console. It wouldn’t be the best idea, or you could check whether it runs 100 times within a second, then kick them.

Yes, any time print/warn is called on the client-side the event fires.
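The "100 times within a second" check suggested above, as an added example that is not part of any post in this thread: a sliding-window counter per client in plain Lua. `RateWindow`, `onLogEntry`, `flagged` and the sample timestamps are hypothetical names and constructed data; where the counter is fed from (for instance the client-side `MessageOut` event the thread discusses, which an exploiter controlling the client can remove) is an assumption left to the game.

```lua
-- Added example: sliding-window counter for "more than 100 entries in one second".
-- RateWindow, flagged and onLogEntry are hypothetical names, not Roblox APIs.
local RateWindow = {}
RateWindow.__index = RateWindow

function RateWindow.new(limit, windowSeconds)
	return setmetatable({
		limit = limit, window = windowSeconds,
		stamps = {}, head = 1, tail = 0,
	}, RateWindow)
end

-- Record one event at time `now` (seconds). Returns true when more than
-- `limit` events fall inside the last `window` seconds.
function RateWindow:record(now)
	self.tail = self.tail + 1
	self.stamps[self.tail] = now
	-- Evict timestamps that have aged out of the window.
	while self.stamps[self.head] <= now - self.window do
		self.stamps[self.head] = nil
		self.head = self.head + 1
	end
	return (self.tail - self.head + 1) > self.limit
end

local windows = {}   -- one window per client key (e.g. a UserId)
local flagged = {}   -- keys that exceeded the limit at least once

local function onLogEntry(key, now)
	local w = windows[key]
	if not w then
		w = RateWindow.new(100, 1)
		windows[key] = w
	end
	if w:record(now) and not flagged[key] then
		flagged[key] = true   -- in a game: kick or report here
	end
	return flagged[key] == true
end

-- Constructed input: client 1 logs 5 entries per second for 10 seconds,
-- client 2 emits 150 entries within half a second.
for i = 0, 49 do onLogEntry(1, i * 0.2) end
for i = 0, 149 do onLogEntry(2, 20 + i / 300) end
print(flagged[1], flagged[2])
```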

Has anybody found a fix for this? My game is currently experiencing this issue, it’s been causing huge issues among my community - and frankly killing my game.

2 Likes

This exploit (or variant) has been reported to Roblox, but I’ve heard nothing back from them yet.

There is also DDoSing on ROBLOX which has been quite relevant. ROBLOX Staff has acknowledged it for a year, yet still nothing is in place to help protect from attacks.

https://devforum.roblox.com/t/server-ddos-attacks-becoming-problematic/1072624

1 Like

I really do doubt that it is a Denial of Service attack. There must be DDoS mitigation, it’s a must-have for almost every platform in the world.

It’s a real thing, search DDoS on the Dev Forum. There are multiple threads with proof of it. That is ROBLOX’s current issue: applying DDoS mitigation. There are rumors that Amsterdam servers have mitigation applied as some sort of testing to fix it. However, quite a few developers have tried replicating this to find it hasn’t quite worked for them.

There is NO doubt that Denial of Service attacks are relevant on the ROBLOX platform. If you don’t believe me, actually read every single comment on that thread I linked. Major genre developers have reported these issues, with evidence as well.

1 Like

Eh, when I see people talking about how the servers are going down, they instantly jump to the term DDoS. Discord has DDoS mitigation, and so should Roblox, it just doesn’t make sense for them not to. It’s hard to believe it was an actual impactful DDoS attack when people always jump to the reasoning of “oh, it was a ddos attack, for sure”.

DDoS mitigation is kind of a double-edged sword for video game platforms because it adds extra steps in network procedures that can lead to higher ping/latency.

Roblox is constantly fighting exploits and more recently has patched an HttpService vulnerability that allows exploiters to spam Http requests and crash games. Unfortunately there isn’t much you can do programmatically to stop your servers from being crashed.

I looked over your repo and saw you were using LogService:RequestServerHttpResult(), could you elaborate a bit more on what the purpose of this is? (Is this something necessary for your game to run?)