Remote Event Security

Hey guys, I’m an advanced scripter and I’m just curious about what techniques you guys have for remote event security, specifically damage events.
For a long time I’ve used a simple authorization code which obviously would work to no avail if the client has a local script decompiler.
If I were to do client to server and back to client in an encryption style manner, it wouldn’t be responsive enough for what I’m trying to do.

What would you guys suggest? Remember this is for a damage remote event for things such as guns, etc…

1 Like

Network-wise, the client should only tell the server “I’m firing my gun in this direction”. The server should do the rest, including damage.

5 Likes

FYI, you don’t need a decompiler to get around an authorization code - you can just hook into the remote object and scrape the auth code from the arguments when it’s fired.

When it comes to things like guns, it’s a matter of striking the balance between minimizing input delay and maximizing protection against malicious clients sending false data. You also have to bear in mind issues caused by latency in respect of trajectories. A simple approach is to allow the client to calculate the ballistics and hit detection for bullets, and then notify the server of some basic information about that shot which it would then attempt to verify. For example, you could send:

  • The position the bullet was fired from
  • The direction the bullet was fired in
  • The character that was allegedly hit
  • The position of the hit point

You can then get the server to check if those roughly make sense (is the hit point in a similar direction from the start point to the bullet direction etc.) without performing a full ballistics simulation on the server because this would be out of sync (players will have moved in the meantime).

This is by no means a good or the best way to do it, but hopefully it gives you an indication of some of the things you need to be thinking about. Systems like these are never perfect - robust ones are a product of careful thought and plenty of experimentation.

12 Likes
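The two approaches above (the server doing the damage itself, and the server cheaply sanity-checking a client-reported shot) can be combined in one server-side handler. The following Luau script is an added example written for this thread; it is not code from any of the posters. It assumes a RemoteEvent named "FireWeapon" in ReplicatedStorage, a part named "Muzzle" somewhere in the player's character, and the tuning constants shown, all of which are invented for the example. The client sends the four values listed above; the server rate-limits, checks that the origin, direction, hit position and target are plausible, then confirms line of sight with a single raycast rather than re-simulating the bullet.

```lua
-- ServerScriptService/WeaponServer.server.lua (added example, not from the thread)
-- Assumes: ReplicatedStorage.FireWeapon (RemoteEvent) and a "Muzzle" part in each character.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")
local Workspace = game:GetService("Workspace")

local fireEvent = ReplicatedStorage:WaitForChild("FireWeapon")

-- Tunables for the assumed weapon; values are constructed for this example.
local MAX_RANGE = 300          -- studs the weapon can reach
local MAX_ORIGIN_DRIFT = 8     -- studs the claimed origin may be from the real muzzle
local MIN_DIRECTION_DOT = 0.95 -- cos(~18 deg): hit point must lie close to the fired ray
local MIN_SHOT_INTERVAL = 0.1  -- seconds between shots the server will honour
local DAMAGE = 25

local lastShotAt = {}          -- player -> os.clock() of the last accepted shot

-- Reject NaN and absurd magnitudes before doing any vector math with client input.
local function isFiniteVector(v)
    return typeof(v) == "Vector3"
        and v.X == v.X and v.Y == v.Y and v.Z == v.Z
        and math.abs(v.X) < 1e6 and math.abs(v.Y) < 1e6 and math.abs(v.Z) < 1e6
end

-- Cheap plausibility checks on the client's claim: origin near the gun, direction sane,
-- hit point roughly along the ray and within range, target is another character.
local function claimIsPlausible(player, origin, direction, hitCharacter, hitPosition)
    if not (isFiniteVector(origin) and isFiniteVector(direction) and isFiniteVector(hitPosition)) then
        return false, "bad vector"
    end
    local character = player.Character
    local muzzle = character and character:FindFirstChild("Muzzle", true)
    if not muzzle then
        return false, "no muzzle"
    end
    if (origin - muzzle.Position).Magnitude > MAX_ORIGIN_DRIFT then
        return false, "origin too far from muzzle"
    end
    if direction.Magnitude < 1e-3 then
        return false, "zero direction"
    end
    local toHit = hitPosition - origin
    if toHit.Magnitude > MAX_RANGE then
        return false, "out of range"
    end
    if toHit.Magnitude > 1e-3 and direction.Unit:Dot(toHit.Unit) < MIN_DIRECTION_DOT then
        return false, "hit point off the fired ray"
    end
    if typeof(hitCharacter) ~= "Instance" or not hitCharacter:FindFirstChildOfClass("Humanoid") then
        return false, "target is not a character"
    end
    if hitCharacter == character then
        return false, "self hit"
    end
    return true
end

fireEvent.OnServerEvent:Connect(function(player, origin, direction, hitCharacter, hitPosition)
    -- Rate limit first so the heavier checks never run on a flood of requests.
    local now = os.clock()
    if lastShotAt[player] and now - lastShotAt[player] < MIN_SHOT_INTERVAL then
        return
    end
    lastShotAt[player] = now

    local ok, reason = claimIsPlausible(player, origin, direction, hitCharacter, hitPosition)
    if not ok then
        warn(("Rejected shot from %s: %s"):format(player.Name, reason))
        return
    end

    -- One server raycast from the claimed origin toward the claimed hit point, extended
    -- slightly past it. This is not a ballistics re-simulation; it only rejects shots
    -- whose first obstacle is something other than the claimed target (e.g. a wall).
    local params = RaycastParams.new()
    params.FilterType = Enum.RaycastFilterType.Exclude
    params.FilterDescendantsInstances = { player.Character }
    local toHit = hitPosition - origin
    local result = Workspace:Raycast(origin, toHit.Unit * (toHit.Magnitude + 2), params)
    if not result or not result.Instance:IsDescendantOf(hitCharacter) then
        warn(("Rejected shot from %s: no line of sight to target"):format(player.Name))
        return
    end

    hitCharacter:FindFirstChildOfClass("Humanoid"):TakeDamage(DAMAGE)
end)

Players.PlayerRemoving:Connect(function(player)
    lastShotAt[player] = nil
end)
```

The client never sends a damage amount; it only reports where it fired and what it thinks it hit, and the server decides whether to apply the fixed damage. The thresholds are deliberately loose so that latency and normal movement do not cause false rejections, which is the balance the post above describes.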

Encryption would face the same problems as your “authorization code”. There is no magic solution to this, but you should focus on what is feasible at that moment in gameplay and include the correct validation before processing any request.

Obfuscation should also be avoided, as it can impact performance badly when done incorrectly, and often only for a small complexity increase.

Creating a protocol diagram of how remote event/functions are handled in your game may help.