Securing remotes against replay attacks

Secretum_Flamma · January 25, 2023, 7:28am

Part of my combat system verifies hits by firing a remote from the client with data about the hit. (Where was the client aiming? Where were they facing?) How can I secure this remote against replay attacks? E.g., an exploiter successfully hits their opponent. As the verification remote fires, the exploiter sniffs this remote, and fires it again. Because the remote is identical to a successful hit, it damages their opponent twice.

From what I’ve read, people defend against these attacks by creating a one-time token that prevents the message from being sent again, but I’m not sure how I could implement that in the context of Roblox.

Timestamps wouldn’t work as an exploiter could fire the remote with a different timestamp, with every other argument identical. Tracking each verified hit and preventing that exact same one from being used again wouldn’t work, as it’s possible for two hits to be identical without exploiting.

Any ideas would be great!

dadutchboy3 · January 25, 2023, 7:50am

correct me if im wrong but i dont think thats something you have to worry about. if you use sanity checks and/or a cooldown and the exploiter sends the same data again, it will be invalid and it wont do anything

Secretum_Flamma · January 25, 2023, 8:11am

Thank you! Your reply made me think of an idea, validating input on both the server and the client, making replayed attacks unviable.

My system will show the effects on the client instantly, while the actual validation will be performed on the server.

Let me clarify what I mean by this reply in case anyone runs into the same problem.

My previous system detected hits on the client, then fired a remote with data about this hit to the server, which then performed validation. However, gathering data solely from the client for validation made replay attacks possible. By detecting hits both on the client, and on the server, replay attacks won’t work.

Secretum_Flamma · January 25, 2023, 8:19am

@AsynchronousMatrix, please feel free to add on. (I noticed you typing)

AsynchronousMatrix · January 25, 2023, 8:21am

Aha, here comes my totally mad idea on how to create security & embed it into remotes! While making an exploiters life impossible to deal with!

The Handshake!

In my opinion, every remote system at hand should have a handshake system, be this through the middleware provided by your remote module, or through an obscure method to set a handler for remotes.

The handshake’s goal is to tally up the remote count on both the client and the server, and if either or is outdated or not accounted for, then a third party has started to send remotes on your behalf

The Random!

This is more of a signature system, but essentially on startup when the client first starts, the server will send os.time or something alike to the client, giving them quite a big number.

This numberObject:Next() will then be thrown into the remote request, now you’ll have an obscure way to fetch and retrieve server synced values.

(for reference, numberObject is a Random | Roblox Creator Documentation)

The Common Sense

Protect your remotes as much as you want, but ultimately secure your server! Developer services to catch out bad arguments and what not, if your server isn’t secure, adding a middleman will not be the solution.

AsynchronousMatrix · January 25, 2023, 8:22am

Ah yeah I just wanted to throw down some ideas, feel free to use them or not

Implementation can be really tricky to do though…

Secretum_Flamma · January 25, 2023, 8:25am

Actually, I played with this idea a bit myself! I used a vanilla Lua 5.1 implementation of SHA-512 to hash positions of players on the server. Every time a player moved, I set an attribute to this hash from the server in ReplicatedStorage. By doing this, and requiring the client to send this hash back, I could verify that they actually saw them at that position. They couldn’t fake a position that never replicated onto their client because they wouldn’t know the key that was randomly generated using the server’s GUID.

I removed this as it was straining the server too much, but it’s a fairly foolproof way of forcing the client to only pass info that 100% came from the server.

AsynchronousMatrix · January 25, 2023, 8:28am

You might still be able to do this, but make sure you utilise the parallel programming roblox offers, it would run this in an entire different luau VM so it shouldn’t have an effect on your game.

Though this is quite performant never the less, maybe there’s a SHA-512 equiv you can utilise that is more performant?

You can find the Sha-257 implementation here though, I find this to be performant and might provide the same layer of obscurity:

github.com

datalinkhq/rbx-datalink/blob/development/source/Components/Sha256Component/init.lua

--[[
	Luau-Sha256 - Copyright (C) 2021, Luc Rodriguez (Aliases : Shambi, StyledDev).

	Copyright (C) 2021, Luc Rodriguez (Aliases : Shambi, StyledDev).
	Permission is hereby granted, free of charge, to any person obtaining a copy
	of this software and associated documentation files (the "Software"), to deal
	in the Software without restriction, including without limitation the rights
	to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	copies of the Software, and to permit persons to whom the Software is
	furnished to do so, subject to the following conditions:

	The above copyright notice and this permission notice shall be included in all
	copies or substantial portions of the Software.

	(Original Repository can be found here: https://github.com/Shambi-0/Luau-Sha256)
]]--

local bit32_band = bit32.band
local bit32_rshift = bit32.rshift
local bit32_bxor = bit32.bxor

This file has been truncated. show original

Secretum_Flamma · January 25, 2023, 8:32am

Thanks! Honestly if I were to use this method, I would use a more performant algorithm and use it on something that updated less quickly. SHA-512 is already overkill for passwords, a non-cryptographic hashing algorithm would be more than fine. Probably MD5 or some other fast but relatively secure one.