Server-Sided AntiCheat

How should I go about creating a server-sided anticheat?
I see a lot of people saying "oh it's as simple as if walkspeed > 16 then" but this won't stop an exploiter from hooking their speed value and masking it.
The same could be said for jumppower.
Also there's so manyyyyy velocity-related cheats to cover.

I know a one-size-fits-all is not a thing but is there something close I can do for speed and flight?

2 Likes

I think a pretty simple way to detect any cheating would be to ban (or kick) the player if their velocity is past a certain point where it would obviously be malicious.

This should work pretty well because it shouldn’t matter whether the player is jumping or sprinting or doing anything really fast because they all impact velocity.

TLDR: don’t just monitor walkspeed, don’t just monitor jumppower; instead, be checking the player’s velocity. If it gets too high you’ll know something is up, then you can kick them.

1 Like

I have thought about this, but then you will have exploiters figuring out that threshold, and in some cases Roblox can act goofy and they might reach that threshold by accident. This is also kind of a slacking method because we will never know what they got flagged for, just their velocity.

Exactly, because physics in Roblox can be broken and fling you 834759km, which would obviously kick them, and if you just detect the velocity when they are grounded they could just fly. And then there's ping. Maybe you could only flag them but also check for other things.

1 Like

To be the most secure, set the character’s network owner to the server. They can’t do anything about it.

However, you could see if they jumped about 5 studs in one frame and kick them.

I have not figured this out yet, but you can check the humanoid state type of the humanoid. If it’s Running when they don’t have a FloorMaterial, you can kick them. I’m not sure if humanoid state types replicate, but if they do this won’t work and you will need to use something else.

2 Likes

Here’s a way to detect two common exploits (since other people have answered about speeding/jumping):

For flying you can raycast downwards from the character to see if the character is in the air, and then kick them if they’ve been in the air for a certain amount of time customized to your liking.

For noclipping there’s a humanoid state that gets fired when a player walks through an object called StrafingNoPhysics, you can kick them when this is fired. Make sure to create a whitelist of objects (example gun bullets) that can pass through the character to reduce false-positives.
Example:

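game.Players.PlayerAdded:Connect(function(player)
    player.CharacterAdded:Connect(function(character)
        -- StateChanged passes (oldState, newState); compare against the new state
        character:WaitForChild("Humanoid").StateChanged:Connect(function(_, newState)
            if newState == Enum.HumanoidStateType.StrafingNoPhysics then
                player:Kick()
            end
        end)
    end)
end)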

Overall however I don’t recommend spending too much effort on an anticheat, in the end the exploiters will always find a way around whatever you do. Instead I would make sure to properly secure your game instead so that exploiters cannot break it fundamentally. This would include things like RemoteEvents and datastores.

2 Likes
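
The raycast-based flight check described in the post above, sketched as a server Script. This is an added example, not code from the thread; the constants, the five-ray ground probe and the rule that a falling character is not counted as flying are assumptions.

```lua
-- Server Script (added example; all names and thresholds are assumptions).
local Players = game:GetService("Players")

local MAX_AIR_TIME = 4     -- seconds with no ground below before acting
local CHECK_INTERVAL = 0.5 -- seconds between probes
local FALL_PER_CHECK = 3   -- studs dropped per probe that counts as falling
local DOWN = Vector3.new(0, -8, 0)
-- Several rays, so standing on a ledge edge is not read as "in the air".
local OFFSETS = {
	Vector3.zero, Vector3.new(1, 0, 0), Vector3.new(-1, 0, 0),
	Vector3.new(0, 0, 1), Vector3.new(0, 0, -1),
}

local function groundBelow(root, params)
	for _, offset in ipairs(OFFSETS) do
		if workspace:Raycast(root.Position + offset, DOWN, params) then
			return true
		end
	end
	return false
end

local function watch(player, character)
	local root = character:WaitForChild("HumanoidRootPart")
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { character } -- ignore the character itself

	local airTime, lastY = 0, root.Position.Y
	while task.wait(CHECK_INTERVAL) and character:IsDescendantOf(workspace) do
		local y = root.Position.Y
		-- Use the observed drop in position, not the replicated velocity,
		-- because the client that owns the character controls that value.
		local falling = (lastY - y) > FALL_PER_CHECK
		lastY = y
		if falling or groundBelow(root, params) then
			airTime = 0
		else
			airTime += CHECK_INTERVAL
			if airTime >= MAX_AIR_TIME then
				player:Kick("Airborne too long")
				return
			end
		end
	end
end

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function(character) watch(player, character) end)
end)
```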

There are ways of flying such as messing around with the character’s CFrame that do not change the humanoid state type, to answer your question.

2 Likes

Good idea, except you don't need to raycast; you can use the humanoid properties 'cause it'll be laggy otherwise.

I thought of something else: people can just set their character's CFrame on the client and it will replicate to the server, but the only thing I can think of is checking every frame if their CFrame thingy has fluctuated by a certain amount.

2 Likes

I’m unsure if you saw my second post, but exploiters have ways of flying without invoking humanoid properties. Raycasting is also very unlikely to be laggy; it would not lag at all if you raycasted, say, every 0.5 seconds. The only case where there would potentially be lag is if you raycasted on RunService, and even then it’s unlikely there would be lag.

3 Likes

Avoid doing this. It would reduce the chance for exploiting but what you lose is players having responsive character control. Arguably, being more annoying than having the occasional exploiter in someone’s playing experience.

5 Likes

Yup, that's one of the problems with MainLoop’s solution.

Hmm, I have thought about something like this.

I’m not sure I agree on the “Overall however I don’t recommend spending too much effort on an anticheat, in the end the exploiters will always find a way around whatever you do.”

And also I have seen noclip scripts spoof, or not “spoof” but bypass, “StrafingNoPhysics”.
Also, needing to whitelist all the parts would be a pain in the ass.

Could I possibly raycast every tick and every position the player makes, and if it breaks the raycast that means they no-clipped?

Hmmm.
Is there no responsive server authority?

Server authority is not implemented into Roblox yet. Controls to the client will replicate to the server with a half-second delay.

This is fine if you’re able to somehow “predict” the next move. I haven’t come across an algorithm that works, but it most certainly involves AI.

Perhaps Chickynoid would be of some interest.

game.Players.PlayerAdded:Connect(function(Player) -- omg the player joined
    Player.CharacterAdded:Connect(function(Character) -- omg the player got a character
        local RootPart = Character:WaitForChild("HumanoidRootPart") -- wait until the root part exists
        local Humanoid = Character:WaitForChild("Humanoid")
        while Character.Parent do -- a loop that stops once the character is removed
            local OldPosition = RootPart.Position * Vector3.new(1, 0, 1) -- storing the old position (Y ignored)
            task.wait(1) -- waiting a second
            local NewPosition = RootPart.Position * Vector3.new(1, 0, 1) -- getting the new position
            local ActualSpeed = (OldPosition - NewPosition).Magnitude -- getting the player speed (studs moved in one second)
            print(ActualSpeed) -- you can remove this if you want
            if ActualSpeed > (Humanoid.WalkSpeed + 5) then -- checking the speed the player got; the +5 gives a lower chance of funny false kicks
                Player:Kick("Sussy WalkSpeed") -- kicking the exploiter if he got caught
                break -- the player is gone, stop checking
            end
        end
    end)
end)

Take this for free.
Edit: the explanation of this is:
it checks the speed of the player by checking the distance between two points. If it's more than the speed of the player by 5 studs, then the player will be kicked for speed exploits.
I'm too lazy to say how this works, but to make it short: you check the distance between the old position and the new position. If the distance between them is more than the player’s walkspeed on the server by 5, then it should be an exploiter, because on the client it will be something else.

omg another edit: it might falsely kick players that got teleported by a portal, so put in a bool value and make it true or false depending on whether the player was being teleported by portals.
Also, it might be good for removing fly exploits if they use some high-speed flying.
You can also detect if they used a fly exploit directly when they use it, but it will be client-sided, and it checks whether the HumanoidRootPart got a BodyVelocity (which is what makes them fly).
You can check if it got a BodyVelocity by doing:

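-- LocalScript: LocalPlayer only exists on the client
game.Players.LocalPlayer.CharacterAdded:Connect(function(Character)
    -- wait for the root part, it may not exist yet when CharacterAdded fires
    Character:WaitForChild("HumanoidRootPart").ChildAdded:Connect(function(Child)
        if Child:IsA("BodyVelocity") then -- I'm not sure if I wrote BodyVelocity right because I'm bad at English smh
            -- the punishment you want
        end
    end)
end)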

But you don't need that, because exploiters can just use a funny thing, which is an anti-kick that will break everything.

Hacking is a lot of work, it’s not usually worth it when the payout is too small. Skids especially are going to go hack a different game if their hacks aren’t having enough effect.

Set the threshold somewhat high and be lenient. Ignore verticality for the speed checks, have a separate check for the Y axis. That way falling, jumping, and walking up inclines won’t trigger it. Then add an internal ‘strikes’ system that is more lenient closer to the threshold and somewhat more strict when it catches someone moving much faster. Possibly make it more lenient when ping is high, or increase the step so that checks cover multiple seconds of movement to minimize the effect of stuttering.

1 Like

Kicking after the first detection is a bad idea; it's way better to teleport the player back and set his char network ownership to nil for a second. There will be TONS of false positives caused by ping and other stuff such as the character getting flung.

2 Likes
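
The two posts above (horizontal-only speed checks with a strike budget, and moving the player back under brief server ownership instead of kicking), combined into one server Script. This is an added example, not code from the thread; every constant, the strike weights and the ping scaling are assumptions to tune per game.

```lua
-- Server Script (added example; all names and thresholds are assumptions).
local Players = game:GetService("Players")
local STEP = 1        -- seconds of movement covered by each sample
local SLACK = 1.3     -- tolerated multiple of WalkSpeed before a sample counts
local MAX_STRIKES = 6 -- strike budget before the player is moved back
local MAX_RISE = 25   -- studs gained on Y per sample; falling is never counted

local function strikesFor(ratio) -- ratio = observed / allowed horizontal distance
	if ratio <= 1 then return 0 end
	if ratio < 1.5 then return 1 end -- just over the threshold: lenient
	if ratio < 3 then return 2 end
	return 4                         -- far over the threshold: strict
end

local function moveBack(player, root, lastGood)
	root:SetNetworkOwner(nil)        -- server simulates the character for a moment
	root.CFrame = lastGood
	root.AssemblyLinearVelocity = Vector3.zero
	task.delay(1, function()
		if player.Parent and root:IsDescendantOf(workspace) then
			root:SetNetworkOwner(player) -- hand control back to the client
		end
	end)
end

local function monitor(player, character)
	local root = character:WaitForChild("HumanoidRootPart")
	local humanoid = character:WaitForChild("Humanoid")
	local strikes, lastPos, lastGood = 0, root.Position, root.CFrame
	while task.wait(STEP) and character:IsDescendantOf(workspace) do
		local delta = root.Position - lastPos
		local horizontal = Vector3.new(delta.X, 0, delta.Z).Magnitude
		-- High ping delivers movement in bursts, so widen the allowance with latency.
		local allowed = math.max(humanoid.WalkSpeed, 1) * STEP * SLACK
			* (1 + 2 * player:GetNetworkPing())
		local added = strikesFor(horizontal / allowed) + (delta.Y > MAX_RISE and 2 or 0)
		if added == 0 then
			strikes, lastGood = math.max(strikes - 1, 0), root.CFrame -- clean samples decay strikes
		else
			strikes += added
		end
		if strikes >= MAX_STRIKES then
			moveBack(player, root, lastGood)
			strikes = 0
		end
		lastPos = root.Position
	end
end

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function(character) monitor(player, character) end)
end)
```

Legitimate teleports (portals, respawns) need to reset `lastPos` and `lastGood`, otherwise they are scored as a single very fast move.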

This was the first punishment I got in my braincells instead of sending them back to the old position, but what does moving network ownership do?