Sprinting with Filtering Enabled

As far as I know/knew, when you had filtering enabled turned on, changes that happened locally on the client wouldn’t be able to replicate to the server. So the expected behavior of changing the walk speed of a humanoid to that of a more appropriate sprinting/running speed should cause the player to rubber band back, as the local player is in a position the server shouldn’t expect them to be at, thus setting their position back to the original.

But this isn’t the case. Changing a humanoid’s walk speed in a local script seemingly replicates this to the server. Wouldn’t this let exploiters use speed hacks to move fast throughout a game, say a racing game? Does anyone know if this is intentional behavior? And are there any methods or ways to prevent cheating by speed hacks?

2 Likes

When you change the humanoid’s walkspeed on the client, it doesn’t exactly replicate everything to the server. Only the position of the character replicates. If you check the humanoid’s walkspeed on the server, it’ll still say it’s at whatever it was before you set it on the client. The player’s character is controlled by the client, which means they’ll be able to appear as if they set their walkspeed on the server. Another example of this is if you set NetworkOwnership of a part to a player, that player will be able to control where that part is for everyone.

There really isn’t any way to detect this well because if you try to detect it on the client, that’ll work if they change the property of the humanoid. But exploiters will always be able to destroy/disable this script, or simply make it return a fake value which would not get detected for exploiting. If you go about this on the server, you can check the distance from their last position to their current position. If it’s over a certain distance, they’ll get the punishment. There are mainly 2 bad things about this. One is that if the client has high ping, they can get kicked. You can “rubber band” back the player if you would like. Another bad thing about this is that it will take up a lot of the server’s activity, since you’ll have to be constantly checking.

TL;DR
Yes, this is the expected movement. And no, there are no decent ways to prevent exploiters from speed hacks.

12 Likes

Hackers are like local scripts, they have access to do all the stuff that a local script could. My best suggestion is to make a local script that tracks that, and make a script that will name that script something random. If possible, make another script that tracks that script and when it gets removed or disabled, it either clones it or sends a message to the server to kick/ban the user. The disadvantage of that is if the script gets removed from another local script, not a hacker, then the user will be falsely banned/kicked. Another disadvantage is if the hacker recognizes the script that handles the removal, they can disable/delete that one and take care of the other one.

I think that the only way possible is @W_intry’s way because it is very hard to breach, even though it is a bit complicated. This could only be possible if there was a way to access clients (like PlayerGui) from the server side. If that was possible, you could then program it so it runs from the server and if that script is disabled/deleted, it gets cloned. But sadly, that is not available to us.

I will have to go with @W_intry’s way because it is the only secure way to do it.

2 Likes

Most of the time that works, but exploiters with past experience can easily detect your script and disable it completely. And by no means am I saying not to do local checks, but also do server checks.

2 Likes

Like W_intry said, checking distance over time from the server is the ideal way to go about it. The integration of this is going to depend on the game in question.
I separate instantaneous speeds into three categories:

  1. Speeds that are possible through normal play and without lag. No punishment.
  2. Speeds that could arise through high ping, but are also unreasonably fast. Rubber-band the player back to their last observed position.
  3. Speeds that wouldn’t be possible even with high ping. Kill the player.

I can’t think of any speeds that wouldn’t be possible with high enough ping, so you should probably always be rubber banding them.
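The server-side check described in this thread (distance from the last observed position over time, with a rubber band instead of a kick), as an added example that is not code from any poster. The interval, the tolerance multiplier and all names are assumptions to tune per game:

```lua
-- Server Script, e.g. under ServerScriptService (added example).
local Players = game:GetService("Players")

-- Assumed tuning values; pick them per game.
local CHECK_INTERVAL = 0.5 -- seconds between samples
local TOLERANCE = 1.5      -- slack over WalkSpeed for latency and jitter
local lastSeen = {}        -- [Player] = { character, position, time }

local function flat(v)
	-- Ignore the Y axis so falling or jumping is not counted as speed.
	return Vector3.new(v.X, 0, v.Z)
end

local function check(player, now)
	local character = player.Character
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not (humanoid and root) or humanoid.Health <= 0 then
		lastSeen[player] = nil -- no baseline while dead or respawning
		return
	end

	local prev = lastSeen[player]
	if prev and prev.character == character then
		local dt = now - prev.time
		local speed = (flat(root.Position) - flat(prev.position)).Magnitude / dt
		-- The server's WalkSpeed is the trusted value: client-side edits to
		-- the property do not replicate, only the resulting position does.
		if speed > humanoid.WalkSpeed * TOLERANCE then
			-- Rubber band to the last accepted position, keeping orientation.
			root.CFrame = CFrame.new(prev.position) * root.CFrame.Rotation
			lastSeen[player] = { character = character, position = prev.position, time = now }
			return
		end
	end
	lastSeen[player] = { character = character, position = root.Position, time = now }
end

Players.PlayerRemoving:Connect(function(player)
	lastSeen[player] = nil
end)

while true do
	local now = os.clock()
	for _, player in ipairs(Players:GetPlayers()) do
		check(player, now)
	end
	task.wait(CHECK_INTERVAL)
end
```

Any teleport the game itself performs should clear `lastSeen[player]` first, otherwise the next sample is treated as excess speed. Vehicles, seats or other server-approved speed boosts need their own allowance on top of `WalkSpeed`.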

Thanks for all the responses :smiley: I actually went to sleep shortly after posting this so that’s how come it took me so long.

Yeah, that is why it is difficult to actually make a strong script. I just woke up today and I thought of an idea that might work if you wanted to use local scripts. I haven’t tried it yet but I bet it could work. My idea was to have:

  1. One Local Script that detects if Humanoid.WalkSpeed has been changed.
  2. One Local Script that detects if script 1 has been disabled or deleted.
  3. One Local Script that is a clone of script 2.

Also, script 2 and 3 will be responsible for each other, meaning that if script 2 gets disabled/deleted, script 3 will clone/enable it or will fire the server to kick the player. The same goes for script 2. If script 3 gets disabled/deleted, script 2 will clone/enable it or will fire the server to kick the player. This could work as both scripts can repair each other and even if a hacker used a `for i, v in pairs(game.Players.LocalPlayer.PlayerGui:GetChildren()) do` and deleted the scripts that way, once one would be deleted/disabled, the other one would fire immediately before it gets deleted/disabled and if it then got deleted, the one that was just cloned would clone it again. This could work as it is impossible for a hacker to delete two scripts at the same time (or at least that is what I think). If both scripts are not deleted at the same time, not a millisecond later, then it would work.

I can guess that this idea could be laggy and I have not tried it yet, but I do not think it can be as laggy unless someone makes it run. Actually, I do not think it will be laggy at all, or just a little lag. Also, script 2 and 3 both can clone script 1. This idea could work as it is pretty much a chain that if you break, it will repair itself. That is my idea that could work, and if a player is lagging, it would not falsely punish him/her.

3 Likes