Using botted places to DDoS websites

Some time ago I discovered that Roblox servers are used to perform DDoS attacks on certain websites. I noticed it because my server got thousands of requests from Roblox itself. People use bots to make a lot of accounts to upload a game with a script which spams a certain website. They keep the empty server up by using a join request payload.



fyxrkunvk8d's Place - Roblox (one game example; after joining it, you may preview the website which is being attacked. What a fancy UI :slight_smile: )


It should probably be investigated, since it’s a major abuse of Roblox HTTP request resources and probably violates the law by using Roblox’s IP addresses.

(Sorry for posting it in #platform-feedback:engine-bugs if it’s an improper place. Couldn’t find a better one though.)

16 Likes

I believe someone did a similar attack like this before and it’s nothing unique. If anyone is experiencing this, the best thing that you can do is just block IPs that send the “Roblox-Id” header or, if you have Cloudflare, just turn on “Under attack mode”.

The real issue is that when Roblox creates a server, it doesn’t wait for a player to connect before allowing HTTP requests to be sent. Since it’s just a simple request to Roblox to request a server to be created, it’s easily abusable.

It’s a major abuse of Roblox’s resources which doesn’t seem to be legal at all. Even if it waits for a connection, people may still use bots to connect.

The project seems to be a prototype. Imagine what happens if it becomes larger. It could easily take a gov site down in that phase.

Sure I can, but non-Roblox websites won’t even know how Roblox’s requests work.

1 Like

This type of thing has been around for ages (Summer 2018). It looks like their whole system is not even efficient at all; they update the place EVERY TIME they want to “attack” somewhere else. I’m sure Roblox is aware and is working on a fix. I’m not trying to downplay the issue though, I’m just providing my thoughts and what information I know about it.

1 Like

This is definitely an issue, but I’m not really sure what Roblox can do about it. For all they know, you could legitimately want to send that many requests to your own server. The legal route is probably your best option here.

As a side note, you might want to blur out the name of the site that they’re DDOSing, as this is a public section and that site breaks TOS (Robux giveaways).

3 Likes

DDoSing is actually heavily illegal in the United States, which is where Roblox is based. In the US, someone that does a DDoS attack can face up to ten years in prison and/or up to $500,000 USD in fines for violating the Federal Computer Fraud and Abuse Act.

2 Likes

I wouldn’t agree with your words. They don’t have to update the place every time they want to attack. The attacked URL changes every so often, and the last update date is [image].

And now someone’s abusing Roblox IPs to perform such attacks. This is not acceptable.

That was probably from the last time they changed it.

Their current attack isn’t even doing anything which is just a big yikes.

Fair point! Thanks for noting it. Fixed.

1 Like

I haven’t seen this kind of attack before. Kind of surprising Roblox servers can be kept alive long enough with just a join request.
Anyhow, I guess mitigating it should be as simple as creating a firewall rule which rejects all requests from the RobloxGameCloud user agent in your Cloudflare settings (unless your Roblox game relies on making requests to your website).
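The filtering rule suggested in the thread, written out as a small request filter (an added example, not code from the thread or from Roblox). It blocks requests that identify themselves as Roblox game servers via the "Roblox-Id" header or the RobloxGameCloud user agent, except on paths your own game legitimately calls, and tallies blocked requests per Roblox-Id so the abusive place can be identified. The exact header and user-agent strings are taken from this thread and are assumed to be what Roblox sends; the sample traffic is constructed.

```python
from collections import Counter
from dataclasses import dataclass

ROBLOX_UA_MARKER = "RobloxGameCloud"   # user-agent substring named in the thread (assumed exact)
ROBLOX_ID_HEADER = "roblox-id"         # request header named in the thread (assumed name)


@dataclass
class Request:
    path: str
    headers: dict  # header name -> value, any capitalisation


def is_roblox_game_server(req: Request) -> bool:
    """True if the request carries either Roblox server marker."""
    h = {k.lower(): v for k, v in req.headers.items()}
    return ROBLOX_ID_HEADER in h or ROBLOX_UA_MARKER in h.get("user-agent", "")


def decide(req: Request, allowed_prefixes=()) -> str:
    """Return 'allow' or 'block'. Roblox traffic is blocked unless the path is
    under a prefix your own game is expected to call (the caveat in the thread)."""
    if not is_roblox_game_server(req):
        return "allow"
    if any(req.path.startswith(p) for p in allowed_prefixes):
        return "allow"
    return "block"


def summarize(requests, allowed_prefixes=("/api/game/",)):
    """Apply the rule to a batch and count blocks per Roblox-Id (or 'unknown')."""
    verdicts = Counter()
    blocked_by_place = Counter()
    for r in requests:
        v = decide(r, allowed_prefixes)
        verdicts[v] += 1
        if v == "block":
            h = {k.lower(): val for k, val in r.headers.items()}
            blocked_by_place[h.get(ROBLOX_ID_HEADER, "unknown")] += 1
    return dict(verdicts), dict(blocked_by_place)


# Constructed sample traffic: two flood requests from one place, one legitimate
# game call to an allowed endpoint, one ordinary browser visit.
SAMPLE = [
    Request("/", {"User-Agent": "RobloxGameCloud/1.0", "Roblox-Id": "111"}),
    Request("/?x=1", {"user-agent": "RobloxGameCloud/1.0", "roblox-id": "111"}),
    Request("/api/game/leaderboard", {"User-Agent": "RobloxGameCloud/1.0", "Roblox-Id": "222"}),
    Request("/", {"User-Agent": "Mozilla/5.0"}),
]
```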

You should blur it in the CF request details too.

I agree this is a solution. I mainly want to note that it might use Roblox IPs to attack ANY website, not only Roblox communities.