When should I ban a player from my game?

I’m trying to make my own game, and recently, I’ve stumbled across a very important topic:
Securing your game from exploiters by doing Sanity Checks on the server.

And this raised a question: If a Sanity Check fails, should I do something about it or just ignore it?

I’m not saying that about all sanity checks that can be made, because I know that in some cases, Sanity Checks can give false positives. But I think that there are some cases where, if a sanity check fails, it would be impossible to give false positives, and in this case, should I do something about it?

For example: I have a Sanity Check that checks if the value given by the client is not a NaN value, and if it is, I just return from the function. But in this case, I don’t think that the player can pass a NaN value if not using exploits to send their own values.

Should I do something about it? Because I think that adding these types of things (such as banning the player) would be good to prevent them from trying to exploit in other areas of the game, but it would be less efficient to add ban statements every time that I know (or at least think) that only an exploiter can send said values.

Also, if I manage to make my game secure enough, exploiters would play my game without interfering in other players’ gameplay, and in this case I would lose players by banning them.

That said, what should I do about it? What are common practices that developers usually follow to deal with situations like that? Is there any occasion where I definitely should ban a player?

1 Like

I wouldn’t use this as a sufficient indicator that the player is exploiting. If the server receives a NaN value, it could be due to a client-sided bug that the player can’t control or unintentionally causes. If that’s the case, unless you keep track of bans with very specific reasons, it will be hard to revert them without unbanning correctly banned players.

Another example would be flinging. Exploiters can fling other players high in the sky; if you implement a script that immediately bans those players due to their height, it would produce false positives. Not to mention, if the map fails to load and the player falls down into the void, it could be interpreted as no-clipping.

With that being said, do not rely on such sensitive checks to decide whether or not a player should be banned. If you really want to, you can kick them instead.

You should be cautious with automatic bans as your anticheat can produce false positives. You could automatically ban a player when you detect very evident and quick changes in data that can’t be altered by other clients.

2 Likes

But does this apply to all cases? I know that when related to Physics it’s not ideal, but let’s give another example. Protecting your remotes. If from the Client I pass the Character of the player for whatever reason, and then I check on the server if the Character passed is the same as the Character of the player that fired said remote. Besides the character being nil, I don’t see why this check could give a false positive if not by an exploiter trying to send bad data to the server. In this case should I do nothing?
I know that it would be better to just get the character from the server, and not rely on the one sent by the client, but this was just an example that I thought of right now.

That would be fine as long as you are sure you don’t make scripting errors that will result in the client sending incorrect data.

2 Likes
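The approach discussed in the replies above (drop the bad request, record a specific reason, kick rather than ban), shown as an added example that is not code from any poster in this thread. The RemoteEvent name `ExampleRemote`, the argument order and the threshold of 3 are assumptions.

```lua
-- Added example for a server Script; "ExampleRemote" is a hypothetical RemoteEvent.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local remote = ReplicatedStorage:WaitForChild("ExampleRemote")
local KICK_THRESHOLD = 3 -- assumed value: counted failures per session before a kick
local failures = {}      -- [Player] = { {reason = string, at = number}, ... }

-- Returns nil when the arguments pass; otherwise a specific reason string
-- and whether the failure should count against the player.
local function validate(player, character, amount)
	if player.Character == nil then
		return "no_character", false -- benign (e.g. respawning): drop, do not count
	end
	if typeof(amount) ~= "number" then
		return "amount_not_number", true
	end
	if amount ~= amount then -- NaN is the only value not equal to itself
		return "amount_nan", true
	end
	if math.abs(amount) == math.huge then
		return "amount_infinite", true
	end
	if character ~= player.Character then
		return "character_mismatch", true
	end
	return nil, false
end

local function recordFailure(player, reason)
	local list = failures[player] or {}
	failures[player] = list
	table.insert(list, { reason = reason, at = os.time() })
	-- A specific reason per failure makes later review of false positives possible.
	warn(string.format("[sanity] %s (%d): %s", player.Name, player.UserId, reason))
	if #list >= KICK_THRESHOLD then
		player:Kick("Unexpected data received from your client.")
	end
end

remote.OnServerEvent:Connect(function(player, character, amount)
	local reason, counted = validate(player, character, amount)
	if reason then
		if counted then recordFailure(player, reason) end
		return -- always drop the request, whatever happens to the player
	end
	-- the validated request is handled here by the game's own logic
end)

Players.PlayerRemoving:Connect(function(player)
	failures[player] = nil -- counts are session-scoped, so a client bug cannot accumulate into a ban
end)
```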

Understood. Thanks for helping!

Give them some Warn from cmds as a warning; for example, if you already have 3 warns, then the person will be banned from the game.

1 Like

Could work, but idk if it would work if the player knows when he’s going to be banned; in this case they could simply leave the game and rejoin in a new server. Ik that you could save how many warnings they have, but it’s dangerous if some false positives happen in other sessions, and then he suddenly gets banned for nothing. I think I’ll stick with the solution that iKing gave, and probably some safe checks when the player joins, like seeing if the account is at least 14 days old, smt like that.

1 Like
