Why is it not more common to implement anti-cheat on the server instead of the client? Is that not more secure? Couldn't the server just check what vision a player should have and not provide any other information to prevent wallhacks or maphacks? Or check how fast it is possible to move to prevent speedhacks? Aimbot is a bit harder to detect I guess but what about the other ones?

[-] Endorkend@kbin.social 56 points 1 year ago

Doing anti cheat on the server can only check for symptoms of cheating.

Doing anti cheat on the client can check for tools, attack vectors and the actual method of cheating.

[-] LordOfTheChia@lemmy.world 11 points 1 year ago

Also, server side anti-cheat computation costs the gaming company money.

Though you'd think some forms of cheating would be computationally inexpensive to detect, like teleporting and such.

[-] redcalcium@lemmy.institute 37 points 1 year ago

Every time you double your servers' cpu usage, you'll double your server cost as well. If it were cheap I bet more companies would actually consider doing this.

The ultimate server-side anti cheat would be running the online game like Stadia where the players basically stream the game, which is very expensive to run today but might be the norm in the far future.

[-] Heavybell@lemmy.world 18 points 1 year ago

God what a dystopian future. But you may be right, even for single player games.

[-] EvolvedTurtle@lemmy.world 22 points 1 year ago

Anti cheat for single player games is a silly concept that game companies are way too eager for

[-] OrderedChaos@lemmy.world 6 points 1 year ago* (last edited 1 year ago)

Ah yes. So frustrating how Nintendo keeps patching all the fun hacks/glitches in Tears of the Kingdom.

[-] EvolvedTurtle@lemmy.world 3 points 1 year ago

I tried to set up Minecraft anti x-ray once. And yeah, it bogged down the server so hard.

[-] SnotFlickerman@lemmy.blahaj.zone 33 points 1 year ago

Couldn’t the server just check what vision a player should have and not provide any other information to prevent wallhacks or maphacks?

Definitely not how that works. The server has no idea how to tell how the GPU on the client-side is rendering anything. The server is just doing server things, which definitely doesn't include data on the "vision" of each player. There's a lot less data being transferred than you assume here.

All of these are way easier to detect client-side, because client-side you can actually check the code that is running.

A server that checked all the code that is running would be a very, very slow game. Like imagine a chess game where it took five minutes for a move to register after making a move. Servers focus mostly on "player state" like, where are they, what direction are they looking, what direction are they moving, what buttons they are pressing, and a lot less on checking the code of the remote player. Once again, because checking literally every player's code remotely would slow everything way the fuck down.

[-] JeffKerman1999@sopuli.xyz 13 points 1 year ago

I remember a long time ago it was on the server side that the hits were registered not on the client side. It had a funny feeling because you would have to shoot where the target was going towards instead of shooting where the target was. And that was done with 24 players in a server

[-] boletus@sh.itjust.works 5 points 1 year ago

This is still the case for most games. Games have just gotten better lag compensation methods.

[-] TootSweet@lemmy.world 23 points 1 year ago* (last edited 1 year ago)

A lot of people in this thread are probably going to explain to you all the reasons why it's necessary to do anti-cheat on the client.

And they'll be correct that it's not really reasonable to expect a system where data is sent to the client only when it's needed to render (in order to prevent things like x-ray vision and such) to be performant. (At least not in the most common and general case today, but more on that later in the comment here.)

All that said, I very much believe that a lot of folks don't sufficiently consider alternatives to client-side anti-cheating rootkits.

And this is all going to be a hot take, so strap in.

First off, an option that I've heard of is to require the client to send not just data like "my avatar moved to location X,Y,Z and has this velocity in this direction and etc etc etc" but also exact, specific keyboard and mouse inputs with timestamps. Then the server can a) validate that the given inputs at exactly the reported times produce the same location and velocity (this may involve running a copy of some portion of the client code on the server) and b) do better heuristic analysis on the inputs to detect things like aimbots more accurately. That would take more CPU on the server side, but it would go a long way toward making client-side anti-cheat rootkits less necessary.

But aside from that if a tabletop boardgame brought out the worst folks who played it and made it easy to cheat to the point that the game had a bad reputation, that would reflect poorly on the game designers' ability to create fun games with mechanics that ensure everyone has fun, right?

So I have to wonder when a video game has either rampant problems with cheating or a draconian rootkit to lock down the client's whole computer, how is it that people don't ever consider that the video game designers should have put more thought into how to change the mechanics, incentives, or other design aspects of the game to avoid those issues.

A quick anecdote. There's an open source Minecraft clone called "Minetest". A handful of years ago, the developers announced they were adding client-side scripting to it. A lot of the players lost their absolute shit. "How can you encourage cheating like this?" And the developers were like "a) there are already scriptable clients in the wild modified by third parties so us not adding this feature won't solve anything and b) things like x-ray vision are better solved on the server by, for instance, not telling the client which nodes are ore nodes until one face of the node is exposed - there's already server-side scripting that can be used to do that." Unfortunately the very vocal anti-client-scripting crowd won that argument just by being really loud and pitching hissy fits and the client-side scripting the developers added ended up pretty useless. (And keep in mind this even keeps single-player games from accessing the features offered by the client-side scripting effort.) And again, scriptable clients already existed in the wild.

Now, it's really hard to come up with game design principles that would deincentivise all cheating in all genres of games. But just a few ideas:

  • What if there was an FPS that just gave every player x-ray vision to level the playing field for everyone?
  • What if you made scripting the client to make grinding or aim bots a feature rather than trying to prevent that, but required that all bots play only on bot-allowed servers? Even if that couldn't be perfectly enforced, I'd guess it would reduce the incentive to try to play unfairly with client scripting. (Plus if there's a built-in client scripting system that reports what it's doing, or for some architectural reason has to report what it's doing to the server, it's probably going to deincentivise hacked clients.)
  • Not all game designs can get away with not sending data to the client until the client needs to render it to avoid x-ray hacks, but you could certainly design a (fun) game that did allow for some version of something close to that. A team v. team FPS game where the entire map is divided in half with a big opaque wall that disappears two minutes into the match, whereafter everyone basically has line of sight to everyone else for the rest of the match. You could not send player location data for the other team's players until the wall disappeared.
  • Make the games player vs NPCs rather than players vs players and predefine the NPCs' paths.
  • I mentioned the Minetest "don't tell the client which blocks are ore until a face is exposed" thing above.
  • Maybe player rating systems? To where if a player is obviously cheating, other players can give that player a 1-star review. Enough of those and they get put on the naughty players' server.

(I'd list some more ideas here but it's 2:00am and I really should sleep. Lol. Maybe I'll see if I can come up with more tomorrow.)

Aside from that, I'll say that, for all the talk about how server-side anti-cheat can't really work well, I'd have to submit that... client-side anti-cheat doesn't really work that well either. Folks regularly find ways around it. And there are companies out there that make anti-cheat software that have started to tip their hand about how much it doesn't/can't work by partially giving up on making bulletproof client-side anti-cheat that works (because that's not that feasible), but by bringing lawsuits against people who break their client-side anti-cheat. (It's the same trick they pulled with DRM, at least in the U.S.. It's not really possible to make DRM secure against the user who has physical access to the machine on which the DRM scheme is being executed, so instead of making DRM that works, they made laws to criminalize the breaking of DRM.)

All in all, I wouldn't personally play any game that required a rootkit. Don't care how fun it is. That's just straight up a deal breaker for me. It's my computer, dammit!

(And, even if the client-side anti-cheat wasn't a rootkit per se, I still wouldn't use anything that required any client-side anti-cheat.)
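The Minetest idea from the comment above (the server does not tell the client which nodes are ore until a face is exposed), sketched as an added example that is not from the thread or from Minetest's code. The node names, the dictionary-based world and the functions `client_view` and `dig` are assumptions made for illustration.

```python
# Added example: server-side masking of buried ore in a voxel world.
AIR, STONE, ORE = "air", "stone", "ore"

# Offsets of the six face-adjacent neighbours of a node.
NEIGHBOURS = [(1, 0, 0), (-1, 0, 0), (0, 1, 0),
              (0, -1, 0), (0, 0, 1), (0, 0, -1)]


def is_exposed(world, pos):
    """True if at least one face of the node touches air."""
    x, y, z = pos
    for dx, dy, dz in NEIGHBOURS:
        # Assumption: nodes outside the loaded area count as solid,
        # so ore at the edge of the map is not leaked.
        if world.get((x + dx, y + dy, z + dz), STONE) == AIR:
            return True
    return False


def client_view(world):
    """Node map the server is willing to send to a client."""
    view = {}
    for pos, node in world.items():
        if node == ORE and not is_exposed(world, pos):
            view[pos] = STONE  # buried ore looks like plain stone
        else:
            view[pos] = node
    return view


def dig(world, pos):
    """Remove a node; return the node updates the client must receive."""
    world[pos] = AIR
    updates = {pos: AIR}
    x, y, z = pos
    for dx, dy, dz in NEIGHBOURS:
        n = (x + dx, y + dy, z + dz)
        if world.get(n) == ORE:
            updates[n] = ORE  # ore next to the new hole is revealed now
    return updates


def build_sample_world():
    """Constructed sample: 3x3 column of stone, 3 deep, with air on top."""
    world = {}
    for x in range(3):
        for y in range(3):
            for z in range(4):
                world[(x, y, z)] = AIR if z == 3 else STONE
    world[(1, 1, 2)] = ORE  # surface ore, top face touches air
    world[(1, 1, 0)] = ORE  # buried ore
    return world


if __name__ == "__main__":
    w = build_sample_world()
    print(client_view(w)[(1, 1, 0)])   # masked while buried
    print(dig(w, (1, 1, 1)))           # digging next to it reveals it
```

An x-ray client that only sees `client_view` has nothing to highlight until the player has actually dug next to the ore; the cost is the per-node neighbour check on every chunk send and every dig.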

[-] Kolanaki@yiffit.net 12 points 1 year ago

What if there was an FPS that just gave every player x-ray vision to level the playing field for everyone?

This actually exists. Blacklight Retribution. It kinda sucks.

[-] ZILtoid1991@kbin.social 3 points 1 year ago

It used to be cool, but then they added pay to win elements, because of course.

[-] Alto@kbin.social 3 points 1 year ago

I'll forever maintain it used to be one of the best f2p fps games in history. Yeah you had to grind a lot to get new stuff, but pretty much everything considered meta was unlocked pretty early. The wall hack mechanic was just so well done, especially combined with just how much you could tweak everything.

I miss it.

[-] FuglyDuck@lemmy.world 8 points 1 year ago* (last edited 1 year ago)

Maybe player rating systems? To where if a player is obviously cheating, other players can give that player a 1-star review. Enough of those and they get put on the naughty players' server.

Because that’s not incredibly easy to exploit. And even if it’s not intentionally malicious reporting… there’s idiots who seem to think them losing means the other cheated.

I’m reminded of my time in WoW- vanilla wow when T-0.5 was still the best gear you could reasonably get. Anyhow, this fully geared T0.5, l60 warrior tried to gank my greens-and-blues geared l58 mage.

He waited until I was drinking, for that free crit. I was OOM, cuz I was ape grinding mobs.

I killed him using r1 frost bolt, frost nova and my wand. (Warriors at the time had zero ability to reliably gap close against any kind of mage.) Eventually he tried to run. He got butthurt from all the frost bolts I rammed up his ass.

Decided there’s no way a level 58 should be able to kill a 60. Now. Here’s the thing I’m very much “red is dead” in games with pvp. So of course I camped his ass. One, it was basically free HKs, two, he tried to gank a lower level, three he tried to gank an OOM mage. And four? Did I mention the free HKs?

In any case of course I got reported for haxxors. GM was like “dude are you camping him” I’m like “he started it… he could always get a friend.”

(He did. An equally terrible hunter. It was almost adorable.)

[-] r00ty@kbin.life 5 points 1 year ago

Back in the day (CS1.5/CS1.6) there was a server addon called HLGuard. Where it did some basic checks to see if you should know about another player and not send info unless you need it.

But, it wasn't perfect, and you'd still get an advantage from wallhack and of course it cannot stop aimbot. You could perhaps "detect" likely aimbot though. But it did limit the power of wallhack.

I actually tested it (of course on my own server with a friend who knew I was doing it). What it seemed to do was make sure you only really saw a player when they were very close to a wall where they'd become visible. But of course, close up things like needing to hear audio cues meant you'd often see them through walls anyway.

Also I never measured it, but it must have taken a fair bit of CPU to make all these determinations for every player on every tick.

For modern MMOs etc, they are usually VERY client authoritative because they're handling thousands of players at once and really want to spend as little CPU time on each as possible. So, they will likely want anything they have to be client side.

[-] jet@hackertalks.com 14 points 1 year ago* (last edited 1 year ago)

It's an interesting problem. If you render everything server side and just deliver a video stream to the client, like a GeForce Now-only tournament, that eliminates a lot of cheating vectors.

The issue then becomes ensuring you have equal latency to all the players. So no one person has an advantage. But you could add artificial latency in that circumstance.

There's no getting away from the fact that in a distributed network, ordering of events and ensuring simultaneousness is difficult. Peeker's advantage is a real thing.

Server side rendering and streaming, advantages: people only see what they're supposed to see, the server has perfect registration of all activity.

Disadvantages: more latency for everyone, AI auto aiming is still an issue. Requires excellent networking for everyone

[-] idunnololz@lemmy.world 2 points 1 year ago

One other downside. Server rendering is much more expensive.

[-] jet@hackertalks.com 0 points 1 year ago* (last edited 1 year ago)

Not really that expensive. With server rendering the GPUs can be constantly utilized for different clients or different activities. You only pay per minute of usage. GeForce Now is I think $5 a month, which is not much. If you pay AWS for their ephemeral tier, it's 5 to 10 cents per hour depending on the GPU you want.

When they're not being used for gaming, those GPUs could be used for AI training, model generation, a whole host of things. A GPU in your house probably isn't used 24/7, so that hardware is not being efficiently amortized over a large scale of activity.

[-] idunnololz@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

Adding at least $5 a month to a game subscription is expensive considering a lot of them are $10-15/mo. Note that this isn't just GPU expensive. You also need to calculate game logic on the server too which can also drive up CPU and RAM expenses. This is not to mention that a lot of popular online games are freemium and will stand to lose a lot of players if they start charging a subscription.

Another way to word it is that the freemium model is incompatible with server side rendering.

[-] Nemo@midwest.social 12 points 1 year ago

Because the client side is the side where cheating happens.

[-] zephr_c@lemm.ee 8 points 1 year ago

Sure, but client side is also owned and run by the cheater. Do you really trust them to always run the anti-cheat honestly?

[-] Chozo@kbin.social 3 points 1 year ago

Anti-cheats are typically designed so that the user can't actually modify them at all. They install themselves deep into your system, sometimes literally in the form of a rootkit which basically runs parts of it completely invisibly from your OS, entirely.

[-] 520@kbin.social 6 points 1 year ago* (last edited 1 year ago)

Anti-cheats are typically designed so that the user can't actually modify them at all.

The problem is that these measures can be bypassed

https://guidedhacking.com/threads/how-to-bypass-anticheat-start-here-beginners-guide.9882/

[-] Lileath@lemmy.blahaj.zone 1 points 1 year ago

But it is complicated enough that most people don't bother with it.

[-] ekky@sopuli.xyz 4 points 1 year ago

So is cheating, yet we still have cheaters.

[-] Endorkend@kbin.social 1 points 1 year ago

The problem with the server only solution is that they can never detect the source of cheating, only the result of it.

And detecting the result is inaccurate as there are perfectly natural network latency and other issues that can generate the same result as a cheat, as that's actually how many cheats are discovered and implemented, by noticing that network latency or weird traffic creates an exploitable condition.

You need to run it on the client side to see if the natural circumstances are happening or someone is using tools to cause the circumstances. The first isn't cheating, the latter is.

You can't detect from the server side what the client side is doing without running anticheat on the client side.

[-] zephr_c@lemm.ee 1 points 1 year ago

Of course, which is why all cheating has been eradicated forever. Certainly no game with a rootkit anti-cheat has ever had a problem with cheating.

[-] Vlyn@lemmy.zip 8 points 1 year ago

They usually use both. Client side and server side detection together.

The problem isn't the check itself usually, but rather latency. If you shoot a player on your screen you want immediate feedback (client side), instead of waiting for a roundtrip to the server until the blood spatters.

There have been shooters where the server decides if a bullet lands. So on your screen you hit the player and then they suddenly survived. So most shooters switched to: If the client thinks it hit, it hit. Which does lead on the receiving end to running behind a wall and still dying. Overall it feels better than the alternative though.

The whole topic is pretty much game networking, it's a balance between doing it correctly (server side, slow) and faking to get it close enough (client side, immediate, easier to cheat, unfair if the player is laggy).

Of course there are some server checks that are always easy: For example if a player teleports or moves around the map faster than possible? You can flag them for review or if it happens too often kick/ban them. As long as you're super careful about automatic bans (bugs exist).
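The "moves faster than possible" check from the comment above, as an added example that is not code from the thread or from any particular game. The speed limit, tolerance and strike thresholds are assumed values, and timestamps are taken to be server receive times rather than anything the client supplies.

```python
# Added example: server-side speed/teleport check with slack for lag
# and "flag for review" instead of an automatic ban.
import math
from dataclasses import dataclass, field

MAX_SPEED = 7.0       # units per second allowed by the game rules (assumed)
TOLERANCE = 1.25      # slack for jitter and late packets (assumed)
STRIKES_TO_FLAG = 3   # violations inside the window before flagging
STRIKE_WINDOW = 10.0  # seconds


@dataclass
class PlayerState:
    pos: tuple
    t: float
    strikes: list = field(default_factory=list)
    flagged: bool = False


def validate_move(state, new_pos, now):
    """Check one position update; return (position to keep, verdict)."""
    dt = now - state.t
    if dt <= 0:
        return state.pos, "rejected: non-increasing timestamp"
    allowed = MAX_SPEED * dt * TOLERANCE
    if math.dist(state.pos, new_pos) <= allowed:
        # A long gap (lag spike) raises dt, so a big but plausible
        # jump after packet loss is still accepted.
        state.pos, state.t = new_pos, now
        return new_pos, "ok"
    # Too far for the elapsed time: keep the server's position
    # (the client gets rubber-banded) and record a strike.
    state.t = now
    state.strikes = [s for s in state.strikes if now - s <= STRIKE_WINDOW]
    state.strikes.append(now)
    if len(state.strikes) >= STRIKES_TO_FLAG:
        state.flagged = True
        return state.pos, "rejected: flagged for review"
    return state.pos, "rejected: moved too far"


def replay_sample():
    """Run a constructed sequence of updates through the validator."""
    state = PlayerState(pos=(0.0, 0.0), t=0.0)
    updates = [
        ((0.7, 0.0), 0.1),    # normal step
        ((14.0, 0.0), 2.1),   # 2 s lag spike, distance still plausible
        ((100.0, 0.0), 2.2),  # teleport attempt
        ((100.0, 0.0), 2.3),  # repeated
        ((100.0, 0.0), 2.4),  # third strike inside the window
    ]
    verdicts = [validate_move(state, p, t)[1] for p, t in updates]
    return state, verdicts


if __name__ == "__main__":
    final_state, verdicts = replay_sample()
    for v in verdicts:
        print(v)
    print(final_state.pos, final_state.flagged)
```

The check costs one distance computation per update, which is why it is among the cheap ones; the strike window is what keeps a single bug or burst of packet loss from turning into a ban.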

[-] RightHandOfIkaros@lemmy.world 4 points 1 year ago

Overall it feels better than the alternative though.

Client Side Prediction in combination with Server Authoritative Calculation should always be the correct option.

Basically, both the server and the client do the same calculation to see if a bullet hits. Then the server sees the client data and checks if it matches what the server calculated. If it does, then it ignores the client data and continues, otherwise it sends the correct data to overwrite the client. While the client waits for the server to check the data and send it back, it calculates the next frame based on previous server data such as previous enemy velocity, look angle, etc. The client is always slightly ahead of the server, but as long as the ping is low this isn't a problem (depends on network data bandwidth, but usually anything below 150ms ping is not really noticeable, as the ping from your eyes to your brain processing it, then reacting to what you saw is between 150ms-300ms.)

This feels bad for players with bad ping, but it doesn't have a negative effect on anyone else except cheaters that can no longer shoot you through walls or make impossible movements. And both of these are usually the fault of the client, as choosing a server with lower ping or simply not cheating will fix the problem immediately.

Client Authoritative Calculation, where the client tells the server the data to send other players, should never be used in a game where cheating would be a severe negative impact on the game, such as a PvP shooter.

[-] kewwwi@lemmy.world 3 points 1 year ago

there's both

[-] cyberpunk007@lemmy.ca 3 points 1 year ago

Server receives "1" for "hit registered" as sent by "client". As a client I can shove 1s all day long, how will it safeguard that?

[-] krimson@feddit.nl 6 points 1 year ago* (last edited 1 year ago)

Server determines hit received. Client only sends shot fired and direction and such. Server could also calculate if shot and direction make sense based on location, last shot fired, etc.

I’m a dev but not a game dev so I have no idea if this is doable or too much for the server to handle.

There probably is a reason anti cheat on the client is still needed. On the other hand, isn’t this mostly to prevent wallhacking and such? That’s probably the hardest cheat to detect server side if it’s even possible at all.
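The server-decides-the-hit model described in the comments above, as an added example that is not code from the thread or from any real game server. It is a 2D sketch with assumed values for fire rate and hitbox radius, constructed sample positions, and no lag compensation.

```python
# Added example: the client sends only "I fired at this angle"; the
# server uses its own positions, walls and fire-rate limit to decide.
import math

FIRE_INTERVAL = 0.1   # minimum seconds between shots (assumed)
PLAYER_RADIUS = 0.5   # hitbox radius (assumed)
MAX_RANGE = 100.0

# Constructed sample map: one vertical wall at x = 5.
SAMPLE_WALLS = [((5.0, -2.0), (5.0, 2.0))]


def ray_segment(origin, d, a, b):
    """Distance along the ray origin + t*d to wall a-b, or None."""
    ex, ey = b[0] - a[0], b[1] - a[1]
    denom = d[0] * ey - d[1] * ex
    if abs(denom) < 1e-12:
        return None  # ray is parallel to the wall
    ax, ay = a[0] - origin[0], a[1] - origin[1]
    t = (ax * ey - ay * ex) / denom
    u = (ax * d[1] - ay * d[0]) / denom
    return t if t >= 0 and 0 <= u <= 1 else None


def ray_circle(origin, d, centre, r):
    """Distance along the unit ray to a circular hitbox, or None."""
    fx, fy = centre[0] - origin[0], centre[1] - origin[1]
    proj = fx * d[0] + fy * d[1]
    perp2 = fx * fx + fy * fy - proj * proj
    if proj < 0 or perp2 > r * r:
        return None
    return proj - math.sqrt(r * r - perp2)


class HitServer:
    def __init__(self, walls):
        self.walls = walls
        self.positions = {}   # authoritative positions, set by the server
        self.last_shot = {}

    def handle_shot(self, shooter, angle, now):
        """Decide the outcome of a shot; no client 'hit' flag is read."""
        if now - self.last_shot.get(shooter, -math.inf) < FIRE_INTERVAL:
            return ("rejected", "fire rate")
        self.last_shot[shooter] = now
        origin = self.positions[shooter]  # never the client's claim
        d = (math.cos(angle), math.sin(angle))
        wall_hits = (ray_segment(origin, d, a, b) for a, b in self.walls)
        wall_t = min((t for t in wall_hits if t is not None),
                     default=MAX_RANGE)
        best = None
        for pid, pos in self.positions.items():
            if pid == shooter:
                continue
            t = ray_circle(origin, d, pos, PLAYER_RADIUS)
            # Targets behind the nearest wall cannot be hit.
            if t is not None and t < wall_t and (best is None or t < best[1]):
                best = (pid, t)
        return ("hit", best[0]) if best else ("miss", None)


if __name__ == "__main__":
    srv = HitServer(SAMPLE_WALLS)
    srv.positions = {"a": (0.0, 0.0), "b": (3.0, 0.0), "c": (8.0, 0.0)}
    print(srv.handle_shot("a", 0.0, 0.0))   # b stands in the open
    srv.positions["b"] = (3.0, 5.0)
    print(srv.handle_shot("a", 0.0, 1.0))   # only c is in line, behind the wall
    print(srv.handle_shot("a", 0.0, 1.05))  # too soon after the last shot
```

Because the message carries no result field, a client that sends a stream of "1 = hit" has nothing to forge; what remains open is aim assistance, since a perfectly aimed angle is still a valid input.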

[-] Longpork_afficianado@lemmy.nz 3 points 1 year ago

Depends what you mean by wall hacking I guess. Shooting through a wall should not be possible by your proposed method, and it could be expanded to prevent the player moving through walls also.

Seeing through walls though is a different matter. How does the server know if I have rendered an opaque wall or not?

Personally I see anticheat as a problem to be solved socially, not technically. Just let people vote to kick, and anyone who is generally accepted to be hacking will be kicked. No need for invasive Spyware.

[-] xep@kbin.social 3 points 1 year ago* (last edited 1 year ago)

Just let people vote to kick

This system is easy to abuse, and historically when implemented will be abused.

[-] cyberpunk007@lemmy.ca 2 points 1 year ago

As far as I'm aware every action the client produces is reported to the server. If I push "w" the client tells the server "move forward X amount". So as far as I'm aware, it makes the most sense to have anticheat on the client side.

this post was submitted on 30 Nov 2023
69 points (98.6% liked)

No Stupid Questions
