snarfy 7 hours ago

For UT2004, you can ban by player GUID (a hash of the CD key) or IP. With the game abandoned by Epic, a number of key generators have cropped up, which makes GUID bans useless. IP bans only go so far with VPNs costing $2 these days.

The main solutions we have today are IP ban + VPN blocking using a database of known VPN subnets and adding them all to the firewall, and a similar fingerprinting technique which scans their folder structure of certain system folders.

  • johnisgood 4 hours ago

    > IP bans only go so far with VPNs costing $2 these days.

    https://redman.xyz/doku.php/schachtmeister2 was made specifically against people using VPNs.

    It was made for Tremulous (ioquake3 fork) where people kept evading IP bans, but it can be used for any other games.

    It is not my project, but I know the author, and I could personally fork it and make it suitable for specific (or any) games if there is demand for it.

    You may also use heuristics, too, in schachtmeister2:

      whois   -10     "Hosting"
      whois   -10     "hosting"
      whois   -7      "Server"
      whois   -4      "server"
      whois   -10     "VPS"
      whois   -13     "VPN"
      whois   -3      "Private Network"
      whois   +7      "residential"
      whois   +7      "Residential"
      whois   -20     "Dedicated Server"
    
    Edit: I noticed that the git repository returns 502, contacted the maintainer.
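Added example, not part of the comment above and not schachtmeister2's own code: a Python scorer that parses rule lines in the format quoted there and sums the weights of the patterns found in a WHOIS record. Case-sensitive substring matching, summing every matching rule, and the threshold of -10 are assumptions; the WHOIS excerpts are constructed.

```python
"""Score WHOIS text with weighted keyword rules in the format quoted above.

Assumptions (not schachtmeister2's documented behaviour): patterns are
case-sensitive substrings, every matching rule counts once per record, the
weights are summed, and a total at or below SUSPECT_THRESHOLD is treated as
hosting/VPN address space.
"""
import re

# Rule lines copied from the comment above.
RULES_TEXT = '''
whois   -10     "Hosting"
whois   -10     "hosting"
whois   -7      "Server"
whois   -4      "server"
whois   -10     "VPS"
whois   -13     "VPN"
whois   -3      "Private Network"
whois   +7      "residential"
whois   +7      "Residential"
whois   -20     "Dedicated Server"
'''

RULE_RE = re.compile(r'^\s*whois\s+([+-]?\d+)\s+"([^"]*)"\s*$')
SUSPECT_THRESHOLD = -10  # hypothetical cut-off; tune against real traffic


def parse_rules(text):
    """Return [(weight, pattern), ...]; reject lines that are not rules."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = RULE_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a whois rule: {line!r}")
        rules.append((int(match.group(1)), match.group(2)))
    return rules


def score(whois_text, rules):
    """Sum the weights of all patterns present; also return the hits."""
    # Overlapping patterns ("Server" inside "Dedicated Server") both count.
    hits = [(weight, pattern) for weight, pattern in rules
            if pattern in whois_text]
    return sum(weight for weight, _ in hits), hits


def classify(whois_text, rules, threshold=SUSPECT_THRESHOLD):
    total, hits = score(whois_text, rules)
    return ("suspect" if total <= threshold else "ok"), total, hits


RULES = parse_rules(RULES_TEXT)

# Constructed WHOIS excerpts (documentation address ranges, made-up orgs).
HOSTING_WHOIS = """\
NetRange:  198.51.100.0 - 198.51.100.255
OrgName:   Example Hosting Ltd
Comment:   VPS and Dedicated Server rentals
"""
RESIDENTIAL_WHOIS = """\
NetRange:  203.0.113.0 - 203.0.113.255
OrgName:   Example Telecom
Comment:   Residential broadband customers
"""
# A home ISP whose record happens to mention a mail server: one weak
# negative keyword should not outweigh the residential signal.
MIXED_WHOIS = """\
NetRange:  192.0.2.0 - 192.0.2.255
OrgName:   Example Cable
Comment:   Residential DSL pool
OrgAbuseEmail: abuse@mail-server.example.net
"""

if __name__ == "__main__":
    for name, record in (("hosting", HOSTING_WHOIS),
                         ("residential", RESIDENTIAL_WHOIS),
                         ("mixed", MIXED_WHOIS)):
        verdict, total, hits = classify(record, RULES)
        print(f"{name:12} {verdict:8} total={total:+d} hits={hits}")
```
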
  • TechDebtDevin 15 minutes ago

    Who is gaming in a competitive game behind a VPN.. I suppose if it's your only option, but I don't think this would be a great playing experience.

    • afavour 5 minutes ago

      > Who is gaming in a competitive game behind a VPN..

      Cheaters, which is why they’re getting banned in the first place

  • CSMastermind an hour ago

    Wait, can you help maintain UT2004? Because I love that game.

    I don't play online anymore because I get destroyed but it's still fun to pop in for a quick match against AI when I have 30 minutes to kill.

  • ghxst 6 hours ago

    This still leaves you wide open to cheaters using mobile data tethering and proxies. Have you considered more advanced network analysis? It's one of the areas I have an interest in (professionally and personally) so if you want any suggestions let me know.

    • kelnos 6 hours ago

      > This still leaves you wide open to cheaters using mobile data tethering and proxies

      Is latency going to be good enough on mobile data (especially if they're also using proxies) for a FPS, though? Sure, they're using cheating software, but I wouldn't be surprised if the software gets the information it needs to cheat too late often enough for it to be useful.

      • Sayrus 6 hours ago

        Assuming obvious cheat, even 100ms or 200ms latency is unbeatable by a human. Especially since the cheat doesn't need time to aim.

        Even for non-obvious use-cases, it's hard to beat the advantage provided by knowing the position of players.

        On my own hotspot, I have less than 30ms of latency.

      • jjmarr 4 hours ago

        I regularly played CSGO in Europe because the North American ranking system was screwed up.

        I got to Supreme (2nd highest rank) with 150 ms ping. The people I queued with hit Global.

        It's possible to play legitimately with very high ping. The higher ping put us at a disadvantage, but the skill gap between regions made it worth it to arbitrage.

        • Systemmanic 4 hours ago

          What was screwed up about the NA ranks?

          • xnyan 3 hours ago

            NA is (or at least was when I played) the most populated and visible regional zone, and attracts a lot of players attempting various kinds of rank manipulation. On the one hand you have smurfing, which is the practice of a relatively high skill player using an account with relatively low rank so that they can dominate lower ranked players. On the other side you have boosting, which is a relatively high skill player ranking up new accounts for later sale.

            In practice this means at lower ranks, it was not at all uncommon to be matched with players with similar rank but vastly better skills.

            • ultimafan 3 hours ago

              This was my experience too years ago when I played CSGO. The difficulty at higher ranks (up to a certain point) felt significantly easier than the lower ranks. Getting out of the silver and gold ranks (can't remember the exact names) was a hellish grind with lots of matches that ended in one sided stomps with one or two guys on the other team racking up some insane k/d. Past that was smooth sailing for a long long way.

      • ghxst 5 hours ago

        Yes the latency is not nearly as bad as you might think, it's comparable to a VPN in my experience, though the quality will depend on your location and the available connections.

        Sophisticated cheats in games like CSGO (and other competitive shooters) are usually very subtle, such as displaying enemies on the mini-map when they shouldn't be visible which provides a major advantage without requiring superhuman input, and the added latency is often negligible—especially when the info can be relayed to teammates and now you essentially have the entire team cheating with only 1 player suffering from a bit of increased latency.

        And I wouldn't say this is an edge case either as in my experience the majority of cheaters I encountered are individuals that play on an alt account and offer a service to guarantee wins in ranked games.

    • mouse_ 6 hours ago

      The tactic 4chan uses:

      Regular IPs can post freely

      VPN or mobile IPs (blacklisted) must pay for a key ($20/year) that allows posting from blacklisted IPs. Key is good for posting from one blacklisted IP, locked for 30 minutes, so users cannot share keys. That way, you can ban the user by their key, if their IP is public.

      It's not a perfect solution but it seems to be the best they've found for such a situation so far.

      • ryandrake 4 hours ago

        I mean, in this case it's 4chan so who cares, but I hope we are not very slowly moving towards a troubling world with lower classes of IPs and upper class IPs. IPs should be IPs should be IPs, it shouldn't matter whether it comes from an ISP, a mobile network, a VPN, or anything else, and we shouldn't attach some kind of IP caste to providers or countries. I think we really need Internet-wide IP randomization, where you can't just block a /24 or a /16 because they're in some icky ghetto. Yes, I know there is abuse, but if this is the alternative, it doesn't seem worth the cost in terms of innocent people losing access.

        EDIT: Well, I guess the tribe has spoken. Pretty surprising. I think y'all are just assuming you'll always be the ones with the "good" IPs...

        • kbolino 4 hours ago

          We are already there and have been for a long time. Geoblocking is very common for low-effort DRM and abuse mitigation, common VPN providers are easy to detect by IP but generally frustrate and/or ignore abuse reporting (until serious illegal activity is committed), college and other institutional networks are often no better than VPNs in this regard, etc. The Internet hasn't been able to operate as a network of peers at least since it was opened up to the public.

  • IncreasePosts 4 hours ago

    How about just a whitelist? I can't imagine there are a ton of legit ut2k4 players left?

    • snarfy 4 hours ago

      Yes, we have a whitelist ability also, but it is definitely a last resort. The game is mostly dead and difficult to discover for new players. We don't want that roadblock if we can avoid it.

      • Syntonicles 4 hours ago

        TIL people still play UT2004.

        I was going to mention how much I loved that game, until I realized I played UT99. Time sure does fly...

        • dylan604 an hour ago

          Is this game online/multiplayer only? I mean, people still play Galaga and PacMan, and other older classic games so why would you think someone wouldn't still play this one too?

        • ghffjgff 3 hours ago

          Ut99 with the matrix mod was where it was at for LAN parties...

      • VTimofeenko 2 hours ago

        Do you happen to have a link for a good manual on "how does one get into the modern UT2k4 multiplayer"? I.e. must-have modlist, servers, etc.

      • catlikesshrimp an hour ago

        Suggestion: Anybody can play against bot(s). Whitelist can interact with real players.

  • project2501a 4 hours ago

    sorry for the not-so-smart question.

    the cheats are software, software has certain quirks, like the way it aims or the way it tracks. And I'm willing to bet it has enough distinctiveness from human aiming to be classified. Couldn't a classifier work on the behavior of the cheating software itself, rather than use IP bans?

    • cwillu 17 minutes ago

      Some “aimbots” don't actually assist with the aiming, they just fire the trigger any time the user gets on target.

    • snarfy 4 hours ago

      It's more effort than it's worth. There are server aimbot scanners which do something like this. There are also aimbots written to thwart this type of detection, adding delays, random drift, etc. It's a cat and mouse game. We don't have a lot of players left so it's not that much of an issue.

    • treyd 4 hours ago

      This is part of what Valve does in CS. It works pretty well but it does have false positives so it requires user intervention for confirmation of bans.

    • derefr 4 hours ago

      In order to actually catch a cheater mid-match rather than long after the match is already over, you'd need the servers that players are interacting through to have enough CPU grunt-force to do that kind of analysis "faster than realtime" — i.e. for the server's CPU to be able to run the game's physics faster than any client can, so it can run the physics with extra math in the same time it takes the clients to just run the physics.

      Which might be something you could guarantee, if the game were locked to wimpy console hardware; or if the game had minimal CPU physics such that it was effectively never running CPU-bottlenecked and there were massive gaps in frame-time where even the client CPUs are sitting idle, that a server running in lockstep could cram that kind of analysis into.

      But gaming is a race-to-the-top, hardware-wise. The CPU in a gaming rig might not have as many cores as your average server CPU, but it's almost certainly going to have higher single-core perf.

      And part of the reason for that, is that games really do try to use your whole CPU (and GPU), with AAA studios especially being factories for constant innovation in new ways to make even the minimum requirements just to run a game's physics, higher and higher every year.

      And if the server can't do "faster than realtime" analysis of the streams of inputs of the players, then by queuing theory, it'll inevitably get infinitely backlogged — the server will keep receiving new analysis work to do every timestep, and will fall further and further behind, never catching up until new work stops being generated — i.e. until the match is over. And then it'll have to probably sit there for five more minutes thinking really hard before spitting out a "hey, wait just a minute..." about any given match.

      Which is fine if there's a big central lobby server that the game is forced to connect to, and your goal is to ensure that some central statistic that that central server relies upon (e.g. match-rank ELO) gets calculated correctly, such that cheaters are prevented from climbing the leaderboards / winning their way into high-ranked play. (And that's exactly the situation the big eSports games companies are in.)

      But in the context of older games that use arbitrary hosted servers and random-pairing (or manual lobby-based match selection) — or in modern, but "dead", games, that only persist due to being modded to accept private servers — this "after-the-fact" punishment is useless, as most servers have no incentive to do this analysis, especially when cheaters can just hop around between servers. So there's nothing preventing people from being matched with cheaters, sometimes over and over again, if the cheaters can just tell their clients to roll up with a new key+IP for every match.

      ...and that's assuming there even are servers. You can forget about any of this working in a p2p context. (Think about what a Sybil attack means in the context of a federated set of individual tiny disconnected p2p networks.)

      • IPTN 3 hours ago

        You should be able to limit analysis for this type of detection to only the input leading up to a kill/hit and ignoring everything else. The majority of the time players are not shooting could be used to do the analysis with plenty of time to boot midway in a round let alone a full game.

        Also simple analysis of only the input streams as you stated really doesn't have to do with the phys rate of the game server and should be a lot cheaper computationally. It can be offloaded to another process even if it was found to be too impactful to run alongside the game server directly. Something all those extra cores might be good for.

        • Xss3 an hour ago

          Cheats nowadays can and do

          a) run on 2nd pc passively capturing the screen and commands to a fake mouse device plugged into both machines,

          b) "humanise" the aim with ai models trained on professional players

          c) add random variances within the limits of human reaction times

          So it doesn't solve things, really it'd still be playing catchup.

      • Arch-TK 2 hours ago

        CSGO doesn't do P2P matchmaking and Valve _are_ working on real-time heuristics based cheat detection to kick cheaters mid-match

      • blangk 3 hours ago

        Not to mention the most sophisticated cheats are now running on second computers

  • dietr1ch 4 hours ago

    What about banning VPNs?

  • gosub100 6 hours ago

    Just curious if IP bans work with IPv6 or if they are fundamentally incompatible?

    • ghxst 5 hours ago

      IP bans are fundamentally flawed since you can't assume a static IP in the vast majority of cases anymore, if you rely on an IP blocklist then it's inevitable that you will end up hurting the experience of a small amount of unlucky but innocent players. I suppose this might be more of an issue on ipv4 than it could be on ipv6, but really you should always expire IP bans to avoid issues like these, or you want to combine another data point with the IP such as a hardware ID (or a hash of a combination of hardware IDs). Cheaters do know this so even if we could assign everyone a static ipv6 they would likely just disable ipv6 support on their NIC and rely on their ipv4 exit ip.

      Edit: If you don't think this is an issue I urge you to Google "pokemon go belgium ip ban" for a fun rabbit hole.
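Added example, not part of the comment above: a Python ban list in which every IP ban carries an expiry and can optionally be pinned to a hash of several hardware IDs, so a later holder of a recycled address is not caught by it. Treating an IPv6 /64 as one subscriber, failing closed when a client reports no hardware ID, and all names here are assumptions.

```python
"""Expiring IP bans, optionally pinned to a hash of hardware IDs."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPV6_BAN_PREFIX = 64  # assumption: one /64 corresponds to one subscriber


def _parse_ip(ip_text):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def ban_network(ip_text):
    """IPv4 bans cover one address; IPv6 bans cover the enclosing /64."""
    ip = _parse_ip(ip_text)
    prefix = 32 if ip.version == 4 else IPV6_BAN_PREFIX
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def hwid_hash(*hardware_ids):
    """Hash a combination of IDs; length prefixes keep ("ab","c") != ("a","bc")."""
    digest = hashlib.sha256()
    for part in hardware_ids:
        data = part.encode("utf-8")
        digest.update(len(data).to_bytes(4, "big"))
        digest.update(data)
    return digest.hexdigest()


@dataclass(frozen=True)
class Ban:
    network: object          # ipaddress.IPv4Network or IPv6Network
    expires_at: float        # seconds, same clock as the `now` arguments
    hwid: Optional[str] = None
    reason: str = ""


class BanList:
    def __init__(self):
        self._bans = []

    def add(self, ip_text, now, ttl_seconds, hwid=None, reason=""):
        ban = Ban(ban_network(ip_text), now + ttl_seconds, hwid, reason)
        self._bans.append(ban)
        return ban

    def purge(self, now):
        """Drop expired entries so the list does not grow without bound."""
        self._bans = [b for b in self._bans if b.expires_at > now]

    def check(self, ip_text, now, hwid=None):
        """Return the Ban that applies to this connection, or None."""
        ip = _parse_ip(ip_text)
        for ban in self._bans:
            if ban.expires_at <= now:
                continue                      # expired: never matches
            if ip.version != ban.network.version or ip not in ban.network:
                continue
            # A pinned ban needs the hardware hash to match as well. A client
            # that reports no hardware ID is treated as matching (fail closed).
            if ban.hwid is not None and hwid is not None and ban.hwid != hwid:
                continue
            return ban
        return None


def demo():
    """Constructed scenario using documentation address ranges."""
    bans = BanList()
    cheater = hwid_hash("disk-serial-A", "mac-A")
    bans.add("203.0.113.9", now=0, ttl_seconds=3600, hwid=cheater)
    newcomer = hwid_hash("disk-serial-B", "mac-B")
    return (bans.check("203.0.113.9", now=60, hwid=cheater) is not None,
            bans.check("203.0.113.9", now=60, hwid=newcomer) is not None,
            bans.check("203.0.113.9", now=3600, hwid=cheater) is not None)


if __name__ == "__main__":
    print(demo())
```
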

voytec 7 hours ago

Kudos to the author for using RFC5737[0] TEST-NET-2 address for:

> An example of an IPv4 IP address is 198.51.100.1.

[0] https://www.rfc-editor.org/rfc/rfc5737

  • mobeigi 7 hours ago

    I'm a big fan of using identifiers reserved for examples. I use TEST-NET-2 IPs and example.com all the time in my documentation!

  • o11c 4 hours ago

    Where it gets interesting is when documentation uses a typoed reserved address (e.g. 189.51.100.1 or 198.15.100.1). There are actually several RFCs that do this.
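Added example, not part of the comments above: a Python documentation linter that finds IPv4 literals which are globally routable instead of falling in the RFC 5737 ranges, and suggests the reserved address each one is probably a typo of. The typo model (two adjacent digits swapped inside one octet) is an assumption, and the sample text is constructed around the two addresses mentioned above.

```python
"""Flag routable IPv4 literals in docs and suggest the RFC 5737 address meant."""
import ipaddress
import re

# RFC 5737: TEST-NET-1, TEST-NET-2, TEST-NET-3.
DOC_NETS = [ipaddress.ip_network(net) for net in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Dotted quad not embedded in a longer dotted/digit run (e.g. "1.2.3.4567").
# A trailing sentence full stop is allowed.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?!\d|\.\d)")


def _parse(text):
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:          # octet > 255, leading zeros, ...
        return None


def is_doc_address(text):
    addr = _parse(text)
    return addr is not None and any(addr in net for net in DOC_NETS)


def near_misses(text):
    """Documentation addresses reachable by swapping two adjacent digits
    inside a single octet of `text`."""
    octets = text.split(".")
    found = []
    for i, octet in enumerate(octets):
        for j in range(len(octet) - 1):
            swapped = octet[:j] + octet[j + 1] + octet[j] + octet[j + 2:]
            if swapped == octet or swapped.startswith("0"):
                continue        # no change, or would create a leading zero
            candidate = ".".join(octets[:i] + [swapped] + octets[i + 1:])
            if is_doc_address(candidate) and candidate not in found:
                found.append(candidate)
    return found


def lint_text(text):
    """Return [(address_as_written, [suggested_doc_addresses]), ...] for every
    globally routable IPv4 literal in `text`."""
    findings = []
    for match in IPV4_RE.finditer(text):
        literal = match.group(1)
        addr = _parse(literal)
        if addr is None or is_doc_address(literal):
            continue
        if not addr.is_global:  # private, loopback, link-local: not flagged
            continue
        findings.append((literal, near_misses(literal)))
    return findings


# Constructed documentation snippet.
SAMPLE = """\
Connect the client to 198.51.100.1 on port 7777.
The fallback server is 189.51.100.1 and the relay is 198.15.100.1.
Version 1.2.3.4567 is not an address; 192.168.1.10 is private.
"""

if __name__ == "__main__":
    for literal, suggestions in lint_text(SAMPLE):
        hint = ", ".join(suggestions) or "no reserved address nearby"
        print(f"{literal}: routable address in documentation ({hint})")
```
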

ZeroCool2u 7 hours ago

Server side only anti-cheat is one of the problem domains that I'd really love to work on at some point in my career. This is the type of adversarial arms race that just seems really fun to think long and hard about.

  • Night_Thastus 7 hours ago

    Only problem is, a lot of companies do NOT want to pay for it. It's 'treadmill work'. No matter how many people and how much money you throw at the problem, it still ends up just coming back. It's a losing battle because there are many, many more players than there are developers.

    • J_Shelby_J 4 hours ago

      > Only problem is, a lot of companies do NOT want to pay for it.

      Because they're 10 years behind the curve and don't understand that a game's lifespan is contingent on anti-cheat. Once it becomes clear to the casual player that a hacker is going to affect every gaming session, the game dies quickly. Many games have gone so far as to obfuscate the presence of hackers so that players are less likely to notice them (CoD)! Other games build from the ground up with anti-cheat in mind (Valorant). Other games have an ID verified 3rd party system for competitive play (CSGO).

      Personally, I think there is a middle ground between root level hardware access, and treating cheating as an afterthought. I'd lean more heavily on humans in the process... Use ML models to detect potential cheaters, and build a team of former play testers to investigate these accounts. There is zero reason a cheater should be in the top 100 accounts; An intern could investigate them in a single day! More low hanging fruit would be investigating new accounts that are over-performing. I'd also change the ToS so legal action could be pursued for repeat offenders. Cheaters do real economic damage to a company, and forcing them to show up in small claims court would heavily de-incentivize ban evaders. This probably sounds expensive and overkill, but in the grand scheme of things it's cheap; it could be done on the headcount budget of 2-3 engineers. It'd also be a huge PR win for the game.

      • TechDebtDevin 11 minutes ago

        > Many games have gone so far as to obfuscate the presence of hackers so that players are less likely to notice them (CoD)!

        How does CoD accomplish this, or other games that use similar strategies. I can't wrap my mind around how you could do this effectively while also not identifying hackers for the purpose of banning. Banning = Cheater buying another license to the game, I thought they like banning people for that reason :/

      • globalnode 2 hours ago

        even though I'm not a cheater in games, I wouldn't play a game that threatened to take me to court if they deemed me to be one. interesting thought though.

    • willcipriano 7 hours ago

      My idea:

      1. Determine minimum human reaction times and limit movement to within those parameters on the client side. (For example a human can't swing their view around [in a fps] in a microsecond so make that impossible on the client) this will require a lot of user testing to get right, get pro players and push their limits.

      2. Build a 'unified field theory' for your game world that is aware of the client side constraints as well as limits on character movement, reload times, bullet velocities, etc. Run this [much smaller than the real game] simulation on server.

      3. Ban any user who sends input that violates physics.

      Now cheating has to at least look like high level play instead of someone flying around spinbotting everyone from across the map. Players hopefully don't get as frustrated when playing against cheaters as they assume they are just great players. Great players should be competitive against cheaters as well.
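Added example, not part of the comment above: a Python server-side check for steps 1 to 3 that measures how fast the view direction rotates between consecutive input samples and reports the ones above a cap. The cap of 3000 degrees per second is a hypothetical placeholder for the limit that user testing would produce, and the sample format `(time_seconds, yaw_degrees, pitch_degrees)` is an assumption.

```python
"""Flag view rotations between input samples that exceed a turn-rate cap."""
import math

# Hypothetical placeholder; step 1 above derives the real limit from testing.
MAX_TURN_DEG_PER_SEC = 3000.0


def view_vector(yaw_deg, pitch_deg):
    """Unit vector for a view direction given as yaw/pitch in degrees."""
    yaw, pitch = math.radians(yaw_deg), math.radians(pitch_deg)
    return (math.cos(pitch) * math.cos(yaw),
            math.cos(pitch) * math.sin(yaw),
            math.sin(pitch))


def angle_between_deg(a, b):
    """Angle between two unit vectors, stable for tiny and near-180 angles."""
    dot = sum(x * y for x, y in zip(a, b))
    cross = (a[1] * b[2] - a[2] * b[1],
             a[2] * b[0] - a[0] * b[2],
             a[0] * b[1] - a[1] * b[0])
    return math.degrees(math.atan2(math.sqrt(sum(c * c for c in cross)), dot))


def turn_violations(samples, max_rate=MAX_TURN_DEG_PER_SEC):
    """Return [(sample_index, degrees_per_second), ...] for every step whose
    rotation rate exceeds max_rate.

    Working on direction vectors instead of subtracting yaw values means a
    step from 355 to 2 degrees counts as 7 degrees, not 353, and a large yaw
    change while looking almost straight up counts as the small rotation it
    really is. A timestamp that does not advance is reported with an infinite
    rate, since it would otherwise allow any rotation in zero time.
    """
    violations = []
    for i in range(1, len(samples)):
        t0, yaw0, pitch0 = samples[i - 1]
        t1, yaw1, pitch1 = samples[i]
        dt = t1 - t0
        if dt <= 0:
            rate = math.inf
        else:
            angle = angle_between_deg(view_vector(yaw0, pitch0),
                                      view_vector(yaw1, pitch1))
            rate = angle / dt
        if rate > max_rate:
            violations.append((i, rate))
    return violations


# Constructed input streams, 10 ms apart.
LEGIT_WRAP = [(0.00, 350.0, 0.0), (0.01, 355.0, 0.0), (0.02, 2.0, 0.0)]
LOOKING_UP = [(0.00, 0.0, 89.0), (0.01, 180.0, 89.0)]
SPIN = [(0.00, 0.0, 0.0), (0.01, 180.0, 0.0)]
STALLED_CLOCK = [(0.00, 0.0, 0.0), (0.00, 10.0, 0.0)]

if __name__ == "__main__":
    for name, stream in (("legit_wrap", LEGIT_WRAP), ("looking_up", LOOKING_UP),
                         ("spin", SPIN), ("stalled_clock", STALLED_CLOCK)):
        print(name, turn_violations(stream))
```
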

      • TechDebtDevin 8 minutes ago

        Cheaters who spin don't care if they get caught. It's the closet cheaters you can't catch like this whose aim bot only locks on the head of someone when the crosshair is a certain amount of pixels from the head, or they set it to never lock on the head.

      • Workaccount2 4 hours ago

        The vast majority of cheaters are not "rage hacking", but instead using cheats as a skill assist.

        Take a moment and think about how you would design cheats that would be undetectable. Hot keys, real time adjustments, all the options and parameters you could provide cheaters to dial in their choice experience while also keeping them looking legit.

        Then realize cheat developers thought of all that decades ago and it is waaayyyy beyond what you can dream up in a few minutes. Hell cheats nowadays even stop cheaters from inadvertently doing actions that would out them as cheaters.

        • willcipriano 39 minutes ago

          You misidentify the core problem, or at least why it is a problem from a business perspective.

          The problem isn't cheating itself, the problem is players feeling like they have been cheated (and thus not buying micro transactions in the future).

          If you can limit player action to things that look plausibly human, less players will feel cheated and will be less likely to drop out.

          This system would be put in place on top of existing systems and if implemented as I have described could be done so fairly cheaply from an operational perspective (getting it off the ground will require a good bit of dev time).

          If you had ELO based matchmaking (that dropped matches where the player performed far below what they had previously done to prevent sandbagging) a cheater with "perfect play" would end up only playing against other cheaters after a time.

        • johnisgood 3 hours ago

          > skill assist

          Yeah, most games have builtin aimbot, called "aim assist". I do not like it, in fact, I find it annoying as a player, too (I come from Quake 3).

      • ultimafan 3 hours ago

        Playing against subtle cheaters is imo more rage inducing once you realize it's actually happening. New or poor players won't notice and won't call them out on it or participate in a votekick because they genuinely can't tell the player is cheating. Average to good players get tilted because they might have enough game knowledge to know something is off but not notice it every time or be able to call out exactly what's happening. They end up second guessing too much. And you can't improve and get better playing against subtle cheaters because they're going to be doing things you just can't. Great players can probably tell more often than not but they're going to quit in droves when they realize the playing field isn't fair. Subtle cheating is much more destructive to a game's longevity because trust in public matches is heavily eroded over time. Rage hackers you can just kick/ban/leave the match yourself because it's obvious.

      • jorvi 4 hours ago

        > Now cheating has to at least look like high level play instead of someone flying around spinbotting everyone from across the map. Players hopefully don't get as frustrated when playing against cheaters as they assume they are just great players. Great players should be competitive against cheaters as well.

        No, those are still just as vehemently hated as “closet cheaters”, for example the whole XIM / Cronus infestation on any game that has controller AA.

        It’s still possible to, on average, spot if it’s a closet cheater or an actual good player due to things like movement and gamesense, but for the average player it will be much less obvious, leading to a huge amount of rage towards good players because they are by default suspected as “just another closet cheater.”

        • johnisgood 3 hours ago

          What are you referring to by "gamesense"? FWIW you can implement all sorts of movement hacks, from dodging bullet particles to appearing laggy enough to seem to be teleporting.

          • jdietrich 3 hours ago

            Gamesense: a mental model of the game by which players can anticipate and pre-empt the actions of other players.

            A CS:GO player with good gamesense will habitually keep their crosshairs at head height and aim at corners where an enemy is likely to emerge. They'll have an intuitive sense of how long it takes to run from one point on the map to another. They'll listen through walls for footsteps to try and decode where the enemy are, where they're headed to and what strategy they might be about to attempt.

            To the uninitiated, it looks a lot like cheating - you peek through a window and instantly get headshotted before you've had any chance to react. To the guy who hit you, it's just basic gamesense - you did a predictable thing and he punished you for it.

            • ultimafan 2 hours ago

              Yeah, it feels like a dead giveaway when someone at higher ranks has near perfect but within the realm of believable gameplay from a mechanical standpoint (great aim control/accuracy, hitting lots of flick shots) but then they're running all over like a headless chicken, getting lost on the map, have no regard for positioning and angles when pushing or defending, just purely leveraging "skill" alone.

            • johnisgood 3 hours ago

              Thank you, that makes sense.

      • berbec 6 hours ago

        This is a slippery slope which we can view in real-time looking at the speedrunning community. Many current real person runs are using strategies once thought to be computer-only. A Mario run from 2024 would be viewed as totally impossible in 2004.

        • jwagenet 4 hours ago

          This isn’t really a relevant concern for online games since speed running is mostly rehearsed play with predictable game mechanics, not inhuman response to novel stimulus.

        • burnte 4 hours ago

          No one does multiplayer speedruns.

          • endgame an hour ago

            Counter example: https://www.youtube.com/watch?v=8g_7Hx42P1Y

            There's also the multi-world randomiser community, where people network a bunch of emulators together, and finding an item in one game can actually unlock something else in another player's game.

          • BlueTemplar 3 hours ago

            Of course a lot of people do them. They even do them with multiple teams in parallel, starting at the same time!

      • bob1029 6 hours ago

        This is kind of getting into my idea - Statistical methods & maybe a sprinkle of old-school machine learning.

        What I would try is to hire a red team & blue team and put them in a sandbox environment. The red team cheats on purpose. The blue team is guaranteed to be playing legitimately. Both teams label their session data accurately. I then use this as training & eval set for a model that will be used on actual player inputs.

        The only downside is that you will get a certain % of false positives, but the tradeoff is that there is literally nothing the cheaters can do to prevent detection unless they infiltrate your internal operations and obtain access to the data and/or methods.

    • anamexis 7 hours ago

      Are there more sophisticated cheat developers though?

      • Night_Thastus 7 hours ago

        Cheat development these days is incredibly sophisticated. There are swathes of tutorials, old and recent examples to research, advanced inspection tools, etc.

        It's so much easier to make cheats today than it was, say, 10 years ago.

        It's also easier because more and more games are sharing common infrastructure like game engines, as compared to the past. What works in one Unreal game may save you a lot of time developing a cheat for another Unreal game.

        These days, many online games encounter serious cheats within the first couple of days of release - if not the day OF release.

        • oneplane 7 hours ago

          Some of the sophistication is not really in the technical breaking of the game or protocol anymore, figuring out if something is plausible might yield detections that you cannot "cheat" because it no longer matters if your cursor clicked on a head at the right time or not, it matters if your posture/reputation/experience makes your behaviour plausible.

          Cheating and anti-cheat used to rely a lot on the pure technical parts (like "is something sneaking some reads from the memory the game engine uses to clip models?"), which is ultimately not something you will win as a game developer (DMA/Hardware attacks or even just frame grabbing the eDP or LVDS signal and intercepting the USB HID traffic has been on the market for quite a while).

          But implausible actions and results for a player can only be attributed to luck so many times. Do 30 360noscope flick headshots in a row on a brand new account and you can be pretty sure something is wrong.

          If we can get plausibility vs. luck sorted out to a degree where the method of cheating no longer matters, that's when the tide turns. Works for pure bots as well. But it's difficult to do, and probably not something every developer is able/willing to develop or invest in.

          • Night_Thastus 6 hours ago

            It's hard to balance around those sorts of things. For example, imagine a cheat that gives the player additional info about where enemies are and their state (ie: health). Even if they are of totally normal skill level in terms of movement and aim, that info will allow them to be substantially better than others. How are you going to detect that, and differentiate it from players who simply have a great sense of map awareness and a good ability to keep track of enemies and when to punish them?

            Anything that makes assumptions about player's skills runs into problems too. For any online PvP game, the skill ceiling will rise with time. What once may have been considered improbable may soon become what's consistent for the top 1% or even 0.1% of the playerbase given a few years.

            As well, it can run into problems as rebalancing occurs and new abilities are released.

            • oneplane 6 hours ago

              Even the base example would make that specific scenario trivial: an account that is new has no business "being better" than everyone else.

              The only group you'd punish with that is skilled players that lose their account (and create a new one), but if you use a moving skill window they can grow back into their plausibility pretty quickly, and it's a small cost compared to everything else. And you could even mitigate that by making things like the first 10 matches require a different plausibility score than the matches after that.

              And with different I don't mean "no scoring at all" or something like that. But a cheater tends to not cheat "a little bit". You might have togglers, but that sticks out like a sore thumb (people don't suddenly lose or gain skill like that). And even if that fails (lots of "cheating a little bit" for example), you've still managed to boot out the obvious persistent cheating.

              And that's just with 1 example and 1 scenario. Granted, that bypasses the fact that it is still difficult and doing it broader than one example/scenario is even more difficult, but that's why I ended the previous comment pointing out the difficulty and associated cost, which goes hand in hand with the balancing difficulty you pointed out. Even tribunal-assisted methods (not sure if Riot games still does that) have the same problem.

              • Night_Thastus 5 hours ago

                What about new players who are competitive in other, similar titles, and thus start off with a strong advantage?

                And - what about experienced players who cheat?

                In some scenes, it's actually more often that cheaters are some of the best, most experienced players who have a strong competitive lean and feel they 'deserve' to win, so use cheats to get an edge. It's far more common than you'd think.

                That's the problem with any anti-cheat system. It's all the what-ifs. Every single 'clever idea' that has been theorized under the sun has been tried and most have failed.

                • oneplane 3 hours ago

                  Those players would be initially quarantined either way and a sliding experience window would put a limit on what is plausible. Same goes for transferrable skills.

                  Experienced players who cheat will still be subject to plausibility. Say there is a normal amount of variance in humans but suddenly some player no longer has variance in their action. That's not plausible at all. Or a player looking at things they cannot see, that might sometimes be a coincidence, but that level of coincidence is not plausible to suddenly change a drastic amount.

                  Again, this sort of thing doesn't catch all subtle cheaters, but those are also not the biggest issue. It's the generic "runs into a room, beats everyone within 10ms", and "cannot see, but hits anyway all the time" type of cheat you'd want to capture automatically.

                  A what-if in a tournament or the top 1% of players is such a small set of players, you'd be able to do human observation. Even then someone could cheat, but you're so far outside of the realm of general cheating, I wonder if that's worth including in a system that's mostly beneficial inside the mass market gaming players.

                  Either way, this sort of detection is usually done in the financial and retail world, and results in highly acceptable rates and results. It's not perfect with a 100% success rate or something like that, but it's pretty successful. Just not something studios or publishers seem to want to invest in. It's much simpler to just buy or licence something (like Easy Anti-Cheat). Broad internal expertise isn't something the markets are rewarding at this point.

              • johnisgood 3 hours ago

                > Even the base example would make that specific scenario trivial: an account that is new has no business "being better" than everyone else.

                You cannot and should not rely on that, depending on what account really means, e.g. in ioquake3 games, having a new GUID (you delete a specific file to get a new one) makes you a new player.

                • oneplane 3 hours ago

                  Sure, it would only work on games where the client and server both authenticate, otherwise none of this will work as there would be no reputation to be relied on.

                  • johnisgood 2 hours ago

                    I agree, just thought I would mention. :)

                    > A smurf is a player who creates another account to play against lower-ranked opponents in online games.

                    Happens in many games, including League of Legends on which people typically spend a lot of money.

        • BlueTemplar 3 hours ago

          It's funny, with "sophisticated", I would have expected "so much harder".

          But I guess the documentation and standardization are even more advanced ?

  • arminiusreturns 4 hours ago

    Something I'm working on now. The real issue is that you get more perf hits trying to do all the important stuff server side, so devs have become lazy and offloaded more to the client than they should have, and then that became the standard. Moving all important actions server side isn't easy or cheap but it's how you prevent cheating much more holistically.

    Now add in that I'm running a physics-heavy game with 120 tickrate, (considering higher after more tests), with fine motor control action combat, aimed to scale to mmorpg size, and it really becomes a challenge!

  • andrewmcwatters 4 hours ago

    The state of the art is pretty boring and you can learn about user command payloads in an afternoon.

    The world is much more complex now that YOLO-based aimbots exist, and I think the real answer is that anti-cheats are now defeatable, period.

    You can craft a private binary that has no hash registered to any major anti-cheat service on the client-side, and on the server-side you’re limited to what is allowed by game rules.

    Since there are no mechanisms for preventing superhuman reflexes, and there probably shouldn’t be, it’s an issue that cannot be solved anymore.

    So you need community judgement, and that too is boring. Good players being accused of cheating in Counter Strike is a years old and entertaining problem.

    • BlueTemplar 3 hours ago

      > now that YOLO-based aimbots exist

      the what ?!?

      • mardifoufs 2 hours ago

        Probably refers to the YOLO family of object detection/classification models. Though I wasn't aware that they could be used for something like cheating in csgo. They are really fast compared to most AI models but I thought that it still wouldn't be fast enough to give you a real advantage (especially for pros), as cheats usually depend on "wall hacks" or similar, and being able to see more than what you could see on your screen.

leetbulb 7 hours ago

This isn't about stopping cheaters (cheat detection). This is about stopping repeat cheaters trying to ban evade. Detecting cheats, especially nowadays with hardware cheats (DMA, etc), is an entirely different ballgame.

IMHO, one of the most effective ways to stop ban evaders is to actually charge money for the game.

  • kemitche 7 hours ago

    At the time of the events in the blog, CS:GO was NOT free, and yet there were still cheaters that apparently had access to 80+ accounts.

    • connicpu 6 hours ago

      Why pay for the game when you can go to an onion site that will sell you hundreds of compromised accounts that own the game for a fraction of the price?

    • bob1029 6 hours ago

      Charging money and banning at the payment provider level can be quite effective. It isn't a perfect answer but it cuts out gigantic chunks of the problem space.

      I'll take a ~99% cheat-free experience over not having any improvement at all.

      • kemitche 6 hours ago

        Agreed, but in this particular case the blog writer was running private servers, rather than being Valve. They had no control over payment processing etc.

    • leetbulb 6 hours ago

      That's fair. There will always be cheaters like this. However, anecdotally, after CS or any other game I've played that went free-to-play, cheaters became a much much larger problem: from seeing one every now and again, to at least one in nearly every match.

  • Frotag an hour ago

    Banning by TPM also makes ban evasion pretty expensive. At which point the cheater has to either buy a new mobo or solder a new TPM chip onto their mobo (not always possible). Though I guess at some point a sloppy vendor will leak TPM keys and it'll be spoof-able.

mobeigi 6 hours ago

If the website is down or slow and you want to read the article, here is a full page screenshot of the post: https://i.imgur.com/SPp6IHX.jpeg

Sorry :'( I didn't expect the post to get this much traffic.

codefined 6 hours ago

> I only shared the solution and technique with one other server operator I fully trusted based in the UK

I think that was us! We ended up combining it with other fingerprinting indicators, but the whole 'use VGUI' was a surprisingly effective way at handling this. I believe they removed the web browser in ~2018, which was disappointing. Being able to have custom skill trees / fun integrations with servers was really powerful!

LinuxAmbulance 7 hours ago

Excellent write up and solution. Cheating in video games makes for a wretched experience for those who don't cheat.

It's crazy how rampant cheating in multiplayer games, especially competitive ones, has gotten. Ten years ago, I thought it was at an extreme, but it's only gone up since then.

Part of the problem is that for some software developers, writing cheats brings in a massive amount of money.

So instead of some teenager messing around making unsophisticated cheats, you have some devs that are far better at writing cheats than game developers are at preventing them.

It doesn't help that game devs have to secure everything, everywhere, but cheat devs only have to find a single flaw.

  • BlueTemplar 2 hours ago

    Some competitive multiplayer games.

    Which seem to be exclusively FPS games with ~10+M players ?

    I don't even remember the last time when I've heard of a game outside that very narrow (albeit decently popular) category to have complaints about cheaters. Meanwhile for these games, I hear about it like every month, and all this despite this genre being amongst the ones that I play the least !

    • ClassyJacket 2 minutes ago

      Well, it's just a genre that's immensely popular and easy to cheat in.

      If you have access to the game's memory etc, it's pretty easy to create an aimbot or thing that lets you see thru walls et cetera.

      How you gonna cheat in a moba? It's a strategy game, you need, like, cutting edge AI to beat the best humans at it. In fact OpenAI specifically worked on an AI to play Dota 2, it was that hard.

    • mvdtnz 2 hours ago

      Cheating is commonplace in lots of games much smaller than that. Company of Heroes 2 (an RTS released in 2013) for example is pretty much ruined by map hackers.

  • DJBunnies 7 hours ago

    I think a better question here is: why is game code so exploitable?

    A: laziness and cost. It just doesn’t matter the same way that banking code matters, I guess.

    So they toss on some cheap anti cheat instead of architecting it safely (expensively.)

    • andrewia 7 hours ago

      I think that's a very naïve way of looking at game development. There are many reasons why games are exploitable besides lack of reasonable dev effort.

      - Almost all games are going to use a licensed or shared game engine. That means the software architecture is already known to skilled cheat developers with reverse engineering skills.

      - Obfuscating the game will only go so far, as demonstrated by the mixed success of Denuvo DRM.

      - The game will not be the most privileged process on the machine, while cheaters are glad to allow root/kernel access to cheats. More advanced cheaters can use PCIe devices to read game memory, defeating that mitigation.

      - TPMs cannot be trusted to secure games, as they are exploitable.

      - Implementing any of these mitigations will break the game on certain devices, leading to user frustration, reputation damage, and lost revenue base.

      - And most damning, AI enabled cheats no longer need any internal access at all. They can simply monitor display output and automate user input to automate certain actions like perfect aim and perfect movement.

      • maccard 6 hours ago

        A couple of thoughts, but I largely agree with you.

        > Obfuscating the game will only go so far, as demonstrated by the mixed success of Denuvo DRM.

        Denuvo is for the most part DRM, rather than anticheat. Its goal is to stop people pirating the game during the launch window.

        > The game will not be the most privileged process on the machine, while cheaters are glad to allow root/kernel access to cheats.

        This ship has sailed. Modern Anticheat platforms are kernel level.

        > TPMs cannot be trusted to secure games, as they are exploitable.

        Disagree here - for the most part (XIMs being the notable exception) cheating is not a problem on console platforms.

        > AI enabled cheats no longer need any internal access at all. They can simply monitor display output and automate user input to automate certain actions like perfect aim and perfect movement.

        I don't think these are rampant, or even widespread yet. People joyfully claim that because cheats can be installed in hardware devices that there's no point in cheating, but the reality is the barrier to entry of these hyper advanced cheats _right now_ means that the mitigations that are currently in place are necessary and (somewhat) sufficient.

        • ghxst 5 hours ago

          It's not AI enabled cheats that are the issue, it's DMA through things like PCIe devices disguised as regular hardware. Sophisticated cheats no longer run on the same computer as you're playing on. Google "pcie dma cheat" for a fun rabbit hole.

          • maccard 4 hours ago

            Right, but the barrier for entry for those cheats is huge - the sp605 board is $700, for example. There are cheaper ones, but you’re not going to have rampant cheating testing through games when you add hundreds in hardware to the requirements.

            Anticheats work in layers and are a game of cat and mouse. They can detect these things sometimes, and will ban them (and do hardware bans). The cheaters will rotate and move on, and the cycle continues. The goal of an effective anti cheat isn’t to stop cheating, it’s to be enough of a burden that your game isn’t ruined by cheaters, and not enough of a target to be fun for the cheat writers.

        • heavenlyblue 5 hours ago

          > This ship has sailed. Modern Anticheat platforms are kernel level.

          so you use a kernel level anti-anti-cheat

    • lagadu 7 hours ago

      Because at the end of the day the game is running on the user's machine, a machine in which the user has full access to every part of the execution and the software developer does not. You can only get around that by streaming the game instead of running it on the client side and even then an aimbot or some type of automation would be possible nowadays.

    • doctorpangloss 7 hours ago

      > I think a better question here is: why is game code so exploitable?

      The nature of FPS games means only environment integrity can stop cheating. It's not exploitable per se. Just the game skill can be done by a computer perfectly.

      Conversely who knows how long it will take for AIs to play Hearthstone with never-before-seen-cards well.

      • wbl 5 hours ago

        Probably three years

    • numpad0 5 hours ago

      Oh, that's an easy one.

      - GOOD software is simple and easy to understand, which makes it EASY to cheat.

      - BAD software is needlessly complex and finicky, so it's HARD to rig it for a cheat.

      - Anti-cheats intentionally make software BAD and over-complicated, so cheaters would have a hard time modifying it. But computers are brittle and also aren't smarter than humans so cheaters will eventually find a way.

      - Security is a completely irrelevant topic since game clients are "bought" and run on your hardware; Digital Restrictions Management built to work against you as user is anti-consumer, anti-right-to-repair, anti-human, super bad thing, and lots of efforts are made to keep PC away from it as much as practical.

      It has nothing to do with laziness or cost. If anything it'll be the best programmed game that gets hacked fastest. And PS2 that gets emulated last.

    • jsheard 7 hours ago

      Architecture can help up to a point but it can't stop everything - the usefulness of ESP can be reduced by not sending the client information it doesn't need to know, but that gets computationally expensive on the server, and culling information too aggressively can interfere with lag compensation. Perfect recoil compensation can be prevented by not replicating the server's RNG state on the client so it can't predict where the next bullet will go, which CS:GO started doing at some point. Aimbots though? Those are just automating an input the user could theoretically make legitimately, so you're pretty much stuck with statistical heuristics or client-side detection.

    • tedunangst 7 hours ago

      No kidding, implementing multiplayer as a VNC session on a controlled server is very expensive.

    • GuB-42 6 hours ago

      Priorities. Games need content and performance. Give game developers more budget, and they will work on making the game faster, fix game breaking bugs, and add content rather than make the game less exploitable.

      And cheats do not always rely on exploitable bugs. A bot using screen capture and input device emulation works at the OS level and in other contexts (ex: accessibility), it would be a legitimate thing to do.

    • ghxst 5 hours ago

      A very large amount of games that are released nowadays all use well known and well documented engines, that's what makes it a lot easier, there's an interview on YouTube with a company that develops cheats for multiple games that mention this here: https://youtu.be/zwruk-tLIOU?si=3O2jBKQneur-n3iS

    • Matheus28 7 hours ago

      It’s not that simple.

      Some games aren’t able to prevent cheating. The client has the data on where the enemies on their screen are. The cheat only needs to move the mouse and click on the enemies' heads. Other games like MMORPGs involve the cheat just playing the game and farming on behalf of the player.

      It just becomes a cat and mouse game where the anti cheat is trying to detect something hooking into the game process while the cheat tries to hide itself.

      • drdaeman 6 hours ago

        > MMORPGs involve the cheat just playing the game and farming on behalf of the player

        From a player perspective that's not cheating, that's running a bot. It's automation of a routine grind - which is typically designed to make players hate it and spend money instead. Automating boring stuff is simply natural.

        For pay-to-win games it's effectively a balancing system, a pushback against player-hostile mechanics. Not unlike an adblocker on the web.

        That's strictly in context of MMORPG genre, of course.

    • kelnos 6 hours ago

      I think GP's last line covers it. It's the same reason why DRM is ultimately ineffective, and why even companies that work hard and spend time and money to secure their infra still sometimes get popped: the game devs have to be perfect 100% of the time, but the cheaters only have to get lucky and find a flaw once.

    • colechristensen 7 hours ago

      This isn't the better question.

      When you have software running locally, you can arbitrarily modify how it runs.

      Like an aimbot is a powerful cheat, and there's no amount of security that can prevent one from being used outside of an anticheat being able to look deep into what your system is doing, what it contains. The only way to prevent that kind of thing is to remove your control of your own computer.

      • Ekaros 7 hours ago

        And even then you could do aimbot with camera pointed on the screen and either faking a mouse or providing sensor sufficient data somehow to simulate movement... That is reach super human reaction times and accuracy...

        • drdaeman 6 hours ago

          I wish I'd live to see the time of true cyborgs who will exceed ordinary human capabilities in some regard.

          • colechristensen 3 hours ago

            How attached and how technical does it have to be to be "cyborg".

            Me with a pen and paper exceeds many human capabilities.

            Likewise with wearables like a smartwatch.

            Does it have to be direct neural integration to be a cyborg? Definitely people with profound brain injuries have been enhanced to the ability to interact again.

            • drdaeman an hour ago

              Good question! IMHO, it's a spectrum, of course, not a binary concept.

              But if we have to define a criteria... I guess, integrated just enough so it can't be trivially removed, making it more of a "body part" rather than a "tool".

              Point is, it'll certainly spark a discussion and re-evaluation of what's "fair", potentially shifting the consensus from somewhere around the current "glasses are fair game, but a programmable mouse is not" to somewhere more accepting of differently-abled individuals.

      • jsheard 7 hours ago

        > When you have software running locally, you can arbitrarily modify how it runs.

        Well, you can on PC at least. Xbox and Playstation security has matured to the point that code modification in online games isn't really a thing anymore, the worst they have to deal with is controller macros most of the time.

        • lagadu 6 hours ago

          Until they get jailbroken that is. There is no such thing as a perfectly secure platform in which the user has complete physical control over it.

          • jsheard 6 hours ago

            The PS4 and PS5 have been jailbroken numerous times, but...

            1) Their secure boot implementation has never been broken, which means you can't upgrade from an exploitable version N firmware to a non-exploitable version N+1 while persisting a backdoor like you could on older systems like the PS3. You're stuck at version N until another exploit is found.

            2) They rotate the crypto keys used for online play with every new firmware so they can easily lock those old exploitable firmwares out of online play for good, even if they try to spoof their version number. There's no getting around not having the new keys.

            Meanwhile the Xbox One took a decade to get even a limited jailbreak that allows arbitrary code execution inside the game sandbox, but can't escape the game sandbox to take over the kernel, and the Xbox Series systems have yet to be jailbroken at all on any firmware.

            Hypothetically being able to break anything with physical access doesn't count for much in practice if the thing you want to physically attack is buried inside a <7nm silicon die, doesn't trust anything outside of itself, and has countermeasures against fault injection attacks. The Switch may well be the last big victory for console hackers, the writing has been on the wall for years now.

latexr 7 hours ago

> The best part was that no one knew how we were able to do this and our admin team kept the implementation a top secret. We should have filed a patent!

I know you’re joking, but if you had filed a patent you would have had to reveal the trick, thus rendering it immediately useless.

Doesn’t detract at all from your post. Fun read.

avree 6 hours ago

This link is 404ing for me. Anyone else?

ultimafan 6 hours ago

Cheating in online games is a scourge and I really don't understand why people do it. It's one person selfishly getting a "win" at the expense of ~60 other people in that match having their time, pleasure, potentially money absolutely wasted.

I think even more infuriating than blatant hacking is this epidemic of "micro cheating" for lack of a better way to put it that I've seen prevalent in some games that just boost some stats or reactions by amounts large enough to help the cheater but low enough where new or inexperienced players have absolutely no way of telling if someone is cheating or genuinely good especially in games with high skill ceilings. At least when it's blatant you can leave without time wasted but when they're doing it subtly you end up getting tilted and spending the whole match with a bad taste in your mouth second guessing if someone is actually playing fair or not. Chivalry 2 is a really bad offender for this, once you notice it you can't unnotice it anymore, almost every match will have at least one guy with his swing/move speed adjusted by ~10% and in a game where swing manipulation is a legitimate mechanic it can be borderline impossible to catch someone out on it unless you're really paying attention.

  • daghamm 5 hours ago

    Cheating is also big business. Players can pay big bucks to rent (!) a cheat.

    IIRC there is an episode on darkness diaries podcast about this.

    • ultimafan 3 hours ago

      Yeah I get that, I understand why cheat developers do what they do. It seems like there's a huge market and I find it hard to blame them trying to make a living- morality wise they're probably more worried about rent, bills, family than whether or not someone's game time is ruined. But it's only this way because so many people are willing enough to cheat that dropping money on it is fine for them. It's their psychology I don't really get. Even if they're doing it because they want the satisfaction of a "win", doesn't that victory feel hollow because it's something they paid money for? It's like the difference between a community valuing you enough to give you an award vs going down to the trophy shop and paying someone to make you your own trophy that doesn't really mean anything.

beeboobaa3 7 hours ago

> If a player joins with a different Steam ID but with an IP address that is already banned, the system now re-bans them

This works great until you realize you're punishing innocent players because of CGNAT and IP addresses getting rotated. Cheaters usually know how to get their router to request a new IP address. That IP address then gets assigned to someone else later.

  • mobeigi 7 hours ago

    This scenario definitely did pop up and we would review it on a case by case basis to unban users or make exceptions. However, it was quite rare. Only a handful of reported instances over several months. If our servers were more popular we definitely would have run into it a lot more.

    • Alupis 7 hours ago

      I would wager most people just move onto a different server - leaving you with useless/suppressed data on how many people this may have impacted.

    • LudwigNagasena 6 hours ago

      You would need to ban random people and see how many of them report it to estimate the real amount of such errors.

  • cwmma 7 hours ago

    They addressed this in the section entitled "Problematic cases of IP address fingerprinting"

    • onli 7 hours ago

      No, not specifically. That section is still written under the misconception that IPs are bound to households, or static networks like university networks. Instead they can swap at the very least country wide (or rather, however the provider manages the IP addresses it controls). Their mental model is just not how the internet works.

      By using IP as the ban id they created a system that constantly and regularly banned completely innocent steam IDs, thinking they are somehow linked when a new steam id uses a banned IP, which is nonsense. They just did not notice because the banned gamers did not complain.

      • Ekaros 7 hours ago

        Being from a country with a lot of IPs for operators. I did some packet sniffing on DHCP broadcast traffic seen by my router (ISP should filter that...) and I saw at least 3 non-continuous public IP blocks... And that was just a day or less of monitoring this traffic...

        So if the same connection (plug in wall) can end up with IPs from different blocks, well, trying to do anything sensible with this is too complicated.

    • lagadu 6 hours ago

      I always found it funny how ip bans seemed to be so popular despite being apparently completely ineffective until I realized this was mostly a US thing. In my country (2 of them that I've lived in, in fact) ISPs always assign the client a dynamic address from their very large pools every time I reconnect. This was as true back in the 28.8kb dial up days as it is in the 10gbit FTTH days we live in. Having a static IP address here has always been a service you have to pay for.

      I remember this being hilarious when idiots would ip ban me back on the IRC days: "oh no, I have to press the reconnect button!"

  • Vvector 7 hours ago

    That was addressed in the article.

  • therein 7 hours ago

    Yeah, you would think they would rely on their secret cookie in that situation instead, to minimize false positives like that.

aftbit 7 hours ago

>Now, in order for a player to appear to us as a "fresh player" they would need to change their Steam ID, IP address and Steam installation folder. As you can imagine, no one is going to do the latter.

Really? I would expect that a dedicated cheater would reinstall Windows (or reload from a snapshot) every time they are caught.

  • Ekaros 7 hours ago

    Seems like they were private servers. So they really need only hurdle enough to have cheaters go somewhere else. Not totally kill their ability to play. And well most people will move on. Only those who take it most personally start to spend a lot of time.

ycombinatrix 7 hours ago

>We Outsmarted CSGO Cheaters by Exploiting the Client

Fixed

  • mobeigi 7 hours ago

    The game's the game.

lwansbrough 7 hours ago

I suppose different people are entitled to different opinions about fingerprinting, but I reckon it only takes working on a single project where this is a real issue for you to change your mind.

We do behavioural analysis on top of various fingerprinting for bot detection - some people are trying really hard to ruin the internet!

I suspect a sufficiently advanced server side behaviour analysis could do a pretty good job discovering cheaters.

  • ghxst 6 hours ago

    Not at the expense of false positives, though. Sophisticated cheat developers and bot creators are skilled at exploiting that narrow margin of error where companies can't push detection further without compromising the experience for legitimate users and destroying their game or service.

wnevets 7 hours ago

I wonder what kind of theories these cheaters invented to explain how they were getting caught.

therein 7 hours ago

I am surprised VGUI browser shares cookies across Steam accounts. When I log out of my Steam account, switch to another one, launch the same game, I would have expected an entirely different datastore to be used for the VGUI browser.

  • mobeigi 7 hours ago

    It was a security nightmare. Basically a half baked browser with a subset of the security considerations you'd expect from a browser.

    Valve worked on it for a little while patching bugs as they popped up (notoriously slowly I might add). Then in August 2017, an exploit in which server operators could execute JavaScript on players that joined their servers started to spread and was maliciously abused by bad actors. For example, some server operators using their player base's residential IP addresses to sign up to gambling websites so they got kickbacks. Others simply tried to hijack Steam accounts or sell rare Steam virtual items on the Steam marketplace to themselves.

    After Valve patched the above exploit, some smaller bugs popped up in the following weeks and 2 months later in October, Valve completely binned the VGUI browser in CSGO. They had enough! This broke a lot of plugins like IdentityLogger and music players that would play music in the background as you played the game. But at least the attack vector was removed.

  • jandrese 7 hours ago

    The VGUI browser was a security nightmare, which is why Valve eventually deleted it from Steam.

  • awestroke 7 hours ago

    The VGUI browser also allowed servers to steal the steam session cookies. So not a very hardened implementation at all.

Giorgi 7 hours ago

Thinking about it, Steam should force this on every game developer that has a cheating problem (I am assuming mainly shooters), maybe implemented better fingerprinting way, giving developers options to hide cookies somewhere in folders of their choosing.

  • jandrese 7 hours ago

    The problem is that once a technique like this becomes standardized the cheat software will know how to automatically disable it. Even in the article it points out that had the cheaters put in the work they could have edited a single text file to break the system, but they did not. If this solution had been implemented for all CS:GO players then it would have been defeated fairly quickly, but since it was just one set of servers those were easy enough for the cheaters to avoid.

    That said, eyeballing the chart in the article you can see an enormous ban wave that happens when the system is turned on, but afterwards the total level of cheating quickly returns to roughly where it started. If there were long term impacts it was only in the reduction of staff hours needed to review game footage to determine if a player is cheating.

  • Ekaros 7 hours ago

    Risk there is that whatever ID is generated tends to leak. So a lot of cheaters will either tamper with it or circumvent it. So the game will continue and not actually be effective for very long.

kjkjadksj 4 hours ago

Couldn’t you stop cheaters by just looking at how their telemetry metrics are different from the baseline? If you get to a point where the cheater has to cheat to only be as good as a median player in the lobby in order to evade detection, you’ve effectively neutered it.

  • grayhatter 2 hours ago

    How would something like that work?
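One way the baseline comparison asked about above could work, as an added example that is not part of the thread: score each player's metrics against the lobby with a median/MAD modified z-score and flag only players who are extreme on several metrics at once. The metric names, sample values and thresholds are assumptions constructed for illustration.

```python
from statistics import median

# Constructed sample telemetry (per-player averages over recent matches).
# Metric names and values are hypothetical; p04 is a strong legitimate player.
LOBBY = {
    "p01": {"headshot_ratio": 0.21, "reaction_ms": 310, "accuracy": 0.24},
    "p02": {"headshot_ratio": 0.18, "reaction_ms": 290, "accuracy": 0.20},
    "p03": {"headshot_ratio": 0.25, "reaction_ms": 270, "accuracy": 0.28},
    "p04": {"headshot_ratio": 0.30, "reaction_ms": 250, "accuracy": 0.41},
    "p05": {"headshot_ratio": 0.22, "reaction_ms": 300, "accuracy": 0.23},
    "p06": {"headshot_ratio": 0.19, "reaction_ms": 330, "accuracy": 0.19},
    "p07": {"headshot_ratio": 0.27, "reaction_ms": 260, "accuracy": 0.30},
    "p08": {"headshot_ratio": 0.78, "reaction_ms": 120, "accuracy": 0.35},
}
# +1: above baseline is suspicious; -1: below baseline is suspicious.
DIRECTION = {"headshot_ratio": +1, "reaction_ms": -1, "accuracy": +1}

def robust_z(value, population):
    """Modified z-score (median/MAD); one extreme player barely moves the baseline."""
    med = median(population)
    mad = median(abs(x - med) for x in population)
    if mad == 0:  # degenerate baseline: no spread to compare against
        return 0.0
    return 0.6745 * (value - med) / mad

def flag_outliers(lobby, threshold=3.5, min_metrics=2):
    """Return {player: [metrics]} for players extreme on at least min_metrics metrics."""
    flagged = {}
    for player, stats in lobby.items():
        hits = []
        for metric, sign in DIRECTION.items():
            population = [s[metric] for s in lobby.values()]
            if sign * robust_z(stats[metric], population) > threshold:
                hits.append(metric)
        if len(hits) >= min_metrics:
            flagged[player] = hits
    return flagged

if __name__ == "__main__":
    print(flag_outliers(LOBBY))
```

Requiring agreement across metrics keeps a single strong stat (p04's accuracy) from triggering a flag; a player whose numbers sit at the lobby median is not flagged at all, which is the "neutered" outcome the comment describes.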

Retr0id 7 hours ago

> Wonderful, we have found a way to silently persist a cookie for each player as they join the server.

This violates GDPR, no?

Edit: It sounds like this took place before GDPR was being enforced.

  • kemitche 7 hours ago

    GDPR isn't a blanket ban on cookies. You don't require a cookie notice for strictly necessary cookies, which you have a "grounds of legitimate interest" for: https://commission.europa.eu/law/law-topic/data-protection/r...

    Fraud prevention is listed as an example of a "legitimate interest."

    So no, by my layman's interpretation, they would not have been bound by GDPR to notify the user of cookies or other fingerprinting used solely for anti-cheat. They'd run into trouble if they use that same ID for marketing/advertising without consent, though.

    • Retr0id 6 hours ago

      They're perhaps not required to gather explicit opt-in consent, but my understanding is that they'd be required to disclose what information they collect/store.

      • phire 4 hours ago

        The same rules apply to the Steam ID and IP address.

        As far as I'm aware, you can get away with disclosing the fact that you are tracking "unique identifiers for the purpose of anti-cheating" in the terms and conditions, without explicitly explaining the technical details that it's a cookie.

        Also, this is a server covering the Australia/New Zealand region, so it doesn't have to worry about GDPR compliance.

    • newZWhoDis 6 hours ago

      GDPR is toothless eurotrash.

      I saw a consent form that had 72 optional, 21 “legitimate interest” cookies.

      GFB

      • Ylpertnodi 4 hours ago

        That means GDPR is working.

Joel_Mckay 7 hours ago

In general, hardware/GPU/MAC signature hash checks are the only consistent way to bind player account histories, and even then cheats will change their identity with new hardware on fake postal addresses. Best to add a few weeks delay with "reviewing" ban status to prevent them returning hardware to retailers. Each day randomly permute which hardware signature trips the auto-re-ban after a random number of minutes.

Cheaters ruin the fun for everyone including themselves. Admins need to provide a personal cost deterrent for problem users, and randomly hang the game for people using code mods.

Let the ban hammer fall =3

  • johnisgood 3 hours ago

    Unless I misunderstood, I do not see how this would actually work in practice considering the client can be modified and I can send whatever I want to the server, i.e. spoofing.

    • Joel_Mckay an hour ago

      Even the WebGL signature check is resilient, and is the new tracking cookie on many sites like YT etc. It is a robust unique property of a specific system, and GPU. Not just the serial number...

      Indeed, duplicate salted-hash signatures on multiple active users mean shills, and immediate bans issued for both accounts tainted by the black list.

      The trick is to randomize a mix of easy and difficult signature checks daily.

      i.e. the exploit writers will have to spend time cleaning up bugs, redistributing the patches, and dealing with angry people that have a GPU that is on the blacklist for a game. The more hardware details collected, the more difficult it is to prevent tripping the admin alert.

      This is already done by some studios... "Play Stupid Games, Win Stupid Prizes" as they say... =3

Broge 7 hours ago

Feels disgusting with the hidden fingerprinting but very technically impressive!

beeboobaa3 7 hours ago

I hope they asked permission for storing those cookies. Otherwise they're violating various EU laws.

  • latexr 7 hours ago

    Not every cookie requires consent.

    https://commission.europa.eu/resources-partners/europa-web-g...

    In this case, this one might fit:

    > User centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration

    • beeboobaa3 5 hours ago

      It's clearly a tracking cookie.

      > for a limited persistent duration

      FTA:

      > However, the VGUI browser had no issues saving cookies with expiry dates exceeding 10+ years!

      So no, it doesn't even qualify.

  • ketkev 7 hours ago

    I'm not a lawyer, but I think this actually has some interesting things to think about. Not all cookies require consent under the ePrivacy directive; there is an exception for cookies that are "strictly necessary for the delivery of a service requested by the user". I think that'd fit in this case, since providing a cheater-free experience is part of the "service" the players are looking for. At the same time, the ePrivacy directive also mentions that the user should be provided with "clear and comprehensive information" about what is stored. Providing that would render the cookies useless.

    I don't know how these would balance each other out legally, but it's fun to think about

    • beeboobaa3 5 hours ago

      No, that doesn't count. Companies have tried arguing that their ads' tracking cookies are strictly necessary otherwise they wouldn't be able to offer their services (ads pay the bills). And yet, they require consent.

      Preventing cheaters is similar. And this is blatantly a tracking cookie.

      • eqvinox 4 hours ago

        You aren't considering that ad cookies/tracking are used to enable a service to someone else (ad buyers), while this anti-cheat tracking cookie is used to enable a service to the user themselves (a cheat-free gaming experience.) I think that may make the difference.

        Also, all of this was in 2017. Anyone doing it in 2024 should indeed run it past a lawyer.

  • mobeigi 7 hours ago

    Great point!

    This community is Australian & New Zealand based, we had 0 European players or visitors. And as @unsnap_biceps said, this predated GDPR compliance.

    You are right though that you wouldn't be able to do this in Europe today because asking for fingerprinting consent defeats the purpose because the hacker would likely quickly figure out what is happening and circumvent it.

  • unsnap_biceps 7 hours ago

    GDPR didn't take effect until May 2018; this only worked until October 2017.

    • ketkev 7 hours ago

      GDPR is about the processing of personal data. Cookies (and such) are subject to 2002's ePrivacy directive