Game Development Community

What are some really good effective ways of keeping hackers from ruining the game?

by Aaron Maldonado · in Torque 3D Beginner · 09/12/2013 (4:33 am) · 12 replies

When I am done with the game I am making, I do not want hackers to be continuously harassing players and ruining the game for people. Mainly the types of hackers that I am worried about are the ones that try to steal accounts, track IP addresses, hack into the game database, pirate game currency, use means to gain an unfair advantage over other players in general, and incur disruptive errors in the game. I mean, that is basically most of what hackers do. I had a few ideas of how to protect against hackers of certain kinds:
1. Only allowing people 18+ who have a credit card into the game, then trying to require everyone to show webcam proof of who they are. This actually seems like it could work but would severely compromise sales.
2. Knowing the maximum potential that any character can technically reach, and if it gets exceeded then an investigation is done on that character.
3. A very good report system.
4. Focusing on trying to constantly bring out the better nature of everyone who joins the game and making it so that any player would feel too guilty or horrible about doing something like that.
Idk. I have lots of ideas, but those were some of the major ones. What other ideas might there be?

#1
09/12/2013 (5:14 am)
1. No.. Just no you don't want to demand people to take a photo of themselves to register for your game, I get the idea behind it... But no..

2. You should always be aware of people doing extraordinarily well, but imo you can never know the maximum potential.

3. Yes, this would be a must-have for competitive games.

4. This is what Riot games are doing with League Of Legends, as a matter of fact they hired a bunch of psychologists to examine the human mind and how to manipulate players to behave nicer.
#2
09/12/2013 (5:27 am)
"1. No.. Just no you don't want to demand people to take a photo of themselves to register for your game, I get the idea behind it... But no.."
Okay. Excuse me if I sound like I really do not know what I am talking about and that idea sounded ludicrous (as you pointed out). I am not a completely fresh newbie at game design either though. I designed my own game before in the past. I see your point with that. Kinda had a bad feeling about that idea. Ya know, it might give the game a bad reputation.
"4. This is what Riot games are doing with League Of Legends, as a matter of fact they hired a bunch of psychologists to examine the human mind and how to manipulate players to behave nicer."
I did like this idea. I am sure it would probably take a lot of planning, though, to figure out how to go about it.
#3
09/12/2013 (6:11 am)
You should have a look at their honor system, which has been improving player behaviour a lot (if you are a nice player, other players get to honor you, and if you get enough honor points, then you will get a nice banner).
I know people say the LoL community is quite toxic, but believe me it is nothing near to what it was in Season 1 / 2.

There is a lot to learn from the LoL initiatives.
#4
09/12/2013 (6:39 am)
Documentation, specifically the Reference Guide tab in the left column, find Modules -> Networking and read it.
#5
09/12/2013 (11:25 am)
One word: Encryption.

Implement a strong encryption method such as AES-256-CBC, RSA-1024 (or higher), Triple DES, etc.

By securing the data transmissions between your database and your game client with high level encryption, you can effectively nail the coffin closed to a majority of hackers, with the exception of ones with high computing power, but at that point, they'd be spending more money to get the hardware than the return they'd make.

I have a few forum posts, blogs, and resources available for reading on how to install a few good cryptography libraries into Torque 3D, and even provide a functioning account system that uses two of the mentioned crypto. schemes above.
#6
09/12/2013 (11:51 am)
The way people treat each other is a cultural thing. If you want a better class of people then create a positive supportive culture.


  1. Don't EVER be defensive about your ego or your game. This will make an extremely negative atmosphere if you attack customers. People will take revenge.
  2. Be very clear on the terms of use of your website and game communication channels. Police the hell out of it to make sure ppl are not being abused.
  3. Enlist beta testers to police the forums, the channels, etc. Give them free copies of the game as a thank you. Consider even giving kickbacks to these folks. They will be the ones getting the most hate for policing the channels.
  4. Design filters to filter out phrases and words that are offensive. There is already some bad word filtering in T3D. This just helps with keeping the culture positive.
  5. Create an atmosphere that rewards consistency rather than x achievement. Someone hacking the system will not be able to be consistent, but they can get x achievement. So a mix might help.

What does this have to do with black hat hackers? A positive culture will help weed them out. A negative one will be a cesspool attracting them.

For hacking defenses:

  1. Pay an experienced security specialist to attack your site, game, and databases before release. This may be a former black hat hacker.
  2. Work with your website provider on ways to prevent attacks and security measures to take.

If your game gets big you will always have some type of hacker. With a good culture it will help keep your game looking good to the average user, and help weed the trash out. I don't know if there is really any way to definitively determine if a hack is occurring. You might check game development articles to see how the big guys deal with this. I would imagine web hosting and web designers have some good knowledge on this.
#7
09/12/2013 (4:46 pm)
I don't know about LoL. I think it's a lot worse now than the previous seasons.

Quote:
By securing the data transmissions between your database and your game client

The client should never talk to your database in the first place.

#8
09/12/2013 (4:53 pm)
@Demo: Lots of good points there, I'm using the beta tester model there for my own projects. I give them lots of incentives to help out around the community and while there's always the random troll or negative impulse source from the old T2 communities, I generally keep a professional and positive tone to completely weed them out of the community.

@Stefan: Well you can kiss ALL efficient R-P progression systems goodbye with that ideology.

In terms of blocking hackers from getting into your game, encryption generally works for keeping the important stuff handled, you obviously do NOT want to make the mistake that Activision and their relative studios have made for the past 6 - 8 years with CoD, leaving their key progression systems in plaintext and plain numerical format. Doing so just leaves the door open to this. Sure they can back up their claims of "oh, we can just ban them", but honestly, what more are they doing than exposing even more of their systems to potential hacking and bypassing? I'm sure a majority of you are aware that M$'s console banning system has pretty much become irrelevant to most JTAG modders because they have exposed it to too many users and bypasses and complete disabling of the systems were devised. So in terms of looking to the "big guys" for example, they honestly are using outdated and obsolete practices that will pretty much be all but rendered useless in the near term.

To protect your game, you want to secure the most important parts of the game (IE: Monetary, Progression, Stats) with some form of encryption. You really aren't using that much more space than you would be without it in place. Obviously some of the more necessary components of the game (player movement, behaviors, etc.) are unfortunately exposed to generalized hacks such as speed hacking and aimbots, but those can easily be averted as well.

T3D handles the speed hackers quite well with its internal pack/unpack networking system, you can't modify a datablock's fields in game without re-transmitting it to all of the clients, so a hacker's "self" tool would actually work for all players which honestly gives them no added benefit.

In terms of aimbots, these would require a little more C++ trickery, but you can add random sway to targeting systems using a UTC time for a seed, so unless the hacker has an exact time representation of when the server started, there will be absolutely no way to tell where the sway will be at the time. Just make it minuscule, but at the same time make it effective enough that an aimbot at long ranges would be rendered useless. You can also deny rotation speed to a certain rate per second to prevent those "amazing 180 no-scope" videos that little CoD hacker children seem obsessed with.

Hackers will always devise ways to try to break into your game, but if you stay ahead of the curve by knowing how they work, you can easily defend your game from it.
#9
09/13/2013 (11:29 am)
Quote:@Stefan: Well you can kiss ALL efficient R-P progression systems goodbye with that ideology.

What are you talking about? How do games out there accomplish R-P progression "efficiently" then? Because no software engineer worth his salt lets the client connect to the database.

They do it by letting the client connect to the game server, which connects to the database and handles all SQL-queries.

This is well known practice, mentioned here by HPlus as well.

Quote:T3D handles the speed hackers quite well with its internal pack/unpack networking system, you can't modify a datablock's fields in game without re-transmitting it to all of the clients, so a hacker's "self" tool would actually work for all players which honestly gives them no added benefit.

I'm sorry but this isn't true. A hacker can't change a datablock on the server. Speed hacking is done in games where the client is authoritative on movement, where it tells the server its position/velocity. This isn't how Torque works.
#10
09/13/2013 (4:24 pm)
There is no golden hammer solution for security. Being secure is not a do this one thing and you're good. Security is a combination of good development practices, using the right tech in the right places, having good policies and procedures about how to handle data, and defining levels of data significance (obviously credit card data is a higher impact to your business than a person's in-game tag or kill count).

You have to be vigilant in all aspects of your system, from the website, forums, billing system, to the game (client, servers, database, etc).

in terms of the griefing factor in your game that depends on your game design and restrictions you develop to prevent it or not.

But some general concepts.

-isolation: if it's only one hop from your web site to your gaming database or your billing database, you're likely to be in big trouble. cross site scripting might even be able to easily find a hole in all that php you use (if that's what you picked) and blammo they download your entire database and never have to crack anything, no encryption, no snooping, breaking into machines, nothing. don't make it easy by over simplifying your architecture.

-minimal installs on hardware. the more stuff running on your game machines, web machines, billings machines the more potential ways into your system.

-sure you can encrypt stuff, but it's not usually encrypted in memory on your machine so I can do replay attacks, edit the data in memory and let your game send the data all nice and encrypted for me.

-so never trust the client. one more time, never trust the client. server has to be the authority, always. as soon as you don't do that you have another hack/grief/way to gain advantage. if you have to trust the client for something make sure you weigh the impact if it's discovered and abused.

-simple system things, don't leave extra ports running, do you really need sendmail running on all the servers, do you need ftp, ssh, why are you letting remote connections log in as root (if using Linux), why are you not limited to internal connections, specific ports, etc. how do admins get in? do they have a certificate of authority of some sort, is it whitelisted by ip? what's your security model for them?

it goes on and on, but you should get the impression that security has to be part of your development from the very beginning. you don't tack it on later, you don't think about it later. you use good engineering practices for security all along the way. Security becomes part of the process, part of the testing, it becomes multiple layers and those layers have some overlap but cover different angles.

think of it like banks, you have a login and password, but then it checks stuff about whether the machine you're using is in its white list, and then it asks for a pin, maybe even security questions. all layers of security beyond just the default login/pass.

of course you have to balance it with performance, how intrusive it is, how it impacts the user experience (but hey think about the user experience without it).

There is a lot to security, it's not one thing, it's everything.
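
The server-authority rule from posts #9 and #10 and the turn-rate cap suggested in post #8, sketched as an added example that is not part of any post in this thread and is not Torque 3D code. All names and limits (`applyMove`, `kMaxSpeed`, `kMaxTurnRate`, `kReviewAfter`) are hypothetical; the client sends only its intent, and the server computes position, clamps what is out of range and counts it for later review.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdio>

// Hypothetical limits; a real game would take them from its own server-side data.
constexpr float kMaxSpeed    = 8.0f;    // world units per second
constexpr float kMaxTurnRate = 360.0f;  // degrees per second
constexpr int   kReviewAfter = 3;       // violations before a human looks

struct ClientMove {      // all the client may send: intent, never position or speed
    float dirX, dirY;    // desired direction, expected length <= 1
    float yawDelta;      // requested turn this tick, degrees
};

struct PlayerState {     // held by the server only
    float x = 0, y = 0, yaw = 0;
    int violations = 0;
};

// Advance one tick of dt seconds. The server computes the new position itself.
void applyMove(PlayerState& p, const ClientMove& m, float dt) {
    if (!std::isfinite(m.dirX) || !std::isfinite(m.dirY) || !std::isfinite(m.yawDelta)) {
        ++p.violations;  // NaN/inf would poison every later calculation
        return;
    }
    // An oversized direction vector is scaled back, so it buys no extra speed.
    float len = std::hypot(m.dirX, m.dirY);
    if (len > 1.01f) ++p.violations;
    float div = std::max(len, 1.0f);
    p.x += (m.dirX / div) * kMaxSpeed * dt;
    p.y += (m.dirY / div) * kMaxSpeed * dt;

    // Turn-rate cap: an instant 180-degree snap is clamped and counted.
    float maxTurn = kMaxTurnRate * dt;
    float turn = std::max(-maxTurn, std::min(m.yawDelta, maxTurn));
    if (turn != m.yawDelta) ++p.violations;
    p.yaw = std::fmod(p.yaw + turn, 360.0f);
    if (p.yaw < 0) p.yaw += 360.0f;
}

bool needsReview(const PlayerState& p) { return p.violations >= kReviewAfter; }

int main() {
    PlayerState p;
    applyMove(p, ClientMove{1600.0f, 0.0f, 180.0f}, 0.25f);  // constructed tampered input
    std::printf("x=%.2f yaw=%.1f violations=%d\n", p.x, p.yaw, p.violations);
    return 0;
}
```

The violation counter feeds a review queue rather than an automatic ban, which matches the "investigate when the maximum is exceeded" idea in the opening post.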
#11
09/13/2013 (6:49 pm)
I like lots of the responses so far, particularly the responses from Robert Fritzen and TheMartian. They really seem to know what they are talking about. It is very interesting and I am learning some things. I am very new to lots of this and have a tremendous amount I must learn, but this is a question I figured I was gonna need to ask sooner or later anyway.
#12
09/16/2013 (1:56 pm)
@Stefan: I must have misunderstood there. Obviously the client doesn't run SQL directly on the database, but it goes through a PHP script which does the SQL via prepared statements. I just state it in that manner since the PHP code is so basic that I don't count it as so, my mistake.

As per the speed hack comment, one of the players who I used to collude with on Tribes 2 would gladly disagree with you before demonstrating that very exploit you just said was not possible before sending everyone running around "Katabatic" at 1600x normal speed. :)

All in all, there's a great deal of good points in this topic, you're always going to be in a constant battle against new hacking methods, but employing a good service and a line of updates based on the input of your players can remedy the problems.