For UT2004, you can ban by player GUID (a hash of the CD key) or IP. With the game abandoned by Epic, a number of key generators have cropped up, which makes GUID bans useless. IP bans only go so far with VPNs costing $2 these days.
The main solutions we have today are IP ban + VPN blocking using a database of known VPN subnets and adding them all to the firewall, and a similar fingerprinting technique which scans their folder structure of certain system folders.
It was made for Tremulous (ioquake3 fork) where people kept evading IP bans, but it can be used for any other games.
It is not my project, but I know the author, and I could personally fork it and make it suitable for specific (or any) games if there is demand for it.
You may also use heuristics, too, in schachtmeister2:
Even without this IP bans only go so far as they're both easily swapped (VPN offers, or rent a VPS to forward traffic, or even by design with an ISP handing out dynamic IPs on router reboot) AND overreaching:
- NAT: ban household / campus
- CGNAT: ban whole neighbourhood
- IPv6: ban whole /64 => whole household (because of SLAAC + random privacy addresses)
On a counter-strike 1.6 server I help with moderating, we have the occasional cheater roll by, surprisingly often "ragehacking" with no attempt at subtlety (e.g. making noscope sniper headshots in mid air).
Since the server owner insists on allowing non-steam accounts (pirated copies) to connect we can't rely on SteamID bans, similarly to GUID in Unreal. It's a bit trickier to change the spoofed ID as I assume it's buried deep in the game install somewhere obscure, but still possible. It's actually a very popular game in northern Africa, the former Baltic states and surrounding areas as well as north and west Asia: without these players the server would be a ghost town.
Anyway, our approach is twofold carrot and stick style: Steam players get near instant reloads and immunity to some of the more "enthusiastic" automodding/kick features: so for the price of a handful of VPN keys you can get a legitimate, allowed advantage over most of the server population as well as reserved username and "VIP" tag, plus you now own the game. Seems a great way to do it, as it's available to anyone instantly for that one time fee (which goes direct to the game dev), or for free by playing at least 1 game a week for 5 weeks, then contacting the mod team on social media.
The other side to that (the stick), is that rather than simply kick/ban the player we usually take some time to have fun annoying them, to show them they're really not welcome, and make them actively not want to come back.
Disarming them then giving F tier weapons, a few random teleports out of bounds or stuck in the floor, repeat amx_rocket to turn them into a firework, amx_drug to max out FOV and add "drunk" effect, and ofc a bit of teasing about what a lowskill looser you must be to have fun while AI plays the game for you.
There's also "illegal" amx plugins and commands, which are generally frowned upon and extremely abusable, but quite useful in these situations. My favorite (which most of the "illegal plugins" are based around) is amx_exec which essentially gives admins direct access to any client's in-game console, to run any command or set any setting!
It's actually kind of terrifying that exists. For example this set of commands sets network baudrate to 1000 (that'll be fun for the cheater until they notice), changes name, wipes all keybinds, then binds the default chat key to close the game, while setting max FPS low enough to be bothersome without being obvious! There are pre-built macros that do far worse to your settings too: although easily fixable by deleting to restore defaults, would be very frustrating if you hadn't backed up your config files.
On an intriguing side note:
Many servers charge for VIP advantages, to the tune of up to $20/month! At first I thought this pretty shocking, until I found out that there's some kinda shady clique where to be listed in a reasonable spot on 3rd party server browsers, a hefty fee is required, and a significant proportion of this income gets spent on "boosts".
When our server owner stopped paying for "boost" for two months, mean player count dropped from 14/32 to 3/32, and max players from a regular 28/32 on weekends, to 12/32 on a Friday night if lucky. The player count rocketed as soon as the owner started paying again... but the crazy thing is it's $180/month!
Before getting involved with moderating, I thought running a fun, deathmatch, well moderated, low ping, high performance server dedicated to remakes/remixes of the 2nd most popular map in the game would be enough to be popular/busy. But no, apparently you have to pay extortionate fees to incumbent gatekeepers, if you want your server to be visible to the majority of the playerbase!
> There's also "illegal" amx plugins and commands, which are generally frowned upon and extremely abusable, but quite useful in these situations. My favorite (which most of the "illegal plugins" are based around) is amx_exec which essentially gives admins direct access to any client's in-game console, to run any command or set any setting!
Yes, we have something similar for UT2004, but only a handful of people are even aware it exists. It's too powerful and too easily abused. I have yet to share it, even with other admins.
Changing steamid is easily doable on most nosteam cs 1.6 copies through a cfg file.
I used to administrate CS 1.6 until a few years ago. I got a question concerning amx_exec. I thought cl_filterstuffcmd basically killed any usage admin slowhacking?
or is it that most nosteam cs 1.6 client have it set to 0 ?
It seems to me that what is needed is a "provisional" server that grants you access to the "good" server.
So an GUID accumulates reputation after some amount of play in the provisional server. If you get enough reputation by not cheating, the GUID gets whitelisted for the "good" server. You can have multiple tiers, so the really good/fun people get to the third of fourth tier of demonstrated non-cheating.
If they cheat, get banned, they need to climb the tiers with GUIDs again. The cheaters will want to cheat, they won't want to pay the dues. The legit players will happily try to get to the second and third tiers, so you could probably just require 1 hour of not-cheating for the first tier of server, and then maybe 8 hours to get to the third tier.
You could shadowban/honeypot after the first tier, so you shut all cheaters that you detect to their own cheater server where the cheaters can all get shunted to.
I don't understand why cheaters are such a problem when it comes to bans.
Why ban them? Flag them as cheaters behind the scenes, and let them only join cheater-only servers. They'll stop soon enough.
It's like telling a web scraper that its IP was banned. It's stupid cause you will have nothing to gain from that strategic move. A better way is to flag a web scraper IP behind the scenes, and give them only garbage data, randomly injected/inserted into the pages. That'll teach them not to scrape your website :D
In my opinion the same goes for cheat detection. You will only lose the strategic advantage you have by banning them, because rotating IPs or CD keys or accounts is just a minor inconvenience for them.
This still leaves you wide open to cheaters using mobile data tethering and proxies. Have you considered more advanced network analysis? It's one of the areas I have an interest in (professionally and personally) so if you want any suggestions let me know.
VPN or mobile IPs (blacklisted) must pay for a key ($20/year) that allows posting from blacklisted IPs. Key is good for posting from one blacklisted IP, locked for 30 minutes, so users cannot share keys. That way, you can ban the user by their key, if their IP is public.
It's not a perfect solution but it seems to be the best they've found for such a situation so far.
> This still leaves you wide open to cheaters using mobile data tethering and proxies
Is latency going to be good enough on mobile data (especially if they're also using proxies) for a FPS, though? Sure, they're using cheating software, but I wouldn't be surprised if the software gets the information it needs to cheat too late often enough for it to be useful.
Using a VPN with WireGuard can actually reduce latency if your ISP has poor routing to the game server, as a VPN with better peering or routing paths can improve your connection. It’s not always the case, but with a decent provider, you might see lower ping in certain situations.
When I was in the dormitory (~6-8 years ago), I used VPN (OpenVPN on my private VPS) over UDP port 53 to omit the firewall which was configured to block big parts of ports.
Can help routing induced latency as the other comment says (or force a new route if having downstream issues with your ISP peering), and some games in the past could leak IPs especially if using a p2p model and a VPN can mitigate that (especially one that only routes traffic for the game).
IIRC you also need one when playing from some countries, whether due to legal reasons or server restrictions.
There's a bunch of services that can moderately reduce latency by using better paths. Specially worth it if you want to play with friends in servers farther than 1000km away.
the cheats are software, software has certain quirks, like the way it aims or the way it tracks. And I'm willing to bet it has enough distinctiveness from human aiming to be classified. Couldn't a classifier work on the behavior of the cheating software itself, rather than use IP bans?
It's more effort than it's worth. There are server aimbot scanners which do something like this. There are also aimbots written to thwart this type of detection, adding delays, random drift, etc. It's a cat and mouse game. We don't have a lot of players left so it's not that much of an issue.
This is part of what Valve does in CS. It works pretty well but it does have false positives so it requires user intervention for confirmation of bans.
In order to actually catch a cheater mid-match rather than long after the match is already over, you'd need the servers that players are interacting through to have enough CPU grunt-force to do that kind of analysis "faster than realtime" — i.e. for the server's CPU to be able to run the game's physics faster than any client can, so it can run the physics with extra math in the same time it takes the clients to just run the physics.
Which might be something you could guarantee, if the game were locked to wimpy console hardware; or if the game had minimal CPU physics such that it was effectively never running CPU-bottlenecked and there were massive gaps in frame-time where even the client CPUs are sitting idle, that a server running in lockstep could cram that kind of analysis into.
But gaming is a race-to-the-top, hardware-wise. The CPU in a gaming rig might not have as many cores as your average server CPU, but it's almost certainly going to have higher single-core perf.
And part of the reason for that, is that games really do try to use your whole CPU (and GPU), with AAA studios especially being factories for constant innovation in new ways to make even the minimum requirements just to run a game's physics, higher and higher every year.
And if the server can't do "faster than realtime" analysis of the streams of inputs of the players, then by queuing theory, it'll inevitably get infinitely backlogged — the server will keep receiving new analysis work to do every timestep, and will fall further and further behind, never catching up until new work stops being generated — i.e. until the match is over. And then it'll have to probably sit there for five more minutes thinking really hard before spitting out a "hey, wait just a minute..." about any given match.
Which is fine if there's a big central lobby server that the game is forced to connect to, and your goal is to ensure that some central statistic that that central server relies upon (e.g. match-rank ELO) gets calculated correctly, such that cheaters are prevented from climbing the leaderboards / winning their way into high-ranked play. (And that's exactly the situation the big eSports games companies are in.)
But in the context of older games that use arbitrary hosted servers and random-pairing (or manual lobby-based match selection) — or in modern, but "dead", games, that only persist due to being modded to accept private servers — this "after-the-fact" punishment is useless, as most servers have no incentive to do this analysis, especially when cheaters can just hop around between servers. So there's nothing preventing people from being matched with cheaters, sometimes over and over again, if the cheaters can just tell their clients to roll up with a new key+IP for every match.
...and that's assuming there even are servers. You can forget about any of this working in a p2p context. (Think about what a Sybil attack means in the context of a federated set of individual tiny disconnected p2p networks.)
Yes, we have a whitelist ability also, but it is definitely a last resort. The game is mostly dead and difficult to discover for new players. We don't want that roadblock if we can avoid it.
> The main solutions we have today are IP ban + VPN blocking using a database of known VPN subnets and adding them all to the firewall, and a similar fingerprinting technique which scans their folder structure of certain system folders.
No. VPN blocking is useless to stop malicious actors as most residential connections have DHCP and VPN subnets are added and removed somewhat frequently, it's not that hard to find a "undocumented" one. It also completely excluds anyone using a VPN for non-malicous purposes.
Scanning files and folders is just ridiculous, not only an incredible invasion of privacy, but also trivial to work around.
VPN blocking is a cheap mitigation that stops 95% of the problematic traffic without removing a meaningful number of legitimate users.
Yes it doesn't "solve" the problem, and yes it removes some legitimate users, but it's by no means useless. Given the tradeoffs involved I'm not at all surprised it's so common.
If you have a solution that's less invasive (e.g., some businesses can get away with not providing anything expensive till after a payment has cleared the normal fraud window, and many businesses don't have obscene levels of malicious traffic; in those cases you can just let bad traffic run rampant and ignore it till it's a problem) then that's probably better, but blocking VPNs or whole countries or whatever can be the difference between a successful business and bankruptcy.
IP bans are fundementally flawed since you can't assume a static IP in the vast majority of cases anymore, if you rely on an IP blocklist then it's inevitable that you will end up hurting the experience of small amount of unlucky but innocent players. I suppose this might be more of an issue on ipv4 than it could be on ipv6, but really you should always expire IP bans to avoid issues like these, or you want to combine another data point with the IP such as a hardware ID (or a hash of a combination of hardware IDs). Cheaters do know this so even if we could assign everyone a static ipv6 they would likely just disable ipv6 support on their NIC and rely on their ipv4 exit ip.
Edit: If you don't think this is an issue I urge you to Google "pokemon go belgium ip ban" for a fun rabbit hole.
Sort of. Doesn't make sense to ban a single v6, you'd start by banning at the /64 level and move on to banning shorter prefixes from there.
You quickly run into the same kinds of problems you do in v4 though; most users have access to a shared pool of addresses, and you may need to ban the whole pool to ban an abuser, but then you also ban everyone else in that pool, and the abuser is more likely to have ability and motivation to use other pools.
It's better if you have multiple factors... if you don't like the IP, don't ban it, but be stricter on other measures, etc. So a well behaved client from a 'bad ip' can still play, but enough suspicious things and you can't play anymore.
Where it gets interesting is when documentation uses a typoed reserved address (e.g. 189.51.100.1 or 198.15.100.1). There are actually several RFCs that do this.
Server side only anti-cheat is one of the problem domains that I'd really love to work on at some point in my career. This is the type of adversarial arms race that just seems really fun to think long and hard about.
Only problem is, a lot of companies do NOT want to pay for it. It's 'treadmill work'. No matter how many people and how much money you throw at the problem, it still ends up just coming back. It's a losing battle because there are many, many more players than there are developers.
> Only problem is, a lot of companies do NOT want to pay for it.
Because they're 10 years behind the curve and don't understand that a game's lifespan is contingent on anti-cheat. Once it becomes clear to the casual player that a hacker is going to effect every gaming session, the game dies quickly. Many games have gone so far as to obfuscate the presence of hackers so that players are less likely to notice them (CoD)! Other games build from the ground up with anti-cheat in mind (Valorant). Other games have an ID verified 3rd party system for competitive play (CSGO).
Personally, I think there is a middle ground between root level hardware access, and treating cheating as an afterthought. I'd lean more heavily on humans in the process... Use ML models to detect potential cheaters, and build a team of former play testers to investigate these accounts. There is zero reason a cheater should be in the top 100 accounts; An intern could investigate them in a single day! More low hanging fruit would be investigating new accounts that are over-performing. I'd also change the ToS so legal action could be persued for repeat offenders. Cheaters do real economic damage to a company, and forcing them to show up in small claims court would heavily de-incentivize ban evaders. This probably sounds expensive and overkill, but in the grand scheme of things it's cheap; it could be done on the headcount budget of 2-3 engineers. It'd also be a huge PR win for the game.
1. Determine minimum human reaction times and limit movement to within those parameters on the client side. (For example a human can't swing their view around [in a fps] in a microsecond so make that impossible on the client) this will require a lot of user testing to get right, get pro players and push their limits.
2. Build a 'unified field theory' for your game world that is aware of the client side constraints as well as limits on character movement, reload times, bullet velocities, etc. Run this [much smaller than the real game] simulation on server.
3. Ban any user who sends input that violates physics.
Now cheating has to at look like high level play instead of someone flying around spinbotting everyone from across the map. Players hopefully don't get as frustrated when playing against cheaters as they assume they are just great players. Great players should be competitive against cheaters as well.
Something I'm working on now. The real issue is that you get more perf hits trying to do all the important stuff server side, so devs have become lazy and offloaded more to the client than they should have, and then that became the standard. Moving all important actions server side isn't easy or cheap but it's how you prevent cheating much more holistically.
Now add in that I'm running a physics-heavy game with 120 tickrate, (considering higher after more tests), with fine motor control action combat, aimed to scale to mmorpg size, and it really becomes a challenge!
The state of the art is pretty boring and you can learn about user command payloads in an afternoon.
The world is much more complex now that YOLO-based aimbots exist, and I think the real answer is that anti-cheats are now defeatable, period.
You can craft a private binary that has no hash registered to any major anti-cheat service on the client-side, and on the server-side you’re limited to what is allowed by game rules.
Since there’s no mechanisms for preventing super human reflexes, and there probably shouldn’t be, it’s an issue that cannot be solved anymore.
So you need community judgement, and that too is boring. Good players being accused of cheating in Counter Strike is a years old and entertaining problem.
It also significantly improves people's lives. Entire online games are reduced to no man's lands due to cheaters. I remember buying a number of battlefield games a couple years ago and a number of them were unplayable due to cheaters speedhacking and aimboting. I remember thinking "this is easy to detect on the server side, why arent they doing anything".
This isn't about stopping cheaters (cheat detection). This is about stopping repeat cheaters trying to ban evade. Detecting cheats, especially nowadays with hardware cheats (DMA, etc), is an entirely different ballgame.
IMHO, one of the most effective way to stop ban evaders is to actually charge money for the game.
Why pay for the game when you can go to an onion site that will sell you hundreds of compromised accounts that own the game for a fraction of the price?
Charging money and banning at the payment provider level can be quite effective. It isn't a perfect answer but it cuts out gigantic chunks of the problem space.
I'll take a ~99% cheat-free experience over not having any improvement at all.
That's fair. There will always be cheaters like this. However, anecdotally, after CS or any other game I've played that went free-to-play, cheaters became a much much larger problem: from seeing one every now and again, to at least one in nearly every match.
>IMHO, one of the most effective way to stop ban evaders is to actually charge money for the game.
Cheaters are NOT price sensitive. This is their preferred form of entertainment, ie being a king in their little kiddie pool, so they don't care to spend $60 every month on a new account/gamekey/whatever you charge them.
People in CS:GO are perfectly happy to be banned with hundreds of dollars of skins in an account, because they either spent like $5 getting someone else's compromised account, or they are paying $30 a month to a cheat service anyway.
I bet there is a shit ton of overlap between frequent cheaters and pay-to-win whales.
The reliable way to make people cheat in your game less is cheater honeypots. Instead of banning and just starting the hunt for a cheater all over again when they buy a new account, you silently force them into matchmaking with only other cheaters, purposely abusive bots, or artificially harming the cheater's gameplay like with fake lag, or just ignore keypresses sometimes. Ruin their fun and they will stop ruining your game. Then you turn the adverse knowledge game on them, they have to figure out if they are regularly playing with cheaters or bots in order to know they need to buy a new account.
Banning by TPM also makes ban evasion pretty expensive. At which point the cheater has to either buy a new mobo or solder a new TPM chip onto their mobo (not always possible). Though I guess at some point a sloppy vendor will leak TPM keys and it'll be spoof-able.
Players from big countries often miss out on the sense of community that exist in smaller ones. When there are only 3-4 servers worth of people playing a game every day you quickly come to know them all, which really adds to the banter and sense of enjoyment.
I’ve gotten a taste of that experience playing older multiplayer games that have a small player base. I much prefer it to games with millions of players where you’ll never see the people you play a match with again
I also love games with community ran servers for the same reason
If you’re old enough you remember favoriting servers in Gamespy. You’d end up on the same servers depending on who is there and mainly how good your connection was.
> If a player joins with a different Steam ID but with an IP address that is already banned, the system now re-bans them
This works great until you realize you're punishing innocent players because of CGNAT and IP addresses getting rotated. Cheaters usually know how to get their router to request a new IP address. That IP address then gets assigned to someone else later.
This scenario definitely did pop up and we would review it on a case by case basis to unban users or make exceptions. However, it was quite rare. Only a handful of reported instances over several months. If our servers were more popular we definitely would have run into it a lot more.
No, not specifically. That section is still written under the misconception that IPs are bound to households, or static networks like university networks. Instead they can swap at the very least country wide (or rather, however the provider manages the IP addresses it controls). Their mental model is just not how the internet works.
By using IP as the ban id they created a system that constantly and regularly banned completely innocent steam IDs, thinking they are somehow linked when a new steam id uses a banned IP, which is nonsense. They just did not notice because the banned gamers did not complain.
I always found it funny how ip bans seemed to be so popular despite being apparently completely ineffective until I realized this was mostly a US thing. In my country (2 of them that I've lived in, in fact) ISPs always assign the client a dynamic address from their very large pools every time I reconnect. This was as true back in the 28.8kb dial up days as it is in the 10gbit FTTH days we live in. Having a static IP address here has always been a service you have to pay for.
I remember this being hilarious when idiots would ip ban me back on the IRC days: "oh no, I have to press the reconnect button!"
> I only shared the solution and technique with one other server operator I fully trusted based in the UK
I think that was us! We ended up combining it with other fingerprinting indicators, but the whole 'use VGUI' was a surprisingly effective way at handling this. I believe they removed the web browser in ~2018, which was disappointing. Being able to have custom skill trees / fun integrations with servers was really powerful!
Readit News
The main solutions we have today are IP ban + VPN blocking using a database of known VPN subnets and adding them all to the firewall, and a similar fingerprinting technique which scans their folder structure of certain system folders.
https://redman.xyz/doku.php/schachtmeister2 was made specifically against people using VPNs.
It was made for Tremulous (ioquake3 fork) where people kept evading IP bans, but it can be used for any other games.
It is not my project, but I know the author, and I could personally fork it and make it suitable for specific (or any) games if there is demand for it.
You may also use heuristics, too, in schachtmeister2:
Edit: I noticed that the git repository returns 502, contacted the maintainer.Even without this IP bans only go so far as they're both easily swapped (VPN offers, or rent a VPS to forward traffic, or even by design with an ISP handing out dynamic IPs on router reboot) AND overreaching:
- NAT: ban household / campus
- CGNAT: ban whole neighbourhood
- IPv6: ban whole /64 => whole household (because of SLAAC + random privacy addresses)
I don't play online anymore because I get destroyed but it's still fun to pop in for a quick match against AI when I have 30 minutes to kill.
Since the server owner insists on allowing non-steam accounts (pirated copies) to connect we can't rely on SteamID bans, similarly to GUID in Unreal. It's a bit trickier to change the spoofed ID as I assume it's buried deep in the game install somewhere obscure, but still possible. It's actually a very popular game in northern Africa, the former Baltic states and surrounding areas as well as north and west Asia: without these players the server would be a ghost town.
Anyway, our approach is twofold carrot and stick style: Steam players get near instant reloads and immunity to some of the more "enthusiastic" automodding/kick features: so for the price of a handful of VPN keys you can get a legitimate, allowed advantage over most of the server population as well as reserved username and "VIP" tag, plus you now own the game. Seems a great way to do it, as it's available to anyone instantly for that one time fee (which goes direct to the game dev), or for free by playing at least 1 game a week for 5 weeks, then contacting the mod team on social media.
The other side to that (the stick), is that rather than simply kick/ban the player we usually take some time to have fun annoying them, to show them they're really not welcome, and make them actively not want to come back.
Disarming them then giving F tier weapons, a few random teleports out of bounds or stuck in the floor, repeat amx_rocket to turn them into a firework, amx_drug to max out FOV and add "drunk" effect, and ofc a bit of teasing about what a lowskill looser you must be to have fun while AI plays the game for you.
There's also "illegal" amx plugins and commands, which are generally frowned upon and extremely abusable, but quite useful in these situations. My favorite (which most of the "illegal plugins" are based around) is amx_exec which essentially gives admins direct access to any client's in-game console, to run any command or set any setting!
It's actually kind of terrifying that exists. For example this set of commands sets network baudrate to 1000 (that'll be fun for the cheater until they notice), changes name, wipes all keybinds, then binds the default chat key to close the game, while setting max FPS low enough to be bothersome without being obvious! There are pre-built macros that do far worse to your settings too: although easily fixable by deleting to restore defaults, would be very frustrating if you hadn't backed up your config files.
amx_exec cheatername "rate 1000" amx_exec cheatername "name iCaNtAiM" amx_exec cheatername "unbind all" amx_exec cheatername "bind y quit" amx_exec cheatername "fps_max 50"
On an intriguing side note: Many servers charge for VIP advantages, to the tune of up to $20/month! At first I thought this pretty shocking, until I found out that there's some kinda shady clique where to be listed in a reasonable spot on 3rd party server browsers, a hefty fee is required, and a significant proportion of this income gets spent on "boosts".
When our server owner stopped paying for "boost" for two months, mean player count dropped from 14/32 to 3/32, and max players from a regular 28/32 on weekends, to 12/32 on a Friday night if lucky. The player count rocketed as soon as the owner started paying again... but the crazy thing is it's $180/month!
Before getting involved with moderating, I thought running a fun, deathmatch, well moderated, low ping, high performance server dedicated to remakes/remixes of the 2nd most popular map in the game would be enough to be popular/busy. But no, apparently you have to pay extortionate fees to incumbent gatekeepers, if you want your server to be visible to the majority of the playerbase!
Yes, we have something similar for UT2004, but only a handful of people are even aware it exists. It's too powerful and too easily abused. I have yet to share it, even with other admins.
I used to administrate CS 1.6 until a few years ago. I got a question concerning amx_exec. I thought cl_filterstuffcmd basically killed any usage admin slowhacking?
or is it that most nosteam cs 1.6 client have it set to 0 ?
So an GUID accumulates reputation after some amount of play in the provisional server. If you get enough reputation by not cheating, the GUID gets whitelisted for the "good" server. You can have multiple tiers, so the really good/fun people get to the third of fourth tier of demonstrated non-cheating.
If they cheat, get banned, they need to climb the tiers with GUIDs again. The cheaters will want to cheat, they won't want to pay the dues. The legit players will happily try to get to the second and third tiers, so you could probably just require 1 hour of not-cheating for the first tier of server, and then maybe 8 hours to get to the third tier.
You could shadowban/honeypot after the first tier, so you shut all cheaters that you detect to their own cheater server where the cheaters can all get shunted to.
Why ban them? Flag them as cheaters behind the scenes, and let them only join cheater-only servers. They'll stop soon enough.
It's like telling a web scraper that its IP was banned. It's stupid cause you will have nothing to gain from that strategic move. A better way is to flag a web scraper IP behind the scenes, and give them only garbage data, randomly injected/inserted into the pages. That'll teach them not to scrape your website :D
In my opinion the same goes for cheat detection. You will only lose the strategic advantage you have by banning them, because rotating IPs or CD keys or accounts is just a minor inconvenience for them.
Regular IPs can post freely
VPN or mobile IPs (blacklisted) must pay for a key ($20/year) that allows posting from blacklisted IPs. Key is good for posting from one blacklisted IP, locked for 30 minutes, so users cannot share keys. That way, you can ban the user by their key, if their IP is public.
It's not a perfect solution but it seems to be the best they've found for such a situation so far.
Is latency going to be good enough on mobile data (especially if they're also using proxies) for a FPS, though? Sure, they're using cheating software, but I wouldn't be surprised if the software gets the information it needs to cheat too late often enough for it to be useful.
Deleted Comment
Cheaters, which is why they’re getting banned in the first place
IIRC you also need one when playing from some countries, whether due to legal reasons or server restrictions.
the cheats are software, software has certain quirks, like the way it aims or the way it tracks. And I'm willing to bet it has enough distinctiveness from human aiming to be classified. Couldn't a classifier work on the behavior of the cheating software itself, rather than use IP bans?
Which might be something you could guarantee, if the game were locked to wimpy console hardware; or if the game had minimal CPU physics such that it was effectively never running CPU-bottlenecked and there were massive gaps in frame-time where even the client CPUs are sitting idle, that a server running in lockstep could cram that kind of analysis into.
But gaming is a race-to-the-top, hardware-wise. The CPU in a gaming rig might not have as many cores as your average server CPU, but it's almost certainly going to have higher single-core perf.
And part of the reason for that, is that games really do try to use your whole CPU (and GPU), with AAA studios especially being factories for constant innovation in new ways to make even the minimum requirements just to run a game's physics, higher and higher every year.
And if the server can't do "faster than realtime" analysis of the streams of inputs of the players, then by queuing theory, it'll inevitably get infinitely backlogged — the server will keep receiving new analysis work to do every timestep, and will fall further and further behind, never catching up until new work stops being generated — i.e. until the match is over. And then it'll have to probably sit there for five more minutes thinking really hard before spitting out a "hey, wait just a minute..." about any given match.
Which is fine if there's a big central lobby server that the game is forced to connect to, and your goal is to ensure that some central statistic that that central server relies upon (e.g. match-rank ELO) gets calculated correctly, such that cheaters are prevented from climbing the leaderboards / winning their way into high-ranked play. (And that's exactly the situation the big eSports games companies are in.)
But in the context of older games that use arbitrary hosted servers and random-pairing (or manual lobby-based match selection) — or in modern, but "dead", games, that only persist due to being modded to accept private servers — this "after-the-fact" punishment is useless, as most servers have no incentive to do this analysis, especially when cheaters can just hop around between servers. So there's nothing preventing people from being matched with cheaters, sometimes over and over again, if the cheaters can just tell their clients to roll up with a new key+IP for every match.
...and that's assuming there even are servers. You can forget about any of this working in a p2p context. (Think about what a Sybil attack means in the context of a federated set of individual tiny disconnected p2p networks.)
No. VPN blocking is useless to stop malicious actors as most residential connections have DHCP and VPN subnets are added and removed somewhat frequently, it's not that hard to find a "undocumented" one. It also completely excluds anyone using a VPN for non-malicous purposes.
Scanning files and folders is just ridiculous, not only an incredible invasion of privacy, but also trivial to work around.
Yes it doesn't "solve" the problem, and yes it removes some legitimate users, but it's by no means useless. Given the tradeoffs involved I'm not at all surprised it's so common.
If you have a solution that's less invasive (e.g., some businesses can get away with not providing anything expensive till after a payment has cleared the normal fraud window, and many businesses don't have obscene levels of malicious traffic; in those cases you can just let bad traffic run rampant and ignore it till it's a problem) then that's probably better, but blocking VPNs or whole countries or whatever can be the difference between a successful business and bankruptcy.
Edit: If you don't think this is an issue I urge you to Google "pokemon go belgium ip ban" for a fun rabbit hole.
You quickly run into the same kinds of problems you do in v4 though; most users have access to a shared pool of addresses, and you may need to ban the whole pool to ban an abuser, but then you also ban everyone else in that pool, and the abuser is more likely to have ability and motivation to use other pools.
It's better if you have multiple factors... if you don't like the IP, don't ban it, but be stricter on other measures, etc. So a well behaved client from a 'bad ip' can still play, but enough suspicious things and you can't play anymore.
Deleted Comment
> An example of an IPv4 IP address is 198.51.100.1.
[0] https://www.rfc-editor.org/rfc/rfc5737
Dead Comment
Dead Comment
Because they're 10 years behind the curve and don't understand that a game's lifespan is contingent on anti-cheat. Once it becomes clear to the casual player that a hacker is going to effect every gaming session, the game dies quickly. Many games have gone so far as to obfuscate the presence of hackers so that players are less likely to notice them (CoD)! Other games build from the ground up with anti-cheat in mind (Valorant). Other games have an ID verified 3rd party system for competitive play (CSGO).
Personally, I think there is a middle ground between root level hardware access, and treating cheating as an afterthought. I'd lean more heavily on humans in the process... Use ML models to detect potential cheaters, and build a team of former play testers to investigate these accounts. There is zero reason a cheater should be in the top 100 accounts; An intern could investigate them in a single day! More low hanging fruit would be investigating new accounts that are over-performing. I'd also change the ToS so legal action could be persued for repeat offenders. Cheaters do real economic damage to a company, and forcing them to show up in small claims court would heavily de-incentivize ban evaders. This probably sounds expensive and overkill, but in the grand scheme of things it's cheap; it could be done on the headcount budget of 2-3 engineers. It'd also be a huge PR win for the game.
1. Determine minimum human reaction times and limit movement to within those parameters on the client side. (For example a human can't swing their view around [in a fps] in a microsecond so make that impossible on the client) this will require a lot of user testing to get right, get pro players and push their limits.
2. Build a 'unified field theory' for your game world that is aware of the client side constraints as well as limits on character movement, reload times, bullet velocities, etc. Run this [much smaller than the real game] simulation on server.
3. Ban any user who sends input that violates physics.
Now cheating has to at look like high level play instead of someone flying around spinbotting everyone from across the map. Players hopefully don't get as frustrated when playing against cheaters as they assume they are just great players. Great players should be competitive against cheaters as well.
Now add in that I'm running a physics-heavy game with 120 tickrate, (considering higher after more tests), with fine motor control action combat, aimed to scale to mmorpg size, and it really becomes a challenge!
The world is much more complex now that YOLO-based aimbots exist, and I think the real answer is that anti-cheats are now defeatable, period.
You can craft a private binary that has no hash registered to any major anti-cheat service on the client-side, and on the server-side you’re limited to what is allowed by game rules.
Since there’s no mechanisms for preventing super human reflexes, and there probably shouldn’t be, it’s an issue that cannot be solved anymore.
So you need community judgement, and that too is boring. Good players being accused of cheating in Counter Strike is a years old and entertaining problem.
the what ?!?
Sorry :'( I didn't expect the post to get this much traffic.
IMHO, one of the most effective way to stop ban evaders is to actually charge money for the game.
I'll take a ~99% cheat-free experience over not having any improvement at all.
Cheaters are NOT price sensitive. This is their preferred form of entertainment, ie being a king in their little kiddie pool, so they don't care to spend $60 every month on a new account/gamekey/whatever you charge them.
People in CS:GO are perfectly happy to be banned with hundreds of dollars of skins in an account, because they either spent like $5 getting someone else's compromised account, or they are paying $30 a month to a cheat service anyway.
I bet there is a shit ton of overlap between frequent cheaters and pay-to-win whales.
The reliable way to make people cheat in your game less is cheater honeypots. Instead of banning and just starting the hunt for a cheater all over again when they buy a new account, you silently force them into matchmaking with only other cheaters, purposely abusive bots, or artificially harming the cheater's gameplay like with fake lag, or just ignore keypresses sometimes. Ruin their fun and they will stop ruining your game. Then you turn the adverse knowledge game on them, they have to figure out if they are regularly playing with cheaters or bots in order to know they need to buy a new account.
Deleted Comment
I also love games with community ran servers for the same reason
Deleted Comment
https://en.m.wikipedia.org/wiki/The_All-Seeing_Eye which was sold to yahoo.
Yahoo was a powerhouse back in the day and one that google offered to sell to. The world would be so different if it had.
This works great until you realize you're punishing innocent players because of CGNAT and IP addresses getting rotated. Cheaters usually know how to get their router to request a new IP address. That IP address then gets assigned to someone else later.
By using IP as the ban id they created a system that constantly and regularly banned completely innocent steam IDs, thinking they are somehow linked when a new steam id uses a banned IP, which is nonsense. They just did not notice because the banned gamers did not complain.
I remember this being hilarious when idiots would ip ban me back on the IRC days: "oh no, I have to press the reconnect button!"
I think that was us! We ended up combining it with other fingerprinting indicators, but the whole 'use VGUI' was a surprisingly effective way at handling this. I believe they removed the web browser in ~2018, which was disappointing. Being able to have custom skill trees / fun integrations with servers was really powerful!