Prevention of Hacking for MMORPG
Author
I''m curious as to some of the methods that are used to prevent cheating with MMORPGs or any on-line game.
I think I''ve got my system down pat. For username password protection you can DoS all you want but you still won''t get in. I have IP logging setup if it ever becomes an issue. And faking server assigned ID numbers. DPlay doesn''t reveal your number unless you contact someone directly. And there''s no way I know of to spoof that number. I.e. Pretend to be the server sending a message.
Bogus packets can be eliminated pretty easily by checking to see that the DPlay ID and Server assigned ID match. Also what does it take to figure out the GUID of the server from a remote location? I want to prevent the ability to make a fake client.
All important user information is stored server side.
But what other tactics are used and what is done to prevent those attacks from doing damage? As far as the game. Securing the actual computer it resides on I''ll tackle later.
Ben
http://therabbithole.redback.inficad.com
Well, from what i''ve heard/read most security holes are not from any lack in design or forsight but rather flaws (bugs) in the system. For instance, the diablo hack recently where the player can flood the login server with requests to login as another player, eventually they get in. This is obviously some sort of overflow bug, or improper caching of information on the server side. Notice that the server didn''t die, rather it handled the requests, albiet incorrectly. These flaws are difficult to find, it took a year for this flaw to be found by the hackers, and they were constantly attacking the system for these flaws. If you spend time on any weak link in your system and secure it, this just makes the next weakest link the better target, and so on and so on.
Blizzard learned alot of things from Diablo 1, and so built a much more robust system for Diablo 2, but eventually with enough concerted effort a bug was found and exploited. But it took a year for a major exploitable bug to be found, and it could be years more for the next major bug. It can be said that the system is very secure, so the effort and attention to security will definetly payoff, as shown by their example.
From what i''ve found floating on the net, Diablo 2 uses an almost pure server driven model, where all processing, object generation, etc.. is done on the server. The only thinig the client gets are events, and some state data, but nothing they can modify to any harm to the server side. With the sparsity of information passed to the client, it makes the hacker jobs more difficult. I think this is one of the few ways to make your game secure against hacking, tightly controling the information available to the client, and never asking the client for any initlization or state data which can''t be verified strongly (through encrptyion tech or other proven techniques).
There could be flaws in your game design itself, which can be considered a bug, and exploited as such. There were numerous design flaws in Ultima Online when it was released for example. Those bugs luckly can be fixed, but that may anger a portion of your playerbase who have become dependent upon it. (such as diablos necormancers fix). These bugs are usually found through a long beta.
Good Luck
-ddn
Blizzard learned alot of things from Diablo 1, and so built a much more robust system for Diablo 2, but eventually with enough concerted effort a bug was found and exploited. But it took a year for a major exploitable bug to be found, and it could be years more for the next major bug. It can be said that the system is very secure, so the effort and attention to security will definetly payoff, as shown by their example.
From what i''ve found floating on the net, Diablo 2 uses an almost pure server driven model, where all processing, object generation, etc.. is done on the server. The only thinig the client gets are events, and some state data, but nothing they can modify to any harm to the server side. With the sparsity of information passed to the client, it makes the hacker jobs more difficult. I think this is one of the few ways to make your game secure against hacking, tightly controling the information available to the client, and never asking the client for any initlization or state data which can''t be verified strongly (through encrptyion tech or other proven techniques).
There could be flaws in your game design itself, which can be considered a bug, and exploited as such. There were numerous design flaws in Ultima Online when it was released for example. Those bugs luckly can be fixed, but that may anger a portion of your playerbase who have become dependent upon it. (such as diablos necormancers fix). These bugs are usually found through a long beta.
Good Luck
-ddn
One critical thing to remember about MMORPGs is that it''s a client/server model.
Trust in the server is everything.
Here is a great artical on online cheating.
http://gamasutra.com/features/20000724/pritchard_01.htm
Trust in the server is everything.
Here is a great artical on online cheating.
http://gamasutra.com/features/20000724/pritchard_01.htm
Well, in a MMO game you set up the server yourself, so trust in the server shouldn''t be a problem 
The most important rules:
- Never ever trust the client. If the client says the player moved by x tiles, check whether this doesn''t exceed the speed limit, and so on
- all effective game decision have to be made on the server, i.e. stuff like hit checking, damage, and so on
Now, to improve the gameplay, you''ll eventually have to implement techniques like prediction, and you''re probably already doing this without noticing it.
Imagine a completely server-controlled system:
You''d click your mouse, or hit the arrow keys or whatever to move your character. However, in a server-controlled system you''d have to wait until a packet has been sent to the server, and the appropriate response packet with the updated character position was sent back. This can be very annoying.
Now with prediction, your character moves instantly. But make sure that the movement that was calculated on the client is _not_ the "effective" state change, i.e. if the server thinks the move was illegal it will deny it.
While prediction is a good thing, you have to be careful. In order to be able to predict the game state, the server will have to "disclose" more information about the game state to the client. This might lead to what I refer to as "knowledge cheats", i.e. cheats that aren''t actual violations of the game rules in a way, but give the player knowledge that she shouldn''t have. You have to be careful when balancing between locking away information and prediction.
Another topic are plain bugs, as mentioned before. A very famous problem that appeared many times in the past is the so-called buffer-overflow hack. It works by giving a program more information than expected. When using this in a clever way, you can overwrite global or stack variables in a program, which often allows you to get illegal access. So always check for buffer limits...
cu,
Prefect
---
Sanity is the trademark of a weak mind.
The most important rules:
- Never ever trust the client. If the client says the player moved by x tiles, check whether this doesn''t exceed the speed limit, and so on
- all effective game decision have to be made on the server, i.e. stuff like hit checking, damage, and so on
Now, to improve the gameplay, you''ll eventually have to implement techniques like prediction, and you''re probably already doing this without noticing it.
Imagine a completely server-controlled system:
You''d click your mouse, or hit the arrow keys or whatever to move your character. However, in a server-controlled system you''d have to wait until a packet has been sent to the server, and the appropriate response packet with the updated character position was sent back. This can be very annoying.
Now with prediction, your character moves instantly. But make sure that the movement that was calculated on the client is _not_ the "effective" state change, i.e. if the server thinks the move was illegal it will deny it.
While prediction is a good thing, you have to be careful. In order to be able to predict the game state, the server will have to "disclose" more information about the game state to the client. This might lead to what I refer to as "knowledge cheats", i.e. cheats that aren''t actual violations of the game rules in a way, but give the player knowledge that she shouldn''t have. You have to be careful when balancing between locking away information and prediction.
Another topic are plain bugs, as mentioned before. A very famous problem that appeared many times in the past is the so-called buffer-overflow hack. It works by giving a program more information than expected. When using this in a clever way, you can overwrite global or stack variables in a program, which often allows you to get illegal access. So always check for buffer limits...
cu,
Prefect
---
Sanity is the trademark of a weak mind.
This topic is closed to new replies.
Advertisement
Popular Topics
Advertisement
