Florian22222

Game Server security

11 posts in this topic

Hello guys!

 

Right now I am developing a game consisting of a server made in C# .NET with database and a client for mobile devices in Unity3D.

I am using my own networking library with TCP.

 

The problem is: I am really afraid of people exploiting my networking code. So I know I can solve problems with the client by testing, testing, testing.

But what if someone writes their own client and doesn't keep my protocol? Right now I have a protocol which contains ( length of message | type of message | data ). What should I do if someone sends a request with a wrong length? Should I catch this case and just close the connection?

 

I think there are many cases my game server could crash. Is there any way of making sure someone can't crash my game server?

Maybe you guys can help me or point me to a paper which has this issue as a subject.

 

Thanks in advance!

0

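The "wrong length" question has a concrete answer: treat any length field the server cannot trust as a protocol violation, reject it before it drives an allocation or an array index, and close only that client's connection. The C# below is an added example written for this thread, not the original poster's networking library. It assumes a 4-byte little-endian length that counts the type byte plus the data, a one-byte type, a hypothetical MessageType set and a 64 KiB ceiling; the thread specifies none of these.

```csharp
using System;
using System.IO;
using System.Net.Sockets;
using System.Text;

// Added example, not the thread author's networking library. Assumed wire
// format (the thread only says "length | type | data"):
//   length : 4-byte little-endian uint32 counting the type byte plus the data
//   type   : 1 byte
//   data   : (length - 1) bytes
public enum MessageType : byte { Login = 1, Move = 2, Chat = 3 }   // hypothetical set

public sealed class MalformedFrameException : Exception { public MalformedFrameException(string m) : base(m) { } }

public sealed class Frame { public MessageType Type; public byte[] Data; }

public static class FrameReader
{
    // Ceiling chosen for this example; use the largest legitimate message plus a margin.
    public const uint MaxPayloadBytes = 64 * 1024;

    // Stream.Read may return fewer bytes than asked for, so loop until the buffer is
    // full; a peer that vanishes mid-frame surfaces as EndOfStreamException (an IOException).
    static void ReadExactly(Stream s, byte[] buffer)
    {
        int offset = 0;
        while (offset < buffer.Length)
        {
            int n = s.Read(buffer, offset, buffer.Length - offset);
            if (n <= 0) throw new EndOfStreamException("peer closed mid-frame");
            offset += n;
        }
    }

    public static Frame ReadFrame(Stream s)
    {
        var header = new byte[4];
        ReadExactly(s, header);
        // Decoded by hand so the result does not depend on host endianness.
        uint length = (uint)(header[0] | header[1] << 8 | header[2] << 16 | header[3] << 24);

        // Validate BEFORE the length drives an allocation or an index: an
        // attacker-chosen 0xFFFFFFFF must never reach `new byte[length]`.
        if (length < 1)
            throw new MalformedFrameException("length must cover the type byte");
        if (length > MaxPayloadBytes + 1)
            throw new MalformedFrameException($"frame too large: {length} bytes");

        var body = new byte[length];
        ReadExactly(s, body);
        var type = (MessageType)body[0];
        if (!Enum.IsDefined(typeof(MessageType), type))
            throw new MalformedFrameException($"unknown message type {body[0]}");
        var data = new byte[length - 1];
        Buffer.BlockCopy(body, 1, data, 0, data.Length);
        return new Frame { Type = type, Data = data };
    }
}

public static class ClientSession
{
    // One loop per connection. Whatever goes wrong inside it is logged and ends
    // only this session; the process, and every other player, keeps running.
    public static void Run(TcpClient client, Action<Frame> dispatch, Action<string> log)
    {
        string peer = client.Client.RemoteEndPoint?.ToString() ?? "?";
        try
        {
            using (NetworkStream stream = client.GetStream())
            {
                stream.ReadTimeout = 30000; // a client that stalls mid-frame is dropped too
                while (true) dispatch(FrameReader.ReadFrame(stream));
            }
        }
        catch (MalformedFrameException e) { log($"{peer}: protocol violation, dropping: {e.Message}"); }
        catch (IOException e) { log($"{peer}: connection ended: {e.Message}"); }
        catch (Exception e) { log($"{peer}: handler failed on this client's data, dropping: {e}"); }
        finally { client.Close(); }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed inputs: a well-formed Chat frame ("hi"), then a frame whose
        // length field claims 4 GiB, the "wrong length" case from the question.
        byte[] good = { 0x03, 0x00, 0x00, 0x00, 0x03, (byte)'h', (byte)'i' };
        byte[] bad = { 0xFF, 0xFF, 0xFF, 0xFF, 0x03 };
        Frame f = FrameReader.ReadFrame(new MemoryStream(good));
        Console.WriteLine($"accepted: {f.Type} {Encoding.UTF8.GetString(f.Data)}");
        try { FrameReader.ReadFrame(new MemoryStream(bad)); }
        catch (MalformedFrameException e) { Console.WriteLine($"rejected: {e.Message}"); }
    }
}
```

Two details matter more than the checks themselves. First, the bounds check runs on the raw length before `new byte[length]`, so a hostile client can cost at most 64 KiB of memory per connection, not 4 GiB. Second, the catch in `ClientSession.Run` wraps the whole session loop, including the dispatch call: in .NET an exception that escapes a thread terminates the process, so a handler bug triggered by one client's data has to be caught at the session boundary to keep it from kicking every other player. Per-type payload validation (a Move message with a fixed size, a Chat message with a maximum text length) belongs in the dispatch handlers and is left out here.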

Check the rate of change of consecutive values received from the client.

 

Which values are you talking about?

0


Which values are you talking about?

Assuming UDP networking, any sequence ids you are using to identify packets. It's ok to have a packet that is, say, 1-50 packets out of sequence, but if someone hands you a packet with a sequence number that is hundreds out, either someone is mucking with the packets, or you are experiencing massive packet loss, and might as well toss the client anyway.

You can of course also extend this to numeric values that change over time within the payload of the packet. But in general, I'd say that the client shouldn't be authoritative for any continuous values...
0

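The sequence-window check described in this reply, written out as an added example (not the reply author's code). It assumes 16-bit sequence numbers that wrap around, a tolerance of 50 positions in either direction, and a 32-bit bitmask for spotting replayed packets inside the window; the thread specifies none of these values.

```csharp
using System;

// Added example, not code from the thread. Assumes 16-bit sequence numbers
// that wrap around (the thread does not give the width) and the reply's rule
// of thumb: a few dozen out of order is normal, hundreds means tampering or a
// link so bad the client is not worth keeping.
public sealed class SequenceGuard
{
    public enum Verdict { Accept, Duplicate, Stale, Suspicious }

    readonly int maxDistance;
    ushort highest;      // newest sequence number accepted so far
    uint recentMask;     // bit i set => (highest - i) was already seen, i in [0,31]
    bool started;

    public SequenceGuard(int maxDistance = 50) { this.maxDistance = maxDistance; }

    public Verdict Check(ushort seq)
    {
        if (!started) { started = true; highest = seq; recentMask = 1; return Verdict.Accept; }

        // Wrap-aware signed distance: 0xFFFF followed by 0x0000 is +1, not -65535.
        int delta = (short)(seq - highest);

        // Far outside the window in either direction: the caller should drop
        // the client rather than try to make sense of the packet.
        if (delta > maxDistance || delta < -maxDistance) return Verdict.Suspicious;

        if (delta > 0)
        {   // newer than anything seen: slide the window forward
            recentMask = delta >= 32 ? 1u : (recentMask << delta) | 1u;
            highest = seq;
            return Verdict.Accept;
        }

        int age = -delta;                       // 0 means "same as highest"
        if (age > 31) return Verdict.Stale;     // too old to track; drop it, no kick
        uint bit = 1u << age;
        if ((recentMask & bit) != 0) return Verdict.Duplicate;  // replayed packet
        recentMask |= bit;
        return Verdict.Accept;                  // late but legitimate reorder
    }
}

public static class Demo
{
    public static void Main()
    {
        var guard = new SequenceGuard(maxDistance: 50);
        // Constructed input: a normal reorder, a replay, a wrap-around through
        // 0xFFFF, then a number hundreds ahead of the stream.
        ushort[] incoming = { 65530, 65531, 65533, 65532, 65532, 65535, 0, 1, 900 };
        foreach (ushort seq in incoming)
            Console.WriteLine($"seq {seq,5}: {guard.Check(seq)}");
    }
}
```

Run against the constructed input, the guard accepts the first three, accepts 65532 as a late arrival, flags its repeat as Duplicate, accepts 65535, 0 and 1 across the wrap, and returns Suspicious for 900 (899 positions ahead), which is the point at which the reply suggests dropping the client. A single Suspicious verdict from a lossy mobile link is plausible, so a server would normally count them per connection before disconnecting.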

You can of course also extend this to numeric values that change over time within the payload of the packet. But in general, I'd say that the client shouldn't be authoritative for any continuous values...

I would argue that clients are authoritative over the mouse position/movement, and mouse movement translates into camera/aim orientation (assuming FPS-style controls) and thus the client is authoritative for aim. While this makes aimbots easier to write, it's a necessary trade-off (and even without it, aimbots are entirely possible.)
1


Just create a series of checks which may reveal that the client is not a legitimate client or hacked client (i.e. detecting if the client is flying on the map - and not allowing that). Once that happens just remove them from the client list.

 

Making the connection-establishing code as advanced as possible to verify the client can almost always be reverse engineered, so I wouldn't worry about that too much.

0


The problem is: I am really afraid of people exploiting my networking code. So I know I can solve problems with the client by testing, testing, testing.


When you start talking about exploits and security, you need to change your mindset into one of risk management and risk mitigation.

The two big questions are: Who are you afraid of? What are the costs of a successful exploit?

A small market hobby game really doesn't need to be worried about major groups. Maybe a few programmer-types will poke and prod at it a little bit. Maybe some people will attach a debugger or a network probe. This is very different from a mainstream game that can expect major attacks from organized attackers for an extended period of time.

You need to figure out the maximum costs of an exploit. Would a successful attack take down one game, or an entire server? Would a successful attack have any high profile targets, such as a public leaderboard that they want to climb, or externally-visible achievements? Does it take down financial information, or even allow an attacker to make real cash transactions or expose financial information?



If you are a small project with a low likelihood of skilled attackers, and the reasonable risk is that an attacker's game will crash and possibly a server needs to be restarted, that is one thing.

If you have a low likelihood of skilled attackers, and your biggest risk is that your accounts database could be corrupted or damaged but otherwise individual games would be unchanged, that is another.

If you are a larger project with a high likelihood of skilled attackers, with risks of highly public exploits including potential financial concerns, that is something altogether different.


Rolling back a leaderboard and tracking down the bad accounts is easy.
Rolling back a server's account database to a known good state is hard, but possible.
Having millions of customer financial records exported is impossible to roll back.

Spend your resources based on a careful risk assessment. If the stakes are low, it probably isn't worth much effort.
2


Thank you for all your replies.

 

So this game is an MMO. It's not exactly a mainstream game, but players will access one server. I don't trust the client so far as that he cannot really cheat in my game or so.

The thing I am really worried about is that someone sends a bad package and this raises an exception on the server (ArrayOutOfBounds, InvalidMemory etc.).

 

I don't need to worry about really professional attackers, but if someone attempts to hack the server and the server crashes, all players will be kicked and this will be really annoying for them.

 

So my game is a combination of turn-based combat and trading card games for mobile platforms. How likely is this to be hacked if it reaches 1 million downloads (really optimistic thinking, but for security issues the worst case)?

 

I think I'll think my networking lib through and check on how it could be hacked and catch those cases. Then it'll hopefully be enough.

Edited by IceBreaker23
0


Thank you for your answer Kylotan!

 

I did all the things you said. All I wanted was a list as you gave it to me :)

I handle exceptions with a try-catch block and in the catch block it writes the exception to the debug log.

0

