Web traffic analysis
Artyom, 2011-10-05 14:11:50

Protection against cheaters in a client-server game

I am developing a simple game with clients for browser and mobile phones and back end. Users will complete quests and receive some bonuses for this, which will then be transmitted to the server via a regular HTTP GET/POST.

I am interested in ways to protect against cheating. There was one similar question on Q&A and a couple of articles on Habr, but still not quite the same.

Does it make sense to encrypt all requests, or would a signature alone be enough? How to sign: hard-code the key into the clients, or generate an individual one for each user and hand it over at login? In the first case it can be extracted by analyzing the binary; in the second it can simply be intercepted with a sniffer and then used to sign all requests yourself. What other options are there? What should I read on this topic?


5 answers
rPman, 2011-10-05
@rPman

A universal mechanism is code obfuscation on the client side plus at least some traffic encryption. This will not rule out cheating, but it will make it harder/more expensive.
PS: personal know-how: along with obfuscation, try to periodically change the encryption algorithms, change everything you can, including the format of the structures holding the data that is critical to hacking the game. Throw tricks into the code, make deliberate mistakes in it (for example, a function is called md5, but make a few changes in its code). In general, make life as hard as possible for those who will decompile and study your code.
A universal, guaranteed alternative is to move all or part of the game logic processing to the server. The main disadvantage is a serious increase in network requirements (often unfeasible for mobile devices) and, sometimes, an increase in server load.
PS: is a p2p connection possible? Transferring part of the processing (checking the validity/reality of character control events) to a neighboring client (the closest one in network terms) would help partially offload the servers.
In any case, it is still unrealistic to protect yourself from action automators, because one can analyze the image on the screen and simulate button presses. Only sane game logic that does not demand stupid monotonous actions from players can save you from this...

korvindest, 2011-10-05
@korvindest

rPman said a lot, but as someone who acted as a “cheater” at the request of the developers of one game, I will try to systematize.
1. All checks should be server-side, no matter how badly that affects the load, because any JavaScript is cheated in a minute in a modern browser. To reduce the load, checks can and even should be duplicated on the client, but only duplicated.
2. Operations with purchases, sales and any expenditure of resources must be made atomic (a single write-off and the appearance of the purchase/building/whatever), otherwise one can force a bunch of buildings or units before the funds are written off.
3. Every new feature that appears in the game should be logged in more detail at first. As a rule, the most vile cheats are found in the new features of the game.
4. Create a function that characterizes a player's total growth rate over a period according to some empirical parameters known to you, and carefully monitor the leaders.
5. Create smart tools to automate some of the most routine activities. This will prevent cheaters being born among especially lazy developers who decide to play your game.
6. All player actions should be accompanied by a session identifier (I know I am being Captain Obvious here, but still), which should be replaced periodically without requiring re-authorization if the older identifier was used not so long ago.
7. Write a set of functions that check for unreal values in the database. For example: a house with a maximum of 10 residents already has 236 living in it. Or the total cost of maintaining a power plant is -135 currency. This will also let you catch especially arrogant cheaters.
8. It is worth controlling the rate at which entities appear. For example, someone might find a way to duplicate an item or unit, but so as not to get caught they will do it on multiple accounts; thus each individual account will not fall into the sample of cheaters, but a sharp increase in the number of entities of a certain type is a hint.
Well, I will leave the question of encryption to people more competent in this matter.
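Points 2 and 7 of this answer as an added example in Python, not the asker's or the answerer's code, with an in-memory store standing in for the database: the purchase checks the balance, debits it and grants the building under one lock, so parallel requests cannot buy more than the balance covers, and an audit function flags rows that violate game invariants. Account names, prices, limits and the row layout are constructed for the example.

```python
import threading
from dataclasses import dataclass, field

# Constructed sample rules; a real game would take these from its own config.
PRICES = {"house": 100}
MAX_RESIDENTS = {"house": 10}

@dataclass
class Account:
    gold: int
    buildings: dict = field(default_factory=dict)

class GameState:
    """Server-authoritative state: clients only send intents, never balances."""
    def __init__(self, accounts):
        self._lock = threading.Lock()
        self.accounts = accounts

    def buy(self, player, building):
        # Point 2: the balance check, the write-off and the grant are one indivisible step.
        cost = PRICES[building]
        with self._lock:  # no window in which a second request can see the old balance
            acc = self.accounts[player]
            if acc.gold < cost:
                return False
            acc.gold -= cost
            acc.buildings[building] = acc.buildings.get(building, 0) + 1
            return True

def find_unreal_values(rows):
    # Point 7: audit stored rows against invariants (constructed row layout).
    problems = []
    for row in rows:
        limit = MAX_RESIDENTS.get(row["building"])
        if limit is not None and row["residents"] > limit:
            problems.append((row["player"], "residents %d > %d" % (row["residents"], limit)))
        if row["upkeep"] < 0:
            problems.append((row["player"], "negative upkeep %d" % row["upkeep"]))
    return problems

def concurrent_buy_attempts(gold, attempts):
    # Fire `attempts` parallel purchases from one account; returns (successes, gold left).
    state = GameState({"p1": Account(gold=gold)})
    results = []
    threads = [threading.Thread(target=lambda: results.append(state.buy("p1", "house")))
               for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), state.accounts["p1"].gold
```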

AlpenColt, 2011-10-05
@AlpenColt

Don't forget about bots. On dtf.ru there was a decent article on this topic. In general, I recommend digging through that resource, because you can find a lot of interesting information there. I would also like to add that pure encryption will not help; korvindest mentioned this in passing, but I will clarify. Even without decrypting the request itself, we can understand that certain actions occur when packet X is sent to the server. And this is easy to use in any automation of an action, including cheating. Therefore, some unique IDs must be mixed into the data, which are constantly updated.
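The request signing the question asks about, combined with korvindest's per-session identifier and the constantly updated unique IDs this answer calls for, as an added Python example that is not from the thread: each request carries an HMAC under a per-session key, a timestamp and a fresh nonce, and the server rejects stale, altered or replayed packets. It assumes the login that hands out the key runs over TLS, and it does not replace server-side checks, since a modified client can still sign whatever it likes; the window length and field names are constructed.

```python
import hashlib, hmac, json, secrets, time

WINDOW = 30  # seconds a signed request stays valid (assumed value, not from the thread)

def canonical(user, ts, nonce, body):
    # Fixed serialization so client and server sign exactly the same bytes.
    return json.dumps([user, ts, nonce, body], sort_keys=True, separators=(",", ":")).encode()

def sign(key, user, ts, nonce, body):
    return hmac.new(key, canonical(user, ts, nonce, body), hashlib.sha256).hexdigest()

def client_request(key, user, body, now=None):
    # Client side: quest result plus timestamp, fresh nonce and HMAC over all of them.
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return {"user": user, "ts": ts, "nonce": nonce, "body": body,
            "sig": sign(key, user, ts, nonce, body)}

class Server:
    def __init__(self):
        self.session_keys = {}  # user -> per-session key issued at login
        self.seen_nonces = {}   # nonce -> time after which it can be forgotten

    def login(self, user):
        key = secrets.token_bytes(32)  # returned to the client over TLS (assumed)
        self.session_keys[user] = key
        return key

    def verify(self, req, now=None):
        # Server side: returns "ok" or the reason the request was rejected.
        now = time.time() if now is None else now
        key = self.session_keys.get(req["user"])
        if key is None:
            return "unknown session"
        if abs(now - req["ts"]) > WINDOW:
            return "stale"          # outside the window, so old captures are useless
        expected = sign(key, req["user"], req["ts"], req["nonce"], req["body"])
        if not hmac.compare_digest(expected, req["sig"]):
            return "bad signature"  # body or timestamp altered, or sender lacks the key
        if req["nonce"] in self.seen_nonces:
            return "replay"         # the same packet X sent a second time
        # Forget nonces whose window has passed; a stale replay is rejected above anyway.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        self.seen_nonces[req["nonce"]] = now + WINDOW
        return "ok"
```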

Vitaly Sergeev, 2011-10-05
@enkryptor

Please clarify the condition “Users will complete quests and receive some bonuses for this, which will then be transmitted to the server via a regular HTTP GET/POST”. What will be transmitted? The bonuses?
If the quests run locally on the client and the finished result is sent via HTTP, then no matter how you defend yourself, cheats cannot be prevented (there are too many attack vectors; it is possible not only to fake the traffic but also to interfere with the operation of the game itself). If the passage of quests is monitored from the server side and only the final interface is given to the player via HTTP, then cheating will not work.

Vasya, 2014-04-15
@vasmant

Adblock Plus Android has the ability to filter traffic
