Why is it not more common to implement anti-cheat on the server instead of the client? Is that not more secure? Couldn’t the server just check what vision a player should have and not provide any other information to prevent wallhacks or maphacks? Or check how fast it is possible to move to prevent speedhacks? Aimbot is a bit harder to detect I guess but what about the other ones?
Doing anti cheat on the server can only check for symptoms of cheating.
Doing anti cheat on the client can check for tools, attack vectors and the actual method of cheating.
Every time you double your servers’ cpu usage, you’ll double your server cost as well. If it were cheap I bet more companies would actually consider doing this.
The ultimate server-side anti cheat would be running the online game like Stadia where the players basically stream the game, which is very expensive to run today but might be the norm in the far future.
God what a dystopian future. But you may be right, even for single player games.
Couldn’t the server just check what vision a player should have and not provide any other information to prevent wallhacks or maphacks?
Definitely not how that works. The server has no idea how to tell how the GPU on the client-side is rendering anything. The server is just doing server things, which definitely doesn’t include data on the “vision” of each player. There’s a lot less data being transferred than you assume here.
All of these are way easier to detect client-side, because client-side you can actually check the code that is running.
A server that checked all the code that is running would be a very, very slow game. Like imagine a chess game where it took five minutes for a move to register after making a move. Servers focus mostly on “player state” like, where are they, what direction are they looking, what direction are they moving, what buttons they are pressing, and a lot less on checking the code of the remote player. Once again, because checking literally every players code remotely would slow everything way the fuck down.
I remember a long time ago it was on the server side that the hits were registered not on the client side. It had a funny feeling because you would have to shoot where the target was going towards instead of shooting where the target was. And that was done with 24 players in a server
This is still the case for most games. Games have just gotten better lag compensation methods.
It’s an interesting problem. If you render everything server side and just deliver a video stream to the client, like a GeForce now only tournament. That eliminates a lot of cheating vectors.
The issue then becomes ensuring you have equal latency to all the players. So no one person has an advantage. But you could add artificial latency in that circumstance.
There’s no getting away from the fact that in a distributed network, ordering of events and ensuring simultaneousness is difficult. Peakers advantage is a real thing.
Server side rendering and streaming, advantages: people only see what they’re supposed to see, the server has perfect registration of all activity.
Disadvantages: more latency for everyone, AI auto aiming is still an issue. Requires excellent networking for everyone
They usually use both. Client side and server side detection together.
The problem isn’t the check itself usually, but rather latency. If you shoot a player on your screen you want immediate feedback (client side), instead of waiting for a roundtrip to the server until the blood spatters.
There have been shooters where the server decides if a bullet lands. So on your screen you hit the player and then they suddenly survived. So most shooters switched to: If the client thinks it hit, it hit. Which does lead on the receiving end to running behind a wall and still dying. Overall it feels better than the alternative though.
The whole topic is pretty much game networking, it’s a balance between doing it correctly (server side, slow) and faking to get it close enough (client side, immediate, easier to cheat, unfair if the player is laggy).
Of course there are some server checks that are always easy: For example if a player teleports or moves around the map faster than possible? You can flag them for review or if it happens too often kick/ban them. As long as you’re super careful about automatic bans (bugs exist).
Because the client side is the side where cheating happens.
Sure, but client side is also owned and run by the cheater. Do you really trust them to always run the anti-cheat honestly?
Anti-cheats are typically designed so that the user can’t actually modify them at all. They install themselves deep into your system, sometimes literally in the form of a rootkit which basically runs parts of it completely invisibly from your OS, entirely.
Anti-cheats are typically designed so that the user can’t actually modify them at all.
The problem is that these measures can be bypassed
https://guidedhacking.com/threads/how-to-bypass-anticheat-start-here-beginners-guide.9882/
But it is complicated enough that most people don’t bother with it.
So is cheating, yet we still have cheaters.
Of course, which is why all cheating has been eradicated forever. Certainly no game with a rootkit anti-cheat has ever had a problem with cheating.
You can’t check the source of cheating on the server side, as it is run on the client side.
You can’t reliably check the source client side either, because the client side self-reports, and is where the cheat runs.
That’s a statement in the same ballpark as “people who get vaccinated can still get COVID, so why get vaccinated at all”.
Seriously, where do you even come up with that level of daft argument.
One of the most basic security principles is literally “never trust the client side.”
Nobody is making new COVID versions to get around the vaccine. COVID vaccines don’t create a backdoor into your immune system that make you weaker against other viruses. The COVID vaccine actually works. That is a stupid analogy.
More invasive anti-cheats cause a brief dip in cheating, and then cheaters spread around a way to get around the new anti-cheat and everything immediately goes back to how it was. As long as the anti-cheat is being run on the cheater’s computer, it will be bypassed and made irrelevant. People’s desire to see something, anything done about a problem no matter how terrible the solution sometimes just makes things worse without even helping the problem, and I’m not okay with that.
Nature itself is literally making new covid versions.
And our immune system detects and fights most of them similar to how virus scanners can detect a virus it doesn’t know. By detecting similarities.
If a new variant comes along that is so different from the OG virus that your immune system doesn’t know what to do with it, they develop a new vaccine, which you have “install on the client side” by getting the vaccine, to protect you from getting sick from it.
If new methods are developed to cheat, the cheat engine gets updated to detect those too.
As for “brief dip”, that’s the only thing needed for a product launch.
If a game is rife with cheating day one, it’ll fail.
If it only gets rife with cheating when people are already invested in it, the cheating is much lower priority.
That doesn’t change that fact that at the server side, you’re unable to detect most prevalent forms of cheating.
Wallhacks and aimbots are nigh impossible to detect on the server side.
Cool, keep taking your horse dewormer. I’ll be over here not installing rootkits made by companies with terrible security practices.
Server receives “1” for “hit registered” as sent by “client”. As a client I can shove 1s all day long, how will it safeguard that?
Server determines hit received. Client only sends shot fired and direction and such. Server could also calculate if shot and direction make sense based on location, last shot fired, etc.
I’m a dev but not a game dev so I have no idea if this is doable or too much for the server to handle.
There probably is a reason anti cheat on the client is still needed. On the other hand, isn’t this mostly to prevent wallhacking and such? That’s probably the hardest cheat to detect server side if it’s even possible at all.
Depends what you mean by wall hacking I guess. Shooting through a wall should not be possible by your proposed method, and it could be expanded to prevent the player moving through walls also.
Seeing through walls though is a different matter. How does the server know if I have rendered an opaque wall or not?
Personally I see anticheat as a problem to be solved socially, not technically. Just let people vote to kick, and anyone who is generally accepted to be hacking will be kicked. No need for invasive Spyware.
Just let people vote to kick
This system is easy to abuse, and historically when implemented will be abused.
I just want to say that the term ‘rootkit’ has been twisted out of shape when referring to anti-cheat. Rootkits are malicious. Software using low level privileges that require the user’s consent to a EULA, and which is designed to be uninstallable by the user I would not consider a rootkit, just invasive.