Excellent defense: “You sent me the packets revealing where all the other players were. If you didn’t want me to know they were behind walls why did you tell me precisely where they were?”
Yeah, doing such checks on the server side of things is more computationally intensive but it would solve that problem entirely and you wouldn’t need client-side anti-cheat bullshit anymore.
The first rule of network programming is never trust the client. How does anti-cheat software work? By trusting the client.
It is impossible to do these types of checks on serverside. Your PC needs to know where to render the enemy character ahead of time, otherwise they’ll pop into existence after you are dead. Bonus points for packet loss. Programming games isn’t the same as validating input from some rando trying to log in on a site, it’s an unsolved problem that all games have an issue with - from FPS like CS, RTS like Starcraft 2, to mobas like League.
It is impossible to do these types of checks on serverside.
If the client can make a determination as to whether or not to draw a player the server can too (and refuse to send those packets). It’s not impossible, just more computationally intensive and thus, more expensive (on the server side of things).
Naive way: Render exactly what the player will see on the server. Do this for every client and only send the data to the client if the another player enters the view.
More intelligent way: Keep track of the position and field of view of each player and do a single calculation to determine if that player can see another. If not, don’t send the packets. It will require some predictions but that’s no different than regular, modern game-specific network programming which already has to do that.
Servers these days have zillions of cores. It really isn’t too much to ask to dedicate a thread per player to do this kind of thing. It just means that instead of one server being able to handle say, 500 simultaneous players you can only handle say, 100-250 (depending on the demands of your game).
If your players host their own servers then it’s really no big deal at all! Plenty of cores for their personal matches with their friends or randos from the Internet. If you’re a big company with a game like Fortnite then it’s a huge burden compared to the low-effort system currently in place.
Why impossible? Server-authoritative programming is common in PVP gaming, even high-performance recent games. I don’t think anyone is suggesting lazily loading chunks of player data like wandering into a new chunk in Minecraft. Just write efficient, clean code that anonymizes or encrypts player data so it can’t be read client-side.
The issue here was that fortnite broadcasts locations of enemy players in packet data, not that it trusts clients “with anything”… where did you get that from?
Work arounds are for devs to solve, not schmucks on lemmy. CS:GO used to use something similar to occlusion culling to prevent this exact problem. Don’t send the client all of the enemy locations/data unless the client is within roughly the right distance/sight to see that enemy. This is not a full fix, but dramatically nerfs wall hacking.
I’ve seen community plugins for TF2 and other source engine games that will add “ghost” players. Generate ai characters, turn them invisible, and send their data to clients. If someone keeps shooting at the ghosts, they can easily get caught and banned.
There are entire industries dedicated to finding solutions to this problem, check out this research paper about this exact subject if you want.
That’s an excellent issue for you to research on your own time! If you know anyone on the OverWatch development team you could ask for their input as well. Please report back to this thread with your findings, we’re all very interested in the results.
Excellent defense: “You sent me the packets revealing where all the other players were. If you didn’t want me to know they were behind walls why did you tell me precisely where they were?”
Yeah, doing such checks on the server side of things is more computationally intensive but it would solve that problem entirely and you wouldn’t need client-side anti-cheat bullshit anymore.
The first rule of network programming is never trust the client. How does anti-cheat software work? By trusting the client.
It is impossible to do these types of checks on serverside. Your PC needs to know where to render the enemy character ahead of time, otherwise they’ll pop into existence after you are dead. Bonus points for packet loss. Programming games isn’t the same as validating input from some rando trying to log in on a site, it’s an unsolved problem that all games have an issue with - from FPS like CS, RTS like Starcraft 2, to mobas like League.
Immortal gates of pyre does it, and it’s just sc2 but better.
If the client can make a determination as to whether or not to draw a player the server can too (and refuse to send those packets). It’s not impossible, just more computationally intensive and thus, more expensive (on the server side of things).
Naive way: Render exactly what the player will see on the server. Do this for every client and only send the data to the client if the another player enters the view.
More intelligent way: Keep track of the position and field of view of each player and do a single calculation to determine if that player can see another. If not, don’t send the packets. It will require some predictions but that’s no different than regular, modern game-specific network programming which already has to do that.
Servers these days have zillions of cores. It really isn’t too much to ask to dedicate a thread per player to do this kind of thing. It just means that instead of one server being able to handle say, 500 simultaneous players you can only handle say, 100-250 (depending on the demands of your game).
If your players host their own servers then it’s really no big deal at all! Plenty of cores for their personal matches with their friends or randos from the Internet. If you’re a big company with a game like Fortnite then it’s a huge burden compared to the low-effort system currently in place.
Why impossible? Server-authoritative programming is common in PVP gaming, even high-performance recent games. I don’t think anyone is suggesting lazily loading chunks of player data like wandering into a new chunk in Minecraft. Just write efficient, clean code that anonymizes or encrypts player data so it can’t be read client-side.
Okay, now the player data is encrypted and unreadable by clients.
How will the client display where the players are without data…
Why are you bothering to spend cycles sending this useless, encrypted data…
If you mean to decrypt the player data once it reaches the client, then you have solved no issues…
Show me one multiplayer fps that does not trust the client with anything.
The issue here was that fortnite broadcasts locations of enemy players in packet data, not that it trusts clients “with anything”… where did you get that from?
how else should it inform the client of enemy players
Work arounds are for devs to solve, not schmucks on lemmy. CS:GO used to use something similar to occlusion culling to prevent this exact problem. Don’t send the client all of the enemy locations/data unless the client is within roughly the right distance/sight to see that enemy. This is not a full fix, but dramatically nerfs wall hacking.
I’ve seen community plugins for TF2 and other source engine games that will add “ghost” players. Generate ai characters, turn them invisible, and send their data to clients. If someone keeps shooting at the ghosts, they can easily get caught and banned.
There are entire industries dedicated to finding solutions to this problem, check out this research paper about this exact subject if you want.
That’s an excellent issue for you to research on your own time! If you know anyone on the OverWatch development team you could ask for their input as well. Please report back to this thread with your findings, we’re all very interested in the results.
awful
Sorry to hear that. Best of luck with your future projects though.
“Oh no, we don’t need to worry about any sanity checks in the database, that’s all taken care of in the javascript frontend”
I didn’t come up with that, but it’s the same logic. Actually expressing something like it in a professional setting could get you fired.
Not in the games industry, though.
Because there is a reason nobody does that serverside. Programming games and programming a service are two different beasts.
Most other industries don’t expect millisecond response times.
You take longer than that in an action FPS game, your game is fundamentally broken and unplayable.