this post was submitted on 10 Apr 2025
17 points (90.5% liked)

Game Development


Why do so many games rely on client-side anti cheat and stuff like kernel level anti-cheat?

Anti Commercial-AI license

top 13 comments
[–] [email protected] 4 points 1 day ago

All these people explaining that server side anti cheat is "easier". Let me explain to you the real reason why games use client side anti cheat:

  1. It used to be, gamers could self host servers. These servers would almost always have an active moderator who would instantly ban any cheater. I've watched quite a few cheaters get instabanned on games like this.
  2. But then, companies decided to deny gamers the control and ability to self host their own server which they could moderate. They decided to force everyone to play on one server — their server.
  3. However, they quickly realized that they were unable, or unwilling to spend money on moderators to ensure a high quality experience.
  4. Ergo — client side anti cheat. In addition to continuing their control over servers, now they also gain a degree of control over clients.

I've heard one rebuttal to this: Not all cheaters can be spotted by a human, sometimes they pretend to be a really good player.

To be blunt: I don't really care. I don't really understand why people care about that kind of cheater either. The point of kicking cheaters is to keep the game fun by not having everybody get crushed. But if the cheater is just like another good player, then they're just another good player to me.

I used to play this browser game, https://krunker.io/. It's a browser based FPS game, and due to being browser based it was really, really easy to write cheats. The devs gave up after like a month, and simply stopped updating the anti-cheat, opting for a different system instead — deputization. Players would become "krunker police", and while playing, if a cheater was reported, then they would anonymously, and silently watch, and then take action.

It worked pretty well, then krunker got bought by a mobile gaming company and the game lost a lot of members. But I think the original io browser game is still under full creative control by the devs though, it's just the discord, facebook, and mobile versions of the game that are enshittified.

Anyway, when I was playing a few months ago, I encountered a cheater in one of our lobbies. They were trolling, while advertising cheats. But there were like 5 good players in the lobby, it was a cracked lobby, and we stomped them. They couldn't even make it to top 4/8 people.

Imagine aimbotting, advertising those aimbots, and still getting stomped. We called them out on that, and they just left. And that moment was a shit ton of fun.

But anyway, in the comments, I see some of this same sentiment that companies parrot: That cheaters are inherently bad, and need to be stopped because cheating is bad. This frustrates me because cheaters are not the only entity which can make a game unfun, there are also other toxic elements which should be moderated, but are often not, because of the focus on cheaters.

> Play with cheaters, or play without DRM/Kernel level anti-cheat, pick one

Like this snippet from one of the comments below.

But people do cheat with DRM/Kernel level anti-cheat? I can think of 3 ways to do it off the top of my head:

  • Undetected virtual machine
  • Physical device that uses DMA to modify memory
  • Editing of device drivers that have DMA access

And I especially hate this particular dichotomy because, by assuming DRM/Kernel level anti-cheat is invincible, it creates a sort of "blindspot", where when someone does cheat, they may not get noticed because it's assumed they are unable to cheat in the game, which is not the case.

[–] [email protected] 15 points 2 days ago (1 children)

Server side anticheat needs to be tailor-made for every game; you need to have logic that understands how your game plays and what conditions mark a cheater.

With the kernel level client anticheat, you only need to verify one thing: that the user hasn't modified the game files. It's not 100% effective, but it's effective enough to keep script kiddies away.

[–] [email protected] 4 points 2 days ago

Isn't kernel level anticheat also looking for things like programs that do screen capture and programmatic input? Your assertion that server side anticheat must be implemented for every game is correct but I suspect you're oversimplifying what client side anti cheats do.

[–] [email protected] 5 points 2 days ago (2 children)

Server side anti-cheat is vastly superior to client side anti-cheat in many ways. It completely negates most cheats in the first place. There are some problems with server side anti-cheat that prevent it from being a viable solution on its own:

  1. The game needs to be programmed with Server Authentication in mind from the very beginning. Refactoring a game to move authentication from client to server would take a lot of time. Client side anti-cheat is cheaper and easier to add later on to a game.

  2. Not all cheats are detected. AimBot, XRay Vision, ESP, are the kinds of cheats that Server Authentication cannot reliably detect, because the server cannot possibly determine the difference between a really good player or a cheater in just a single game. Sometimes automated systems get it wrong.

  3. Server Authentication feels bad for players with high ping and packet loss. IMO, this isn't a problem and players should play on low ping servers anyway, but programming the client to predict and do the math the server would do (and the server packets overwrite the client data when it receives the server data) makes the game feel more responsive. The issue is that this can lead to a rubberbanding effect when the result of the server is finally received by the client and they get teleported to a potentially different place or just die immediately because someone with lower ping got to them before the server packets did.

The proper solution is to use Server Authentication, Client Prediction, AND client side anti-cheat. This would eliminate nearly all cheating in the game. Of course, this removes a lot of functionality from the game client and players would see this as some form of invasive DRM.

Play with cheaters, or play without DRM/Kernel level anti-cheat, pick one. Because you unfortunately cannot have both.

[–] [email protected] 3 points 1 day ago (1 children)

I'm not sure you can just have Kernel anti-cheat. There are still bypasses for it, just more sophisticated. At the end of the day cheating is inevitable, it's how invasive do you want your anti-cheat to be.

[–] [email protected] 1 points 1 day ago (1 children)

No, and I said (perhaps I didn't make it clear or I may be hallucinating lol), client side anti-cheat by itself is equally as ineffective as server side anti-cheat by itself at stopping cheating, because they both only catch some cheats. They both need to be used together in order to ensure a nearly cheatproof game. (Ignoring Walled Gardens like new, unjailbroken console environments).

Anti-cheats need Kernel access so that a cheater cannot try to disable or bypass the anticheat easily. I mean, nothing with a point of entry is totally secure, but with a good enough deterrent people that want to get in will think it is totally secure or not worth their time. At that point, with so many deterrents, developers of the anti-cheat software should be able to determine how a cheater that gets around their software does it and devise a patch for the vulnerability.

Dealing with cheating is always reactionary. You cannot preemptively ban someone for cheating, you have to actually wait for them to cheat. Kinda like the movie Minority Report (great movie). But to make it a lot easier for game developers, setting up as many guard rails as possible helps them to focus more time working on the actual game instead of dealing with cheaters. It's a necessary evil, and the consumer should decide for themselves if they want to install that on their system or not.

I do think that all anti-cheat software should only actually run when the game that needs it is running. I also think that games should have a label that says, vaguely, how invasive the anti-cheat is. Knowledge is most of the battle against cheaters, so telling them the exact anti-cheat methods could be detrimental, but at the same time consumers have the right to be informed about the kind of software dependencies a game might have.

[–] [email protected] 2 points 1 day ago

I'm still not convinced it's possible to have a cheat proof environment. Kernel anti-cheat is not foolproof, it's just more annoying to deal with than user space anti-cheat. Yes, pairing it with server side stuff will make it even more difficult but if one of the anti-cheats can be successfully bypassed then some amount of cheating is possible and anything running on a user's machine is susceptible to being bypassed because the user controls the environment. Additionally I'm in favor in general of kernel AC being outright banned by OSes. It's honestly far too invasive and it's a race to the bottom the game devs won't win if a cheater is determined enough. You say you're a fan of it only running as needed but it's in your kernel, it's got God access, 1 microsecond is too long to allow every game developer on the planet unrestricted access to my computer. Ultimately though client side AC is like DRM, when you expect the software on the user's computer to enforce your rules you will be sorely disappointed. It will raise the bar, it will make some people give up, but it won't prevent it.

[–] [email protected] 3 points 2 days ago (1 children)

> Play with cheaters, or play without DRM/Kernel level anti-cheat, pick one. Because you unfortunately cannot have both.

The answer is to go back to having user run and moderated servers instead of having giant centralized player pools with nothing but automatic moderation. Not everything has or can be sufficiently solved solely by technology.

[–] [email protected] 2 points 2 days ago* (last edited 2 days ago)

This does not really solve the problem. Let's take Battlefield 4 as an example, because while I would like to use Operation Harsh Doorstop as an example since it's more true to your idea, it would be morbidly unfair to your idea (negatively).

BF4 allows users to "rent" a server and run as if it were their own. Aside from the server machine being in the possession and ownership of EA, BF4 private server admins can implement their own server rules, kick and ban people, etc. They also have the added benefit of automatically populating in all client server browsers, as they all connect to the same server used for account storage and matchmaking. Plus, EA handles all of the server maintenance. Pretty sweet deal.

BF4 servers currently are affected by:

  • Low player population, except at peak times, weekends and holidays
  • Rampant, blatant cheating (like, literally teleporting flying characters)
  • Botted fake player counts in the server browser (server says 64/64 players, but there are only actually like 8 real players in the server and the rest are filled by bots that get replaced by real people when they join but those bots never spawn into the game)
  • Admins power tripping and kicking whoever they feel like and players that beat them in the game

Most of the servers are like this. The official servers, nobody joins those. Literally nobody. Private servers are like, 3 in 4 players are cheating. There is 1, I kid you not, 1 good server that is run well that kicks cheaters quickly. And the queue wait time to enter that server when more than 64 noncheater players are playing is atrocious. I am not joking when I say I once waited all day to join that server just for my game to crash once I got in. Nobody wants to have that kind of experience. Especially not after a long day at work and they just want to sit down for an hour or two to have fun in a game they like playing.

Not everything can be automated, but that does not mean that only human moderation is any better.

[–] [email protected] 6 points 2 days ago

Client side is cheaper. Vastly cheaper.
Server side, it needs to essentially run the same game client for every single player to ensure that what the client is telling the server is actually possible, and to cull unnecessary detail.
Whereas transmitting everyone's position to everyone allows the client to do their own culling (or not, in the case of a hacked/cheat client).
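
An added example, not code from any commenter or game in this thread: a minimal server-authoritative check of the kind the comments above describe, where the server rejects a client-predicted position that was not reachable (the client then snaps back, i.e. rubberbands) and culls what each player is sent. `MAX_SPEED`, `VIEW_RADIUS`, `TOLERANCE`, the `Player` type and the simple distance-based culling rule are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

MAX_SPEED = 7.0      # assumed units/second a player may move
VIEW_RADIUS = 50.0   # assumed radius inside which other players are sent
TOLERANCE = 1.05     # assumed slack for float error and timing jitter

@dataclass
class Player:
    name: str
    x: float
    y: float

def apply_move(player, claimed_x, claimed_y, dt):
    """Accept a client-predicted position only if it was reachable in dt
    seconds; otherwise keep the server's position. Returns (accepted,
    authoritative position). A client whose prediction was rejected snaps
    to that position, which the player sees as rubberbanding."""
    dist = math.hypot(claimed_x - player.x, claimed_y - player.y)
    if dt <= 0 or dist > MAX_SPEED * dt * TOLERANCE:
        return False, (player.x, player.y)
    player.x, player.y = claimed_x, claimed_y
    return True, (player.x, player.y)

def snapshot_for(viewer, players):
    """Server-side culling: send a viewer only the players within
    VIEW_RADIUS, so a modified client has nothing hidden to render."""
    return sorted(
        p.name for p in players
        if p is not viewer
        and math.hypot(p.x - viewer.x, p.y - viewer.y) <= VIEW_RADIUS
    )

def demo():
    # Constructed sample state, not data from any real game.
    alice = Player("alice", 0.0, 0.0)
    bob = Player("bob", 30.0, 0.0)
    carol = Player("carol", 200.0, 0.0)
    world = [alice, bob, carol]
    legit = apply_move(alice, 0.5, 0.0, dt=0.1)       # 0.5 units in 100 ms
    teleport = apply_move(alice, 190.0, 0.0, dt=0.1)  # 189.5 units in 100 ms
    return legit, teleport, snapshot_for(alice, world)

if __name__ == "__main__":
    print(demo())
```
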

[–] [email protected] 3 points 2 days ago

Not at all, you should never trust the client as they can spoof. But you can't install malware or harvest data as effectively from the server, so shady companies generally don't try it that way.

[–] [email protected] -4 points 2 days ago (1 children)

Not so much difficult, it's just not as effective. As the cheats are happening on the client side, they watch the client side.

The whole kernel level thing is so the anti cheat can run when windows starts while the cheat program runs when the user starts. This is a massive oversimplification though.

[–] [email protected] 1 points 2 days ago

> This is a massive oversimplification though.

It's so oversimplified that you got the whole thing wrong.