Security in server-based multiplayer games

orange451
« Posted 2017-07-22 23:00:18 »

In my game in the WIP section, First Recon, I host a server and any client can connect to it. It's a fairly straightforward system.

I was wondering about how to stop clients that are not real from joining the server.

Currently I do a few sorts of handshake checks. When the client connects, he sends his client's version number (major.minor.patch) in the form of a string. Then he sends his username. If that information is received in under 2 seconds of the established connection, then the client is allowed into the server and will spawn on everyone else's screen.

Since I released my game I've noticed on more than a few occasions people creating sockets manually to my server, or creating a socket and supplying incorrect data (resulting in a DC of the socket).

I somewhat planned for this, and coded these things:

1) The server asks the client to hash a bunch of variables to an integer and send to the server every couple of seconds. If this data is not sent, or is incorrect, it results in a DC.

2) The server requires you to send specific packets at a specific frequency (like movement). If you send outside of this frequency range, it results in a DC.

Is this enough of an initial security? I've never really dove into these kinds of topics. I know there isn't a playerbase for my game, and it shouldn't "matter" at the moment. However, I am still curious about the topic.

After I integrate an account system into the game, I'll add an additional layer of security using a login-salt.

KevinWorkman
« Reply #1 - Posted 2017-07-23 00:45:03 »

I don't see anything that a determined hacker couldn't reverse engineer by simply looking at your code (which they can get, even if you're doing things like obfuscating) and what's sent over their network.

Can I take a step back and ask why you want to prevent clients from connecting to your server? You should be validating inputs on the server anyway, to prevent clients from doing anything they're not allowed to do.

Anything done on the client side is exploitable by the user. There is no 100% fool-proof way to prevent clients from doing whatever they want. If you really want something to be secure, you have to do it on the server.

orange451
« Reply #2 - Posted 2017-07-23 01:52:42 »

No, I know that someone with the client can reverse engineer it. That's not what I'm talking about. I'm simply wondering if there are any articles out there that explore topics like these.

Everything is already validated on the server (position, shooting, health, ammo, etc.).

I know there's no way to foolproof an online game. I just want to strengthen it!

KevinWorkman
« Reply #3 - Posted 2017-07-23 02:10:22 »

Quote
No, I know that someone with the client can reverse engineer it.

My point is that all of the "security" you mentioned (hashing variables, sending packets) can be reverse-engineered, so they aren't really providing much security.

orange451
« Reply #4 - Posted 2017-07-23 02:21:46 »

Well, the variable hash is in case someone uses Cheat Engine to manipulate movement speed, jump height, friction, etc.
That's the only reason it exists; for that specific case.

VaTTeRGeR
« Reply #5 - Posted 2017-07-23 08:51:00 »

Quote
The server asks the client to hash a bunch of variables to an integer and send to the server every couple of seconds. If this data is not sent, or is incorrect, it results in a DC.

Letting the client calculate hash values is indeed very specific; your first line of defense should be strict plausibility checks on the server. You'll catch Cheat Engine kiddies anyway if your (mentioned) plausibility checks on the server are any good.

You could go as far as the Source engine does and run (almost) the entire simulation on the server and just let the clients pretend and correct.
Or have a nice light server architecture and easy programming instead of wasting time on security while there aren't even players around.

Another important thing is vote-kick (with short ban) and admin tools, so that your player base can weed out hackers themselves.
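
The server-side plausibility check recommended in the reply above, together with the packet-frequency rule from the opening post, sketched in Java as an added example (not part of the thread and not First Recon's code). The class name, the limits and the sample moves are assumptions constructed for illustration; only horizontal movement is checked.

```java
import java.util.HashMap;
import java.util.Map;

/** Server-side movement plausibility check. All limits are assumed values. */
public class MovementValidator {
    static final double MAX_SPEED = 7.0;    // horizontal units/second the game allows (assumed)
    static final double TOLERANCE = 1.15;   // slack for jitter and rounding (assumed)
    static final long MIN_INTERVAL_MS = 10; // packets closer together than this are flooding (assumed)
    static final long MAX_DT_MS = 250;      // cap so a long silence cannot bank a teleport (assumed)
    static final int MAX_STRIKES = 5;       // consecutive rejections before a disconnect (assumed)

    private static final class State { double x, z; long lastMs; int strikes; }
    private final Map<String, State> players = new HashMap<>();

    public void spawn(String id, double x, double z, long nowMs) {
        State s = new State();
        s.x = x; s.z = z; s.lastMs = nowMs;
        players.put(id, s);
    }

    /** nowMs is the server's clock, never a client-supplied timestamp. */
    public boolean onMove(String id, double x, double z, long nowMs) {
        State s = players.get(id);
        if (s == null) return false;                               // no completed handshake
        if (!Double.isFinite(x) || !Double.isFinite(z)) return reject(s);
        long dtMs = nowMs - s.lastMs;
        if (dtMs < MIN_INTERVAL_MS) return reject(s);              // outside the allowed packet rate
        s.lastMs = nowMs;
        double allowed = MAX_SPEED * TOLERANCE * Math.min(dtMs, MAX_DT_MS) / 1000.0;
        if (Math.hypot(x - s.x, z - s.z) > allowed) return reject(s); // faster than any legal move
        s.x = x; s.z = z; s.strikes = 0;                           // accept: server state advances
        return true;
    }
    private boolean reject(State s) { s.strikes++; return false; } // server position stays authoritative

    public boolean shouldDisconnect(String id) {
        State s = players.get(id);
        return s != null && s.strikes >= MAX_STRIKES;
    }

    public static void main(String[] args) {
        MovementValidator v = new MovementValidator();
        v.spawn("p1", 0, 0, 0);                                    // constructed sample session
        System.out.println(v.onMove("p1", 0.3, 0, 50));            // normal step
        System.out.println(v.onMove("p1", 5.0, 0, 100));           // speed-hacked step
        System.out.println(v.onMove("p1", 0.5, 0, 102));           // sent too soon
        System.out.println(v.shouldDisconnect("p1"));
    }
}
```
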
KaiHH
« Reply #6 - Posted 2017-07-23 09:04:04 »

Two pieces of advice:
1. People should use Google more, for example this great answer (and following) sums up everything: https://gamedev.stackexchange.com/questions/33922/prevent-multiplayer-cheating#answer-33924
2. NEVER rely on "security through obscurity" (please also google that term up)