Why is anti-cheat always client-side?

Submitted ⁨⁨11⁩ ⁨months⁩ ago⁩ by ⁨Cralder@feddit.nu⁩ to ⁨nostupidquestions@lemmy.world⁩

Why is it not more common to implement anti-cheat on the server instead of the client? Is that not more secure? Couldn’t the server just check what vision a player should have and not provide any other information to prevent wallhacks or maphacks? Or check how fast it is possible to move to prevent speedhacks? Aimbot is a bit harder to detect I guess but what about the other ones?

source

Comments

Sort:hotnew top

Endorkend@kbin.social ⁨11⁩ ⁨months⁩ ago
Doing anti cheat on the server can only check for symptoms of cheating.

Doing anti cheat on the client can check for tools, attack vectors and the actual method of cheating.

source
- LordOfTheChia@lemmy.world ⁨11⁩ ⁨months⁩ ago
  Also, server side anti-cheat computation costs the gaming company money.
  
  Though you’d think some forms of cheating would be computationally inexpensive to detect, like teleporting and such.
  
  source
redcalcium@lemmy.institute ⁨11⁩ ⁨months⁩ ago
Every time you double your servers’ cpu usage, you’ll double your server cost as well. If it were cheap I bet more companies would actually consider doing this.

The ultimate server-side anti cheat would be running the online game like Stadia where the players basically stream the game, which is very expensive to run today but might be the norm in the far future.

source
- Heavybell@lemmy.world ⁨11⁩ ⁨months⁩ ago
  God what a dystopian future. But you may be right, even for single player games.
  
  source
  - EvolvedTurtle@lemmy.world ⁨11⁩ ⁨months⁩ ago
    Anti cheat for single player games is a silly concept that game companies are way too eager for
    
    source
    -> View More Comments
- EvolvedTurtle@lemmy.world ⁨11⁩ ⁨months⁩ ago
  I tried to set up Minecraft anti x-ray once And yeah it bogged down the server so hard
  
  source
SnotFlickerman@lemmy.blahaj.zone ⁨11⁩ ⁨months⁩ ago

Couldn’t the server just check what vision a player should have and not provide any other information to prevent wallhacks or maphacks?

Definitely not how that works. The server has no idea how to tell how the GPU on the client-side is rendering anything. The server is just doing server things, which definitely doesn’t include data on the “vision” of each player. There’s a lot less data being transferred than you assume here.

All of these are way easier to detect client-side, because client-side you can actually check the code that is running.

A server that checked all the code that is running would be a very, very slow game. Like imagine a chess game where it took five minutes for a move to register after making a move. Servers focus mostly on “player state” like, where are they, what direction are they looking, what direction are they moving, what buttons they are pressing, and a lot less on checking the code of the remote player. Once again, because checking literally every players code remotely would slow everything way the fuck down.

source
- JeffKerman1999@sopuli.xyz ⁨11⁩ ⁨months⁩ ago
  I remember a long time ago it was on the server side that the hits were registered not on the client side. It had a funny feeling because you would have to shoot where the target was going towards instead of shooting where the target was. And that was done with 24 players in a server
  
  source
  - boletus@sh.itjust.works ⁨11⁩ ⁨months⁩ ago
    This is still the case for most games. Games have just gotten better lag compensation methods.
    
    source
    -> View More Comments
TootSweet@lemmy.world ⁨11⁩ ⁨months⁩ ago
A lot of people in this thread are probably going to explain to you all the reasons why it’s necessary to do anti-cheat on the client.

And they’ll be correct that it’s not really reasonable to expect a system where data is sent to the client only when it’s needed to render (in order to prevent things like x-ray vision and such) to be performant. (At least not in the most common and general case today, but more on that later in the comment here.)

All that said, I very much believe that a lot of folks don’t suffifiently consider alternatives to client-side anti-cheating rootkits.

And this is all going to be a hot take, so strap in.

First off, an option that I’ve heard of is to require the client to send not just data like “my avatar moved to location X,Y,Z and has this velocity in this direction and etc etc etc” but also exact, specific keyboard and mouse inputs with timestamps. Then the server can a) validate that the given inputs at exactly the reported times produce the same location and velocity (this may involve running a copy of some portion of the client code on the server) and b) do better heuristic analysis on the inputs to detect things like aimbots more accurately. That would take more CPU on the server side, but it would go a long way toward making client-side anti-cheat rootkits less necessary.

But aside from that if a tabletop boardgame brought out the worst folks who played it and made it easy to cheat to the point that the game had a bad reputation, that would reflect poorly on the game designers’ ability to create fun games with mechanics that ensure everyone has fun, right?

So I have to wonder when a video game has either rampant problems with cheating or a draconian rootkit to lock down the client’s whole computer, how is it that people don’t ever consider that the video game designers should have put more thought into how to change the mechanics, incentives, or other design aspects of the game to avoid those issues.

A quick anecdote. There’s an open source Minecraft clone called “Minetest”. A handful of years ago, the developers announced they were adding client-side scripting to it. A lot of the players lost their absolute shit. “How can you encourage cheating like this?” And the developers were like “a) there are already scriptable clients in the wild modified by third parties so us not adding this feature won’t solve anything and b) things like x-ray vision are better solved on the server by, for instance, not telling the client which nodes are ore nodes until one face of the node is exposed - there’s already server-side scripting that can be used to do that.” Unfortunately the very vocal anti-client-scripting crowd won that argument just by being really loud and pitching hissy fits and the client-side scripting the developers added ended up pretty useless. (And keep in mind this even keeps single-player games from accessing the features offered by the client-side scripting effort.) And again, scriptable clients already existed in the wild.

Now, it’s really hard to come up with game design principles that would deincentivise all cheating in all genres of games. But just a few ideas:

What if there was an FPS that just gave every player x-ray vision to level the playing field for everyone?

What if you made scripting the client to make grinding or aim bots a feature rather than trying to prevent that, but required that all bots play only on bot-allowed servers? Even if that couldn’t be perfectly enforced, I’d guess it would reduce the incentive to try to play unfairly with client scripting. (Plus if there’s a built-in client scripting system that reports what it’s doing, or for some architectural reason has to report what it’s doing to the server, it’s probably going to deincentivise hacked clients.)

Not all game designs can get away with not sending data to the client until the client needs to render it to avoid x-ray hacks, but you could certainly design a (fun) game that did allow for some version of something close to that. A team v. team FPS game where the entire map is divided in half with a big opaque wall that disappears two minutes into the match whereafter basically has line of sight to everyone else for the rest of the match. You could not send player location data for the other team’s players until the wall disappeared.

Make the games player vs NPCs rather than players vs players and predefine the NPCs’ paths.

I mentioned the Minetest “don’t tell the client which blocks are ore until a face is exposed” thing above.

Maybe player rating systems? To where if a player is obviously cheating, other players can give that player a 1-star review. Enough of those and they get put on the naughty players’ server.

(I’d list some more ideas here but it’s 2:00am and I really should sleep. Lol. Maybe I’ll see if I can come up with more tomorrow.)

Aside from that, I’ll say that, for all the talk about how server-side anti-cheat can’t really work well, I’d have to submit that… client-side anti-cheat doesn’t really work that well either. Folks regularly find ways around it. And there are companies out there that make anti-cheat software that have started to tip their hand about how much it doesn’t/can’t work by partially giving up on making bulletproof client-side anti-cheat that works (because that’s not that feasible), but by bringing lawsuits against people who break their client-side anti-cheat. (It’s the same trick they pulled with DRM, at least in the U.S… It’s not really possible to make DRM secure against the user who has physical access to the machine on which the DRM scheme is being executed, so instead of making DRM that works, they made laws to criminalize the breaking of DRM.)

All in all, I wouldn’t personally play any game that required a rootkit. Don’t care how fun it is. That’s just straight up a deal breaker for me. It’s my computer, dammit!
source
- Kolanaki@yiffit.net ⁨11⁩ ⁨months⁩ ago
  
  What if there was an FPS that just gave every player x-ray vision to level the playing field for everyone?
  
  This actually exists. Blacklight Retribution. It kinda sucks.
  
  source
  - ZILtoid1991@kbin.social ⁨11⁩ ⁨months⁩ ago
    It used to be cool, but then they added pay to win elements, because of course.
    
    source
    -> View More Comments
- FuglyDuck@lemmy.world ⁨11⁩ ⁨months⁩ ago
  
  Maybe player rating systems? To where if a player is obviously cheating, other players can give that player a 1-star review. Enough of those and they get put on the naughty players’ server.
  
  Because that’s not incredibly easy to exploit. And even if it’s not intentionally malicious reporting… there’s idiots who seem to think them lossing means the other cheated.
  
  I’m reminded of my time in WoW- vanilla wow when T-0.5 was still the best gear yiu could reasonably get. Any how this fully geared T0.5, l60 warrior tried to gank my greens-and-blues geared l58 mage.
  
  He waited until I was drinking, for that free crit. I was OOM, cuz I was ape grinding mobs.
  
  I killed him using r1 frost bolt, frost nova and my wand. (Warriors at the time had zero ability to reliably gap close against any kind of mage.). Eventually he tried to run. He got but hurt from all the frost bolts I rammed up his ass.
  
  Decided there’s no way a level 58 should be able to kill a 60. Now. Here’s the thing I’m very much “red is dead” in games with pvp. So of course i camped his ass. One, it was basically free HKs, two, he tried to gank a lower level, three he tried to gank an OOm mage. And four? Did I mention the free HKs?
  
  source
- r00ty@kbin.life ⁨11⁩ ⁨months⁩ ago
  Back in the day (CS1.5/CS1.6) there was a server addon called HLGuard. Where it did some basic checks to see if you should know about another player and not send info unless you need it.
  
  But, it wasn't perfect, and you'd still get an advantage from wallhack and of course it cannot stop aimbot. You could perhaps "detect" likely aimbot though. But it did limit the power of wallhack.
  
  I actually tested it (of course on my own server with a friend who knew I was doing it). What it seemed to do was make sure you only really saw a player when they were very close to a wall where they'd become visible. But of course, close up things like needed to hear audio cues meant you'd often see them through walls anyway.
  
  Also I never measured it, but it must have taken a fair bit of CPU to make all these determinations for every player on every tick.
  
  For modern MMOs etc, they are usually VERY client authoritative because they're handling thousands of players at once and really want to spend as little CPU time on each as possible. So, they will likely want anything they have to be client side.
  
  source
Nemo@midwest.social ⁨11⁩ ⁨months⁩ ago
Because the client side is the side where cheating happens.

source
- zephr_c@lemm.ee ⁨11⁩ ⁨months⁩ ago
  Sure, but client side is also owned and run by the cheater. Do you really trust them to always run the anti-cheat honestly?
  
  source
  - Chozo@kbin.social ⁨11⁩ ⁨months⁩ ago
    Anti-cheats are typically designed so that the user can't actually modify them at all. They install themselves deep into your system, sometimes literally in the form of a rootkit which basically runs parts of it completely invisibly from your OS, entirely.
    
    source
    -> View More Comments
  - Endorkend@kbin.social ⁨11⁩ ⁨months⁩ ago
    You can't check the source of cheating on the server side, as it is run on the client side.
    
    source
    -> View More Comments
Vlyn@lemmy.zip ⁨11⁩ ⁨months⁩ ago
They usually use both. Client side and server side detection together.

The problem isn’t the check itself usually, but rather latency. If you shoot a player on your screen you want immediate feedback (client side), instead of waiting for a roundtrip to the server until the blood spatters.

There have been shooters where the server decides if a bullet lands. So on your screen you hit the player and then they suddenly survived. So most shooters switched to: If the client thinks it hit, it hit. Which does lead on the receiving end to running behind a wall and still dying. Overall it feels better than the alternative though.

The whole topic is pretty much game networking, it’s a balance between doing it correctly (server side, slow) and faking to get it close enough (client side, immediate, easier to cheat, unfair if the player is laggy).

Of course there are some server checks that are always easy: For example if a player teleports or moves around the map faster than possible? You can flag them for review or if it happens too often kick/ban them. As long as you’re super careful about automatic bans (bugs exist).

source
- RightHandOfIkaros@lemmy.world ⁨11⁩ ⁨months⁩ ago
  
  Overall it feels better than the alternative though.
  
  Client Side Prediction in combination with Server Authoritative Calculation should always be the correct option.
  
  Basically, both the server and the client do the same calculation to see if a bullet hits. Then the server sees the client data and checks if it matches what the server calculated. If it does, then it ignores the client data and continues, otherwise it sends the correct data to overwrite the client. While the client waits for the server to check the data and send it back, it calculates the next frame based on previous server data such as previous enemy velocity, look angle, etc. The client is always slightly ahead of the server, but as long as the ping is low this isn’t a problem (depends on network data bandwidth, but usually anything below 150ms ping is not really noticeable, as the ping from your eyes to your brain processing it, then reacting to what you saw is between 150ms-300ms.)
  
  This feels bad for players with bad ping, but it doesn’t have a negative effect on anyone else except cheaters that can no longer shoot you through walls or make impossible movements. And both of these are usually the fault of the client, as choosing a server with lower ping or simply not cheating will fix the problem immediately.
  
  Client Authoritative Calculation, where the client tells the server the data to send other players, should never be used in a game where cheating would be a severe negative impact on the game, such as a PvP shooter.
  
  source
cyberpunk007@lemmy.ca ⁨11⁩ ⁨months⁩ ago
Server receives “1” for “hit registered” as sent by “client”. As a client I can shove 1s all day long, how will it safeguard that?

source
- krimson@feddit.nl ⁨11⁩ ⁨months⁩ ago
  Server determines hit received. Client only sends shot fired and direction and such. Server could also calculate if shot and direction make sense based on location, last shot fired, etc.
  
  I’m a dev but not a game dev so I have no idea if this is doable or too much for the server to handle. There probably is a reason anti cheat on the client is still needed.
  
  source
  - Longpork_afficianado@lemmy.nz ⁨11⁩ ⁨months⁩ ago
    Depends what you mean by wall hacking I guess. Shooting through a wall should not be possible by your proposed method, and it could be expanded to prevent the player moving through walls also.
    
    Seeing through walls though is a different matter. How does the server know if I have rendered an opaque wall or not?
    
    Personally I see anticheat as a problem to be solved socially, not technically. Just let people vote to kick, and anyone who is generally accepted to be hacking will be kicked. No need for invasive Spyware.
    
    source
    -> View More Comments
  - cyberpunk007@lemmy.ca ⁨11⁩ ⁨months⁩ ago
    As far as I’m aware every action the client produces is reported to the server. If I push “w” the client tells the server “move forward X amount”. So as far as I’m aware, make most sense to have anticheat on the client side.
    
    source
xep@kbin.social ⁨11⁩ ⁨months⁩ ago
I just want to say that the term 'rootkit' has been twisted out of shape when referring to anti-cheat. Rootkits are malicious. Software using low level privileges that require the user's consent to a EULA, and which is designed to be uninstallable by the user I would not consider a rootkit, just invasive.

source
- ichbinjasokreativ@lemmy.world ⁨11⁩ ⁨months⁩ ago
  Root kit by definition means software that grants root privileges to whoever controls it. Anti-cheat, especially kernel level anti-cheat, does just that. Parts of the anti-cheat used for genshin impact has been used on entirely different computers to disable antivirus programs.
  
  source
  - IHeartBadCode@kbin.social ⁨11⁩ ⁨months⁩ ago
    
    Root kit by definition means software that grants root privileges to whoever controls it
    
    That doesn't sound correct. That would mean sudo is a root kit, and I would be hard pressed to find people who agree with that statement.
    
    source
    -> View More Comments
  - xep@kbin.social ⁨11⁩ ⁨months⁩ ago
    I don't call sudo a rootkit, do you?
    
    source
    -> View More Comments
- r00ty@kbin.life ⁨11⁩ ⁨months⁩ ago
  Yes, I mean I understand why people use the term rootkit. But, at the same time it isn't good to dilute a term for something malicious.
  
  At the same time, while I hate cheating in online games I barely trust game developers that are often on a crunch timeline, access to user mode on my system. I really don't want to give them access to kernel mode just to detect cheats. Also, it just means the next level of cheats just has to do the same, or get themselves in the hypervisor instead or hardware based anyway.
  
  I don't play games that have kernel mode anti cheat (unless they've somehow installed kernel mode drivers without me knowing, every game installer wants admin to install these days it seems) for this reason.
  
  source
kewwwi@lemmy.world ⁨11⁩ ⁨months⁩ ago
there’s both

source