For UT2004, you can ban by player GUID (a hash of the CD key) or IP. With the game abandoned by Epic, a number of key generators have cropped up, which makes GUID bans useless. IP bans only go so far with VPNs costing $2 these days.
The main solutions we have today are IP ban + VPN blocking using a database of known VPN subnets and adding them all to the firewall, and a similar fingerprinting technique which scans their folder structure of certain system folders.
It was made for Tremulous (ioquake3 fork) where people kept evading IP bans, but it can be used for any other games.
It is not my project, but I know the author, and I could personally fork it and make it suitable for specific (or any) games if there is demand for it.
You may also use heuristics, too, in schachtmeister2:
Even without this IP bans only go so far as they're both easily swapped (VPN offers, or rent a VPS to forward traffic, or even by design with an ISP handing out dynamic IPs on router reboot) AND overreaching:
- NAT: ban household / campus
- CGNAT: ban whole neighbourhood
- IPv6: ban whole /64 => whole household (because of SLAAC + random privacy addresses)
On a counter-strike 1.6 server I help with moderating, we have the occasional cheater roll by, surprisingly often "ragehacking" with no attempt at subtlety (e.g. making noscope sniper headshots in mid air).
Since the server owner insists on allowing non-steam accounts (pirated copies) to connect we can't rely on SteamID bans, similarly to GUID in Unreal. It's a bit trickier to change the spoofed ID as I assume it's buried deep in the game install somewhere obscure, but still possible. It's actually a very popular game in northern Africa, the former Baltic states and surrounding areas as well as north and west Asia: without these players the server would be a ghost town.
Anyway, our approach is twofold carrot and stick style: Steam players get near instant reloads and immunity to some of the more "enthusiastic" automodding/kick features: so for the price of a handful of VPN keys you can get a legitimate, allowed advantage over most of the server population as well as reserved username and "VIP" tag, plus you now own the game. Seems a great way to do it, as it's available to anyone instantly for that one time fee (which goes direct to the game dev), or for free by playing at least 1 game a week for 5 weeks, then contacting the mod team on social media.
The other side to that (the stick), is that rather than simply kick/ban the player we usually take some time to have fun annoying them, to show them they're really not welcome, and make them actively not want to come back.
Disarming them then giving F tier weapons, a few random teleports out of bounds or stuck in the floor, repeat amx_rocket to turn them into a firework, amx_drug to max out FOV and add "drunk" effect, and ofc a bit of teasing about what a lowskill looser you must be to have fun while AI plays the game for you.
There's also "illegal" amx plugins and commands, which are generally frowned upon and extremely abusable, but quite useful in these situations. My favorite (which most of the "illegal plugins" are based around) is amx_exec which essentially gives admins direct access to any client's in-game console, to run any command or set any setting!
It's actually kind of terrifying that exists. For example this set of commands sets network baudrate to 1000 (that'll be fun for the cheater until they notice), changes name, wipes all keybinds, then binds the default chat key to close the game, while setting max FPS low enough to be bothersome without being obvious! There are pre-built macros that do far worse to your settings too: although easily fixable by deleting to restore defaults, would be very frustrating if you hadn't backed up your config files.
On an intriguing side note:
Many servers charge for VIP advantages, to the tune of up to $20/month! At first I thought this pretty shocking, until I found out that there's some kinda shady clique where to be listed in a reasonable spot on 3rd party server browsers, a hefty fee is required, and a significant proportion of this income gets spent on "boosts".
When our server owner stopped paying for "boost" for two months, mean player count dropped from 14/32 to 3/32, and max players from a regular 28/32 on weekends, to 12/32 on a Friday night if lucky. The player count rocketed as soon as the owner started paying again... but the crazy thing is it's $180/month!
Before getting involved with moderating, I thought running a fun, deathmatch, well moderated, low ping, high performance server dedicated to remakes/remixes of the 2nd most popular map in the game would be enough to be popular/busy. But no, apparently you have to pay extortionate fees to incumbent gatekeepers, if you want your server to be visible to the majority of the playerbase!
> There's also "illegal" amx plugins and commands, which are generally frowned upon and extremely abusable, but quite useful in these situations. My favorite (which most of the "illegal plugins" are based around) is amx_exec which essentially gives admins direct access to any client's in-game console, to run any command or set any setting!
Yes, we have something similar for UT2004, but only a handful of people are even aware it exists. It's too powerful and too easily abused. I have yet to share it, even with other admins.
It can be. There have been in-game commands with code execution vulnerabilities that turn into RCE because the game server can make clients run commands.
Yes, it's why I don't share knowledge of it. There are less than 300 people actively playing this game (maybe fewer) so any impact of something like a RCE running wild is relatively small.
Changing steamid is easily doable on most nosteam cs 1.6 copies through a cfg file.
I used to administrate CS 1.6 until a few years ago. I got a question concerning amx_exec. I thought cl_filterstuffcmd basically killed any usage admin slowhacking?
or is it that most nosteam cs 1.6 client have it set to 0 ?
It seems to me that what is needed is a "provisional" server that grants you access to the "good" server.
So an GUID accumulates reputation after some amount of play in the provisional server. If you get enough reputation by not cheating, the GUID gets whitelisted for the "good" server. You can have multiple tiers, so the really good/fun people get to the third of fourth tier of demonstrated non-cheating.
If they cheat, get banned, they need to climb the tiers with GUIDs again. The cheaters will want to cheat, they won't want to pay the dues. The legit players will happily try to get to the second and third tiers, so you could probably just require 1 hour of not-cheating for the first tier of server, and then maybe 8 hours to get to the third tier.
You could shadowban/honeypot after the first tier, so you shut all cheaters that you detect to their own cheater server where the cheaters can all get shunted to.
This still leaves you wide open to cheaters using mobile data tethering and proxies. Have you considered more advanced network analysis? It's one of the areas I have an interest in (professionally and personally) so if you want any suggestions let me know.
> This still leaves you wide open to cheaters using mobile data tethering and proxies
Is latency going to be good enough on mobile data (especially if they're also using proxies) for a FPS, though? Sure, they're using cheating software, but I wouldn't be surprised if the software gets the information it needs to cheat too late often enough for it to be useful.
Yes the latency is not nearly as bad as you might think, it's comparable to a VPN in my experience, though the quality will depend on your location and the available connections.
Sophisticated cheats in games like CSGO (and other competitive shooters) are usually very subtle, such as displaying enemies on the mini-map when they shouldn't be visible which provides a major advantage without requiring superhuman input, and the added latency is often negligible—especially when the info can be relayed to teammates and now you essentially have the entire team cheating with only 1 player suffering from a bit of increased latency.
And I wouldn't say this is an edge case either as in my experience the majority of cheaters I encountered are individuals that play on an alt account and offer a service to guarantee wins in ranked games.
I regularly played CSGO in Europe because the North American ranking system were screwed up.
I got to Supreme (2nd highest rank) with 150 ms ping. The people I queued with hit Global.
It's possible to play legitimately with very high ping. The higher ping put us at a disadvantage, but the skill gap between regions made it worth it to arbitrage.
NA is (or at least was when I played) the most populated and visible regional zone, and attracts a lot of players attempting various kinds of rank manipulation. On the one hand you have smurfing, which is the practice of a relatively high skill player using a an account with relatively low rank so that they can dominate lower ranked players. On the other side you have boosting, which is a relatively high skill player ranking up new accounts for later sale.
In practice this means at lower ranks, it was not at all uncommon to be matched with players with similar rank but vastly better skills.
This was my experience too years ago when I played CSGO. The difficulty at higher ranks (up to a certain point) felt significantly easier than the lower ranks. Getting out of the silver and gold ranks (can't remember the exact names) was a hellish grind with lots of matches that ended in one sided stomps with one or two guys on the other team racking up some insane k/d. Past that was smooth sailing for a long long way.
Yep - same story here with Nuke (the old one, but then it happened again on the new one too). Got to global and it was a ghost town save for the same 5 man we ran into every night.
It's not ideal but I lived half a year with unreliable internet and frequently played over a tethered 4G mobile connection (in Europe). Latency was around 40-50ms, which was still lower than the people playing from Eastern Europe who would play in EU West matchmaking. I imagine with 5G it could be even lower.
VPN or mobile IPs (blacklisted) must pay for a key ($20/year) that allows posting from blacklisted IPs. Key is good for posting from one blacklisted IP, locked for 30 minutes, so users cannot share keys. That way, you can ban the user by their key, if their IP is public.
It's not a perfect solution but it seems to be the best they've found for such a situation so far.
I mean, in this case it's 4chan so who cares, but I hope we are not very slowly moving towards a troubling world with lower classes of IPs and upper class IPs. IPs should be IPs should be IPs, it shouldn't matter whether it comes from an ISP, a mobile network, a VPN, or anything else, and we shouldn't attach some kind of IP caste to providers or countries. I think we really need Internet-wide IP randomization, where you can't just block a /24 or a /16 because they're in some icky ghetto. Yes, I know there is abuse, but if this is the alternative, it doesn't seem worth the cost in terms of innocent people losing access.
EDIT: Well, I guess the tribe has spoken. Pretty surprising. I think y'all are just assuming you'll always be the ones with the "good" IPs...
We are already there and have been for a long time. Geoblocking is very common for low-effort DRM and abuse mitigation, common VPN providers are easy to detect by IP but generally frustrate and/or ignore abuse reporting (until serious illegal activity is committed), college and other institutional networks are often no better than VPNs in this regard, etc. The Internet hasn't been able to operate as a network of peers at least since it was opened up to the public.
Assuming they get the report after the fact and assuming their "no logging" promises are true, can they even do anything? They're not even supposed to know which customer did it, after all.
If their promises are false, wouldn't they reveal their hand if they handed logs over willy nilly?
On some Japanese BBSes, spammers tend to use non-Japanese IPs or data center IPs. A good chunk of the spam goes away by blocking non-Japan IPs (easy to do with BGP data) and disallowing data center IPs (these often host VPNs, scrapers, etc.) from posting.
Posting from overseas thus costs money or is not possible. The trade-off is 1-100 extra users or significantly reduced spam for little effort. It's not surprising that most website operators choose the latter.
I also know of a file uploader that recently had to block overseas IPs due to such IPs repeatedly uploading illegal content. This is an example of a few bad actors ruining things for everyone.
I understand how you feel but IP blacklisting is really the only tool we have.
I'd much rather deal with that than some kind of forced state level verification/ID system where even pseudonymous browsing becomes impossible.
Blocking IP ranges by country or ISP is pretty much always going to have to exist as long as certain countries and ISPs turn a blind eye to abuse.
Even with as poor a solution as IP blocks are, it's the best we have and alternatives seem worse.
About your edit: I think you are overlooking the Realpolitik behind running a public forum. Admins are fighting a constant war against spammers and trolls. It doesn't sound fun to me. Yes, you are right, we now live in the era of "upper class" IPs now. A bit sad, but is there a reasonable alternative?
Anyway, it's a tradeoff between dealing with bad actors effectively and not impacting common users. There's a lot more bad actors than common users running into those sorts of IP bans though.
Using a VPN with WireGuard can actually reduce latency if your ISP has poor routing to the game server, as a VPN with better peering or routing paths can improve your connection. It’s not always the case, but with a decent provider, you might see lower ping in certain situations.
Can help routing induced latency as the other comment says (or force a new route if having downstream issues with your ISP peering), and some games in the past could leak IPs especially if using a p2p model and a VPN can mitigate that (especially one that only routes traffic for the game).
IIRC you also need one when playing from some countries, whether due to legal reasons or server restrictions.
When I was in the dormitory (~6-8 years ago), I used VPN (OpenVPN on my private VPS) over UDP port 53 to omit the firewall which was configured to block big parts of ports.
Oh wow that takes me back. I remember complaining to the university that I couldn't download files via FTP. A few months later they answered me explaining file sharing protocols had no legitimate uses at a university. I was working in a research lab and needed to download standardized datasets to validate that the software worked as intended. At the time, only FTP was used.
There's a bunch of services that can moderately reduce latency by using better paths. Specially worth it if you want to play with friends in servers farther than 1000km away.
Yes, we have a whitelist ability also, but it is definitely a last resort. The game is mostly dead and difficult to discover for new players. We don't want that roadblock if we can avoid it.
I still play Quake 1 and 2 online, randomly pop into Tribes 2, Counter Strike 1.5....usually the community is clicky and toxic to outsiders but sometimes you bump into really neat people.
Is this game online/multiplayer only? I mean, people still play Galaga and PacMan and other older classic games so why would you think someone wouldn't still play this one too?
It is not online only as we would now understand. But it is certainly only multiplayer game. Well you can play against bots, but even then it is multiplayer.
Small number of players works in favor of a whitelist. People shouldn't be playing with randoms, they should be playing with friends.
Game companies invade our privacy and destroy our computer freedom with ineffective malware tier rootkit solutions only to fail to solve the problem in the end. Their business model depends on enabling people to play with any random from anywhere in the world. They are forced to trust untrustworthy clients. The truth is people should not allow their computers to talk to strangers.
I presume "whomever they wish" means anyone who is not a cheater. In that case they need a whitelist. Because without one, every player is a potential cheater. Non-whitelist solutions don't match what I presume they want. They asked for NotCheater, server returned MaybeCheater.
Without a whitelist, it's only a matter of time before an actual cheater joins their server and ruins their fun.
> The main solutions we have today are IP ban + VPN blocking using a database of known VPN subnets and adding them all to the firewall, and a similar fingerprinting technique which scans their folder structure of certain system folders.
No. VPN blocking is useless to stop malicious actors as most residential connections have DHCP and VPN subnets are added and removed somewhat frequently, it's not that hard to find a "undocumented" one. It also completely excluds anyone using a VPN for non-malicous purposes.
Scanning files and folders is just ridiculous, not only an incredible invasion of privacy, but also trivial to work around.
VPN blocking is a cheap mitigation that stops 95% of the problematic traffic without removing a meaningful number of legitimate users.
Yes it doesn't "solve" the problem, and yes it removes some legitimate users, but it's by no means useless. Given the tradeoffs involved I'm not at all surprised it's so common.
If you have a solution that's less invasive (e.g., some businesses can get away with not providing anything expensive till after a payment has cleared the normal fraud window, and many businesses don't have obscene levels of malicious traffic; in those cases you can just let bad traffic run rampant and ignore it till it's a problem) then that's probably better, but blocking VPNs or whole countries or whatever can be the difference between a successful business and bankruptcy.
the cheats are software, software has certain quirks, like the way it aims or the way it tracks. And I'm willing to bet it has enough distinctiveness from human aiming to be classified. Couldn't a classifier work on the behavior of the cheating software itself, rather than use IP bans?
It's more effort than it's worth. There are server aimbot scanners which do something like this. There are also aimbots written to thwart this type of detection, adding delays, random drift, etc. It's a cat and mouse game. We don't have a lot of players left so it's not that much of an issue.
This is part of what Valve does in CS. It works pretty well but it does have false positives so it requires user intervention for confirmation of bans.
In order to actually catch a cheater mid-match rather than long after the match is already over, you'd need the servers that players are interacting through to have enough CPU grunt-force to do that kind of analysis "faster than realtime" — i.e. for the server's CPU to be able to run the game's physics faster than any client can, so it can run the physics with extra math in the same time it takes the clients to just run the physics.
Which might be something you could guarantee, if the game were locked to wimpy console hardware; or if the game had minimal CPU physics such that it was effectively never running CPU-bottlenecked and there were massive gaps in frame-time where even the client CPUs are sitting idle, that a server running in lockstep could cram that kind of analysis into.
But gaming is a race-to-the-top, hardware-wise. The CPU in a gaming rig might not have as many cores as your average server CPU, but it's almost certainly going to have higher single-core perf.
And part of the reason for that, is that games really do try to use your whole CPU (and GPU), with AAA studios especially being factories for constant innovation in new ways to make even the minimum requirements just to run a game's physics, higher and higher every year.
And if the server can't do "faster than realtime" analysis of the streams of inputs of the players, then by queuing theory, it'll inevitably get infinitely backlogged — the server will keep receiving new analysis work to do every timestep, and will fall further and further behind, never catching up until new work stops being generated — i.e. until the match is over. And then it'll have to probably sit there for five more minutes thinking really hard before spitting out a "hey, wait just a minute..." about any given match.
Which is fine if there's a big central lobby server that the game is forced to connect to, and your goal is to ensure that some central statistic that that central server relies upon (e.g. match-rank ELO) gets calculated correctly, such that cheaters are prevented from climbing the leaderboards / winning their way into high-ranked play. (And that's exactly the situation the big eSports games companies are in.)
But in the context of older games that use arbitrary hosted servers and random-pairing (or manual lobby-based match selection) — or in modern, but "dead", games, that only persist due to being modded to accept private servers — this "after-the-fact" punishment is useless, as most servers have no incentive to do this analysis, especially when cheaters can just hop around between servers. So there's nothing preventing people from being matched with cheaters, sometimes over and over again, if the cheaters can just tell their clients to roll up with a new key+IP for every match.
...and that's assuming there even are servers. You can forget about any of this working in a p2p context. (Think about what a Sybil attack means in the context of a federated set of individual tiny disconnected p2p networks.)
You should be able to limit analysis for this type of detection to only the input leading up to a kill/hit and ignoring everything else. The majority of the time players are not shooting could be used to do the analysis with plenty of time to boot midway in a round let alone a full game.
Also simple analysis of only the input streams as you stated really doesn't have to do with the phys rate of the game server and should be alot cheaper computationally. It can be offloaded to another process even if it was found to be too impactful to run alongside the game server directly. Something all those extra cores might be good for.
And I'm not refuting that. I was just pointing out a solution to a problem the GP proposed as intractable when trying to analyze player input data streams for cheating. The points you made are valid as far as the evolution of this cat and mouse game is progressing (probably still closer to the end end of can then do for now).
That being said, the vast majority of cheats are not that sophisticated. "Simple" analysis of player input should still be used to make low effort cheats less or ineffective. Especially if used to compare consistency of mechanical play by a player. I doubt most cheaters want to just turn on a full bot that plays by itself for the whole game. You can build a model of play customized for an individual player to look for changes in mechanical skill during critical plays. Then even if that was incorporated into the cheat client so that its 'actions' can't be definitevly detected against the players baseline, it would at least be limited to cheating as that player always playing like it's their best day. Either that or the cheater would have to go fully hands off for that account which I imagine is not as appealing for most cheaters.
Input analysis, even much simpleler approaches, can still be a valuable tool to make cheating more difficult and less opportunistic. The goal would be to raise the barrier of entry to cheating without immediately getting banned beyond downloading and running a client. If people who consider cheating in a game have to: order, wait for, and setup additional hardware then aquire models trained for the latest version of the game that are also trained on pro play in a way that lets the cheating be humanly plausible to remain undetected; it will reduce the total number of people who cheat in that title. Will needing to aquire additional hardware stop all cheating? No, I had a friend as a kid that owned a GameShark that I used and ended up corrupting the save on one of my Pokemon games. But if all of that is what is required to be able to successfully and consistently cheat, it will raise both the cost of development of cheats as well as their price to cheaters.
For top level professional play, in person tournaments on managed setups will remain the gold standard for the forseeable future (and besides they are attractive as events for their own sake). And for the rest of us, we will continue to be trapped in the labyrinth with both the cat and the mice.
The CPU being overwhelmed with physics sounds sus to me. CS has a few mechanics more than Q1, but not that many. It's a few collisions and should be possible to check in a tiny fraction of today's CPUs capabilities. Even with some advanced movement physics, it's just a handful of entities - Marbles does hundreds more per frame. Am I completely missing something significant here?
IP bans are fundementally flawed since you can't assume a static IP in the vast majority of cases anymore, if you rely on an IP blocklist then it's inevitable that you will end up hurting the experience of small amount of unlucky but innocent players. I suppose this might be more of an issue on ipv4 than it could be on ipv6, but really you should always expire IP bans to avoid issues like these, or you want to combine another data point with the IP such as a hardware ID (or a hash of a combination of hardware IDs). Cheaters do know this so even if we could assign everyone a static ipv6 they would likely just disable ipv6 support on their NIC and rely on their ipv4 exit ip.
Edit: If you don't think this is an issue I urge you to Google "pokemon go belgium ip ban" for a fun rabbit hole.
Sort of. Doesn't make sense to ban a single v6, you'd start by banning at the /64 level and move on to banning shorter prefixes from there.
You quickly run into the same kinds of problems you do in v4 though; most users have access to a shared pool of addresses, and you may need to ban the whole pool to ban an abuser, but then you also ban everyone else in that pool, and the abuser is more likely to have ability and motivation to use other pools.
It's better if you have multiple factors... if you don't like the IP, don't ban it, but be stricter on other measures, etc. So a well behaved client from a 'bad ip' can still play, but enough suspicious things and you can't play anymore.
The main solutions we have today are IP ban + VPN blocking using a database of known VPN subnets and adding them all to the firewall, and a similar fingerprinting technique which scans their folder structure of certain system folders.