
How would a server-side anti-cheat work? You wouldn't be able to detect ESP or other information leaks. Best you can do is see how good they are vs. everyone else but how do you know if someone is cheating or just really good? Most cheaters are not blatantly cheating so it is hard to know for sure. Even something like aimbotting is almost always adjustable in cheat software to have varying levels of accuracy.




SSAC is already widely deployed for many games. I'm not a professional backend gamedev (just an enthusiast), so I don't know all the approaches / tricks, but here's off the top of my head:

> [...] see how good they are vs. everyone else [...]

It's called Elo or MMR. You match players with a similar rating. An unfair advantage in one area (e.g. aimbot, map hack) turns into a significant disadvantage in all of the other areas (strategy, team play, mechanics, situational awareness, decision making). In SC2 you can regularly see mid-high masters or low GMs play against map hackers and just destroy them. Match making simply works as intended.

As a cheater - aside from being a different (not more difficult, but different) kind of a challenger, how do you gain material advantage from this? Streaming the game? If you attract a community that cherishes cheaters? Well.

This is of course on top of normal AC.

> [...] how do you know if someone is cheating or just really good?

In versus - it will surface, as noted above. You will plateau, just like any other player. If you're "really good", you will become an outlier and get attention.

In a game like Warframe (PvE, you can farm goods that you can sell for in-game currency), the main limiting factor is your time. A very good loadout will shorten an exterminate mission from 4 to 3 minutes, and you can build a decent loadout within ~2 months of starting to play the game. To further shorten it to 2min, you need good mechanics, or - as noted - to cheat. That's assuming you run solo - but since this is a co-op game, there's often someone on your team who will clear the mission for you in 2min anyway. Choosing to cheat is your own risk.

I'd consider AC a core part of game design.

> Most cheaters are not blatantly cheating so it is hard to know for sure. Even something like aimbotting is almost always adjustable in cheat software to have varying levels of accuracy.

It depends on how high you want to go - you don't know where the radar is, and it only needs to spot you once. The problem space isn't just aimbotting, it's highly multidimensional. An arms race like any other, except your "enemy" (the host) has significantly more information.

You must combine client-side with server-side AC either way. A CS exploit will circulate the same way a regular aimbot will.


> You must combine client-side with server-side AC either way.

I should have clarified - this is exactly what I meant. Client-side anti-cheat cannot be replaced by server-side anti-cheat. You need both.

I work on an FPS game that is heavily targeted by cheaters (Rust). We do both but we are probably limited with what we can do server-sided because it's a PvP sandbox game. There is no matchmaking and no defined winner or loser to simplify ranking players against each other. It's also high stakes because a cheater can ruin a legit player's hours of preparation in moments. Drawing a line in the data to detect cheaters will catch outliers but there's a world of "legit cheaters" out there who use cheats but limit it to not stand out and avoid being banned.


Oh that's interesting! I've never played Rust (or any PvP shooter outside of Quake 3...), so forgive me my ignorance. Questions, out of curiosity:

- Why no matchmaking, why no win/loss condition? What's the incentive structure / stakes for the participants? Is that a differentiator in the genre?

- Other than raw mechanics (aiming), what other kinds of skillsets affect gameplay / success?

- What are you allowed to share about the mitigations?

I don't wanna try any further backseating, just curious.


It's a sandbox game. You play on the same server over the course of a wipe (up to one month long) and then the server's map is cleared/changed. Hundreds of players gather resources, build bases, craft weapons, etc. to fight each other and defend themselves from others. Players often team up but you never know who you can really trust unless you're actually friends with them.

Other than aiming there's just game and map awareness, including understanding the current meta. Base design is a whole other area relevant to defending against raiding while you aren't online or away from your base.

We use EAC but also have our own layers of protection. We do some of our own anti-tampering in the client, a player reporting system with staff to investigate, server-side antihack to guard against all kinds of weird state modified clients send, and a lot of data collection+analysis. If you look up Rust or any other popular FPS game you'll see it's still not enough.

The most effective anticheat tool really is game design. Games can be designed to limit or even eliminate the worst of cheating... but only by significantly changing the games. It'd be simple if everything was like the Civilization games because they're turn-based and have well-defined actions. All input can be 100% verified without the need for tolerances and hidden state (fog of war) can be networked only when necessary.
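
[Added example, not part of the thread and not code from Rust or any game mentioned here.] The two server-side ideas in the comment above, sketched in Python: rejecting client-reported movement that is not reachable within a tolerance, and networking another player's state only when the viewer could plausibly see them. The 2D world, the circular occluders, and every constant and name are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# All constants are assumptions for illustration, not values from any real game.
MAX_SPEED = 5.5     # fastest legitimate movement, metres per second
TOLERANCE = 1.25    # slack for latency and jitter; real-time games cannot use 1.0
VIEW_RANGE = 150.0  # entities farther away than this are never networked

@dataclass
class Player:
    name: str
    x: float
    y: float
    violations: int = 0

def validate_move(p, new_x, new_y, dt):
    """Accept a client-reported position only if it is reachable in dt seconds."""
    ok = dt > 0 and all(math.isfinite(v) for v in (new_x, new_y, dt))
    if ok:
        ok = math.hypot(new_x - p.x, new_y - p.y) <= MAX_SPEED * dt * TOLERANCE
    if not ok:
        p.violations += 1   # server keeps its own position; feed count to analysis
        return False
    p.x, p.y = new_x, new_y
    return True

def blocked(a, b, circle):
    """True if the segment a-b passes through a circular occluder (cx, cy, r)."""
    cx, cy, r = circle
    dx, dy = b.x - a.x, b.y - a.y
    length_sq = dx * dx + dy * dy
    if length_sq == 0:
        return False
    t = max(0.0, min(1.0, ((cx - a.x) * dx + (cy - a.y) * dy) / length_sq))
    return math.hypot(a.x + t * dx - cx, a.y + t * dy - cy) <= r

def visible_to(viewer, players, occluders=()):
    """Names of the players whose state the server should send to viewer."""
    names = []
    for o in players:
        if o is viewer or math.hypot(o.x - viewer.x, o.y - viewer.y) > VIEW_RANGE:
            continue
        if not any(blocked(viewer, o, c) for c in occluders):
            names.append(o.name)
    return names
```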


OK so it's like Minecraft, but with a lot more combat. I can see the appeal.

> The most effective anticheat tool really is game design.

Yep, that's always been my idea, and why I brought up Elo.

IMO second most effective is to play with people you already trust. Or like on many public Factorio servers: strangers get limited permissions until proven trustworthy. But none of this works in a game with just a couple hundred players.

Thanks for sharing.



