Questions about multiplayer security and server speed

WimpyLlama

Guest
I'm making a PVP/Tower Defense multiplayer game in GMS2 and I'm wondering how secure it is. What I mean by that is, if I store something like, for example, how much damage a weapon does on the client-side, is it possible/how easy is it for a hacker to hack the client and change that value to have an advantage in PVP? If it is possible, I'll have to handle things like that on the server-side of things, which isn't a huge problem. I would just like to know while in this early stage of development.

And while I'm at it I'll ask this now: what is the best language to use for a server? Currently, I'm programming the game's server in Python because 1: I know Python well and 2: I thought it'd be fun to try. I've heard using GameMaker for a server isn't the best, so I plan on not doing that. But are there faster languages? I've heard Java is good for servers, but that's all I know. And probably the biggest question: does it even matter? Is it going to be such a huge difference that I should change to a faster language for the server? (Note: the game is a 4v4 type game, so a maximum of 8 clients connected at once.)
 

FrostyCat

Redemption Seeker
Rule #1: NEVER trust the client. The client can intentionally change an internal value via a hex editor, or unintentionally by being momentarily out of sync, or both.
Rule #2: Infrastructure and architecture affect scalability much more than the choice of language. Choosing Java over Python or vice versa won't magically make a non-distributed architecture scale, nor will it magically let a home server handle 10000 connections at once.
 
WimpyLlama

Guest
One more question: if I shouldn't trust the client, what do I do for things like movement? Do I just send the player's inputs to the server and have it calculate movement and collision then send back the x and y position to the client? And even if I did, how? The server can't exactly use things like place_meeting to test for collision and such.
 

FrostyCat

Redemption Seeker
In a centralized architecture, clients only send input, and the server filters the input and sends back updates.

If you don't have place_meeting() on the server, you use basic collision detection formulas to build an equivalent of it. The one built into the GM engine didn't come out of thin air.
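
The input-only loop and a hand-built collision check from the reply above, sketched for a Python server. This is an added example, not code from the thread; the `dx`/`dy` message fields, `MAX_SPEED`, the 16x16 player box and all function names are assumptions.

```python
from dataclasses import dataclass

MAX_SPEED = 4.0              # assumed: pixels per tick, decided by the server only
PLAYER_W, PLAYER_H = 16, 16  # assumed player bounding box

@dataclass
class Rect:
    x: float
    y: float
    w: float
    h: float

def overlaps(a, b):
    # Axis-aligned box test; boxes that only touch edges do not count as colliding.
    return (a.x < b.x + b.w and b.x < a.x + a.w and
            a.y < b.y + b.h and b.y < a.y + a.h)

def place_meeting(x, y, walls):
    # Server-side stand-in for GML place_meeting(): would the player at (x, y) hit a wall?
    box = Rect(x, y, PLAYER_W, PLAYER_H)
    return any(overlaps(box, w) for w in walls)

def apply_input(pos, msg, walls):
    # Filter one client message and return the authoritative position.
    try:
        dx, dy = int(msg["dx"]), int(msg["dy"])
    except (KeyError, TypeError, ValueError, OverflowError):
        return pos           # malformed input is ignored, the position is unchanged
    # The client states a direction only; clamping stops it from choosing its own speed.
    dx, dy = max(-1, min(1, dx)), max(-1, min(1, dy))
    x, y = pos
    # Resolve each axis separately so a blocked player can still slide along a wall.
    if not place_meeting(x + dx * MAX_SPEED, y, walls):
        x += dx * MAX_SPEED
    if not place_meeting(x, y + dy * MAX_SPEED, walls):
        y += dy * MAX_SPEED
    return (x, y)

if __name__ == "__main__":
    walls = [Rect(32, 0, 16, 64)]                       # constructed sample level
    for msg in ({"dx": 1, "dy": 0}, {"dx": 1000, "dy": 0}, {"dx": "fast"}):
        print(msg, "->", apply_input((0, 0), msg, walls))
```

The server keeps `pos` per player and broadcasts the returned value each tick; the client never reports its own coordinates.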
 
WimpyLlama

Guest
Okay, thank you. This is becoming a more daunting task than I thought, but that's okay. It's time I had more of a challenge anyway!
 
enriqe

Guest
Hi @WimpyLlama.
I'm in the same situation as you - I plan to make a multiplayer game, but now I'm asking the same questions too. Security, cheating, hacking... I know the best technique is to do everything server-side but... this has some very important drawbacks.
Mostly the latency of any input action and the CPU power of the server...
Have you found some feasible way to go?
 

Padouk

Member
I know the best technique is to do everything server-side but...
I'm a big fan of "Listen Servers".


From the cheapest (more prone to cheating) to the most expensive (less prone to cheating):


Most cheats occur by simply modifying the saved game. This is the easiest way to hack a game really... And an easy way to prevent it is by not storing anything accessible by the client.
A) Keep the Persistence (saved data) in a managed environment (heroes saved in a database, level up registered through that managed end point, reward and inventory generated from web services)
Have a look at Steam Inventory Service for a good example: https://partner.steamgames.com/doc/features/inventory

This is usually enough for most Collaborative RPGs.

This one requires a Database. You can still run the realtime on the clients.
-----

B) Add some Collaborative Moderation: Players will report cheaters. You can inspect their analytics to find lookalikes and ban them.
B') Rule-based Moderation: Each participant automatically reports suspicious moves to a "Referee" (a web service judging weird moves). You can inspect those reports and ban accordingly.
This is usually enough for Brawler and Open Arena.


This one requires a Database, some analytics and "someone/something" to monitor the suspicious moves. You can still run the realtime on the clients.
------

C) Dedicated Server.
Process the input and update the game in a dedicated server. This is cost intensive.
This is usually recommended for Tournaments / Business / Auction based

This one requires hardware, someone to monitor general infrastructure health and someone to monitor the suspicious moves (players get creative...). The realtime is now handled on a dedicated server.
 