What can be done to prevent multiplayer hacking?

Question

I have been working on a UDP networking project out of curiosity, and I have come to a problem that I can not get my head around. I have researched and understand the basic principles like:

1. Use authoritative servers, and give the client as little authority as possible.
2. Ensure that each client is identified by the server uniquely with its own encrypted key.
3. Deter DDOS attack by inflating response packets.
4. etc..

Most of my knowledge of UDP comes from these wonderful articles: https://gafferongames.com/ ; and I am lucky enough to be using this library, which is based off of the authors own UDP protocol and takes care of most of the authoritative protection.

Now, here is my question:

Using a completely authoritative server, it still seems the player would be able to cheat.

• For example:

  For a fighting game, there are two functions on the clients side. void hit() and void hurt, these are the basic functions that allow the client to stimulate the fight.

  In Scenario 1: The localPlayer hits the other player, and sends this to the server. The server then sends a packet to the client of the player that was hit which would trigger the hurt() function. But if the player had edited the files and deleted the hurt function, nothing would happen. The player that had deleted the hurt() function would be invincible.

  In Scenario 2: The localPlayer is hit by the other player and calls the hurt(), and sends this to the server. The server then sends a packet to the client of the player that hit the localPlayer which would trigger the hit() function. But if the localPlayer had edited the files and deleted the hurt() function, nothing would happen. The player that had deleted the hurt() function would again be invincible.

I could only think of two solutions:

1. If the game ever encountered an error (because a function was deleted and did not exist) disconnect the client from the server.(not that great)

2. This one I just thought of while writing this, and it might be my solution: Store a health variable for each player on the server, and if it reaches 0, ignore any packets that would be impossible if the game was not edited.

That second solution sounds good to me right now, but I am curious as to what you guys do / would do since I am a straight beginner. Glad to hear any advice, thanks!

Answer 1

The player that had deleted the hurt() function would be invincible.

Not if a "master copy" of the game state is computed by the server. In that case, the player who modifies code will only have their client show an invalid game state, which doesn't help them play.

In general, everything except player input must be done by the server, the client only says what the player chooses to do and every resulting action/change is performed by the server. That way, the player cannot change anything except what they want to do, which is already under their jurisdiction.

Note that players can still cheat with the aid of tools, such as auto-clickers or aimbots. These forms of cheating are much harder to deal with, since it's hard to tell if someone is receiving inhuman assistance or if they're just a good player.

Answer 2

The client should not be deciding wether or not they hit another player, the server should do that.

The client can say, "i shot a bullet in this direction", and then its up to the server to decide, given the game state, wether or not that was a hit. Sure, you should probably have some kind of prediction on the client side tho, depending on the type of game :)