1

Topic: [SUGGESTION] Dont trust the client, run all game code on server

I have a suggestion to prevent bots and cheats:

Why not render *everything* on the server, one rendering for each client, and not trust the client at all?
Then send it as an SVG/JPEG/PNG/GIF image to the client as an image/movie stream.

The client only sends its actions to the server, like "+attack" and such.

The client then only has 2 missions:
1: Receive the image stream from server, stretch it and show the image stream to the user.
2: Have a record for keybindings vs actions, so keymapping still can be configured.

If you know what VNC, RDP and Rdesktop are, then you know what I'm talking about.

A good idea would maybe be that the game can use the VNC protocol (RFB, port 5900). When a client connects, he gets a dialog where he sets player name and all keybindings. This would mean that no game client is necessary, any VNC client will do as the game client.

The server browser could simply be a webpage then, where addresses to servers are shown. Then any player can launch any VNC client and connect to a server.
Then there's nothing to modify or cheat with.

It would effectively make cheats impossible.
To get decent performance and no lag, you would need to keep the image transferred very small, and instead stretch it on client side.

2

Re: [SUGGESTION] Dont trust the client, run all game code on server

Hello bandwidth!

3

Re: [SUGGESTION] Dont trust the client, run all game code on server

keep the image transferred very small, and instead stretch it on client side.

Lol and then the tee is only one pixel ^^
not the best idea i have seen and i don't think that anybody will do that...

4 (edited by heinrich5991 2010-11-03 23:14:20)

Re: [SUGGESTION] Dont trust the client, run all game code on server

1) no custom clients -.-
2) won't prevent botting, since there are pixel-scanner aimbots

3) played without prediction yet? try it: "cl_predict 0", only playable at really low pings...

5

Re: [SUGGESTION] Dont trust the client, run all game code on server

is it possible to have the server to check the player's client for exact md5 sum of the original? would prevent custom clients.

6 (edited by sebastian 2010-11-04 00:28:02)

Re: [SUGGESTION] Dont trust the client, run all game code on server

1: Instead you do a custom server. The good thing with this is that no custom "improvements" can be done on the game that would give a player unfair advantage.
2: Pixel scanner aimbots are much "worse", in other words, don't aim so good. Since the colors of the characters cannot be changed to "help" the aimbot, it's harder to code an aimbot.
Compare a non-CAPTCHA protected form against a CAPTCHA protected form. There exist captcha crackers, but they don't have as high a success ratio.
So practically it's impossible to cheat.
3:
Tried now, comparing cl_predict 0 and cl_predict 1
Had a ping of about 50 - 75.
I did not notice any difference in using cl_predict 0 and cl_predict 1.

Alias: It's not possible, since your custom client could send a fake md5 value to the server.
Think about how it's done. It's often done by having a function perform an md5 check of the compiled binary itself and send the md5 value to the server. If you write a "cheaty" client, you can simply have that function always return the "correct" vanilla-md5 value instead. Even if you have the server deliver the game code to the client at play time, the client can choose to execute "cheaty" code instead.

Client can never be trusted.

Same with signed clients and such. As long as you run *ANY* game code on the client, it's possible to cheat.
In my opinion, *ALL* game code should run on the server. Only code that should run on client is the code which renders the image and reads user input.

7

Re: [SUGGESTION] Dont trust the client, run all game code on server

1) many clients do not give advantages: see teecomp, gamer, ...

2) i have several aimbots... (for informational purposes.)

i tested them. the pixel-scanner worked very well on team game.

3) so you can't play teeworlds at higher ping than 150, and only with a very fast connection
i don't have either...

4) you can't check the client. YOU CAN'T. accept that.

5) no gamecode is running on client-side. you can cheat like in wow with teleports, speed hack, and so on

8

Re: [SUGGESTION] Dont trust the client, run all game code on server

1. All game code is run on the server, the client only renders and sends the input to the server.

2. This thread, together with your thread in the support section, only leads me to one conclusion: You should not be allowed to use a computer.

Sorry for troll #4.

aka cheesy

9

Re: [SUGGESTION] Dont trust the client, run all game code on server

As grummi said the important things are rendered on the server so the solution of sebastian isn't needed. It wouldn't make much better because botting isn't impossible then.

alias wrote:

is it possible to have the server to check the player's client for exact md5 sum of the original? would prevent custom clients.

Theoretically it's not possible because the client must send the information back what md5 checksum his files have. So it's possible to manipulate the checksum. But I don't know if there is a theoretical absolutely secure solution to prevent such manipulations. I have never found a solution until today so I think it's not possible.

10

Re: [SUGGESTION] Dont trust the client, run all game code on server

Again a topic about stopping botting?
It is much better to make a bot detection server-side than to move all the client stuff to the server.
And, as heinrich5991 said, that wouldn't fix anything.

11

Re: [SUGGESTION] Dont trust the client, run all game code on server

Sworddragon wrote:

As grummi said the important things are rendered on the server so the solution of sebastian isn't needed. It wouldn't make much better because botting isn't impossible then.

alias wrote:

is it possible to have the server to check the player's client for exact md5 sum of the original? would prevent custom clients.

Theoretically it's not possible because the client must send the information back what md5 checksum his files have. So it's possible to manipulate the checksum. But I don't know if there is a theoretical absolutely secure solution to prevent such manipulations. I have never found a solution until today so I think it's not possible.

It could be possible. I didn't completely think it through, but if it is not a static md5, it should be possible. If the md5 sum is computed during runtime, the server could send a random challenge, that is added to the data computed for the md5. The client and the server compute the md5 individually and compare the solution. It's the same principle as in password salts, but it only works if the md5 is not precalculated.

aka cheesy
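
The salted check proposed in the post above, together with the objection raised to it elsewhere in the thread, as an added example (not code from any poster or from Teeworlds). The byte strings stand in for client binaries, the class names and `run_checks` are hypothetical, and MD5 is used only because the thread names it.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for client binaries; not real Teeworlds files.
ORIGINAL = b"vanilla client: render(); read_input();"
MODIFIED = b"modified client: render(); read_input(); extra();"

def digest(challenge: bytes, data: bytes) -> str:
    """MD5 over challenge + data, the salted check proposed in the thread."""
    return hashlib.md5(challenge + data).hexdigest()

class Server:
    """Holds a reference copy of the original client and issues challenges."""
    def __init__(self, reference: bytes):
        self.reference = reference

    def challenge(self) -> bytes:
        return os.urandom(16)  # fresh per check, so recorded answers go stale

    def verify(self, challenge: bytes, answer: str) -> bool:
        return hmac.compare_digest(answer, digest(challenge, self.reference))

class Client:
    """`running` is the code that executes; `hashed` is what it reports on."""
    def __init__(self, running: bytes, hashed: bytes):
        self.running, self.hashed = running, hashed

    def answer(self, challenge: bytes) -> str:
        return digest(challenge, self.hashed)

def run_checks() -> dict:
    server = Server(ORIGINAL)
    clients = {
        "original, hashes itself": Client(ORIGINAL, ORIGINAL),
        "modified, hashes itself": Client(MODIFIED, MODIFIED),
        "modified, hashes a stored original": Client(MODIFIED, ORIGINAL),
    }
    results = {}
    for name, client in clients.items():
        c = server.challenge()
        results[name] = server.verify(c, client.answer(c))
    # Replay: an answer recorded for one challenge, sent for a later one.
    recorded = digest(server.challenge(), ORIGINAL)
    results["replayed old answer"] = server.verify(server.challenge(), recorded)
    return results
```

The fresh challenge makes a recorded answer useless, but the server still accepts any client that can read the original bytes, whatever code it is actually running.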

12

Re: [SUGGESTION] Dont trust the client, run all game code on server

why and how could teeworlds create such a perfect security if really big companies can't.

as said above: wow (many cheat tools), starcraft 2 (maphack), ...

(yes i like blizz games smile)

13

Re: [SUGGESTION] Dont trust the client, run all game code on server

heinrich5991: It's because it seems that no game company is willing to sacrifice the client computations.
I understand that, a 25fps 1600x1200 24bpp is nothing you're gonna send over the internet.

But my idea is basically if we don't require so much, let's say we ramp that down to 25fps 640x480 8bpp, or even 25fps 320x240 8bpp, you will get almost lag-free gameplay with high security.

Teeworlds is a perfect candidate for such a downgrade since Teeworlds is using few colors, not as many colors as "normal" games do, and the graphics are not that complicated.

Maphack in starcraft2 would not be possible for example if you would run over VNC.

All cheats that are based on unhiding information that is hidden to the player are totally impossible with VNC. All cheats manipulating gameplay (eg speedhack, norecoil, weapon hacks and such) are impossible too with VNC.
The only hack would be an aimbot, and that is more difficult if you use VNC.

I think that if the game would be run over VNC, players could even play for cash prizes without worrying about cheaters. There would be very few cheaters and every cheater would be forced to use a pixel scanner.

grummi: Still you could pick out the md5 calculations, and insert the correct values in the calculations and build a fake client.
MAXIMUM security can be achieved by rendering everything on server side, sending image to client, and then letting client send all inputs to server.
Even in a tournament, it's possible to cheat in this way with a pixel scanner. A demo, which is the way tournaments detect cheaters (by requiring all players to send in a demo of itself), would never detect a pixel scanner.

14

Re: [SUGGESTION] Dont trust the client, run all game code on server

Once and for all: Your idea is stupid, and if you insist on it being a good idea, YOU are also stupid.

In theory, it may seem like a good idea to have the server render the game also to prevent cheating. But that is only theory, and not even that can prevent all cheating.

1. Teeworlds would look shitty on 320x240. Try playing Teeworlds with 320x240 and low graphic settings. Nobody would want to play it.

2. You couldn't even play lag free per VNC over LAN, much less the Internet. You use VNC yourself, and you should know that you can't even use the desktop lag free over VNC.

3. The servers would need massive amounts of bandwidth to be able to send up to 16 different streams at the same time.

4. You would need a very powerful server to compute the up to 16 different views for the players.

5. 25fps is not a realistic framerate for VNC or similar technology. You'll get maybe 10-15fps over LAN, let alone internet. -> Teeworlds would be unplayable.

6. The only real cheating problem with Teeworlds is aimbotting.

All cheats that are based on unhiding information that is hidden to the player are totally impossible with VNC. All cheats manipulating gameplay (eg speedhack, norecoil, weapon hacks and such) are impossible too with VNC.
The only hack would be an aimbot, and that is more difficult if you use VNC.

None of these cheats are a problem with Teeworlds, except for the aimbot, and an aimbot is not stopped by VNC.

To sum it up: It would be very impractical, and it won't achieve the single goal it has: prevent cheating.

That is what I would call a bad (or even stupid) idea.

So, please close the topic and move on. There is nothing left to discuss here.



sebastian wrote:

...
grummi: Still you could pick out the md5 calculations, and insert the correct values in the calculations and build a fake client.
MAXIMUM security can be achieved by rendering everything on server side, sending image to client, and then letting client send all inputs to server.
Even in a tournament, it's possible to cheat in this way with a pixel scanner. A demo, which is the way tournaments detect cheaters (by requiring all players to send in a demo of itself), would never detect a pixel scanner.

Yes, you are right about that. As I said, I didn't completely think it through. It's not a good way to prevent cheating.

aka cheesy

15 (edited by heinrich5991 2010-11-05 17:24:47)

Re: [SUGGESTION] Dont trust the client, run all game code on server

thank you grummi, very nice answer.

as grummi said: this idea is nearly impossible/impracticable.


mod, plz close this senseless* topic.

*as grummi proved