security considerations
What kinds of things should I leave up to the server to calculate? Obviously I can't just let someone with a packet editor go, "hey, I shot that guy 50 miles over there, he's dead". Doing some kind of confirmation with other clients could lead to "huh? no you didn't, you are the one that died!". And so on until oblivion. The most secure way would obviously be "I shot in that direction from this position with this weapon" and let the server take care of everything. However, all of that collision detection adds up and leads to a huge slowdown on the server...not exactly what I want.
Other things are moving around. Even checking with the terrain can't be completely secure, since if someone cracks the map format it would be easy enough for them to walk wherever they wanted. My game is tile based so that makes it a little easier on the server, but it still hurts.
So I guess my question is how do most games do it? I'm pretty sure the giant $10000000 budget MMOGs do everything on the server but I don't have that kind of money. Is there some middle ground I can take and leave the blatant cheating up to moderators to ban people?
[edit] Another question I had was if I should bother with packet encryption. Any encryption can be broken with enough effort, so would it be better to not do it (or at least not a strong encryption) and focus more on a robust server?
[edited by - Raloth on July 31, 2003 4:03:09 PM]
AAAAA: American Association Against Adobe Acrobat. You know you hate PDFs...
July 31, 2003 04:35 PM
Most of the MMORPGs don't do comprehensive collision checks on their side; they do approximate checks. You should be able to implement something similar: a low-cost approximate check which would prevent clients from doing impossible things like going through mountains, teleporting throughout the world, etc.
Encryption will slow down hackers, but for the cost in terms of server CPU, it might not be worth it.
On the question of what the server should manage:
-items/player state change ( creation, transfer, destruction )
-critical events ( player attacks, player movement, etc)
Basically anything which you think a compromised client could take advantage of enough to ruin the game.
-ddn
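The "low-cost approximate check" ddn describes, as an added example that is not code from the thread: the server keeps the last position it accepted for each player and rejects any requested move that is impossible from there, without replaying the client's physics. The map, the one-tile-per-tick speed cap and the tick model are assumptions made for this example.

```c
/* Added example (not from the thread): approximate server-side movement
 * validation for a tile-based game. The server never trusts the client's
 * claimed starting position; it only compares the request against the last
 * position it accepted itself. Map, speed cap and tick model are assumed. */
#include <stdio.h>
#include <stdlib.h>

#define MAP_W 8
#define MAP_H 6
#define MAX_TILES_PER_TICK 1   /* assumed speed cap: one tile per server tick */

/* Constructed map (server's own copy, so a cracked client map format does
 * not matter here): '.' is walkable, '#' is impassable (mountain, wall). */
static const char MAP[MAP_H][MAP_W + 1] = {
    "........",
    "..##....",
    "..##....",
    "......#.",
    "......#.",
    "........",
};

typedef struct { int x, y; } Pos;

enum MoveVerdict { MOVE_OK = 0, MOVE_OUT_OF_BOUNDS, MOVE_IMPASSABLE, MOVE_TOO_FAST };

static int in_bounds(Pos p) {
    return p.x >= 0 && p.x < MAP_W && p.y >= 0 && p.y < MAP_H;
}

/* from:  the last position the SERVER accepted for this player
 * to:    the position the client now requests
 * ticks: server ticks elapsed since `from` was accepted
 * Cost is a handful of comparisons per request, no collision simulation. */
enum MoveVerdict validate_move(Pos from, Pos to, int ticks) {
    if (!in_bounds(to)) return MOVE_OUT_OF_BOUNDS;
    if (MAP[to.y][to.x] != '.') return MOVE_IMPASSABLE;   /* walking into a mountain */
    if (ticks < 0) ticks = 0;
    int dist = abs(to.x - from.x) + abs(to.y - from.y);  /* tiles moved, 4-way movement */
    if (dist > ticks * MAX_TILES_PER_TICK) return MOVE_TOO_FAST;   /* teleport / speed hack */
    return MOVE_OK;
}

int main(void) {
    Pos start = {0, 0};
    printf("step east, 1 tick:       %d\n", validate_move(start, (Pos){1, 0}, 1));       /* 0 = MOVE_OK */
    printf("jump across map, 1 tick: %d\n", validate_move(start, (Pos){7, 5}, 1));       /* 3 = MOVE_TOO_FAST */
    printf("into mountain:           %d\n", validate_move((Pos){1, 1}, (Pos){2, 1}, 1)); /* 2 = MOVE_IMPASSABLE */
    printf("off the map:             %d\n", validate_move(start, (Pos){-1, 0}, 1));      /* 1 = MOVE_OUT_OF_BOUNDS */
    return 0;
}
```

The check only inspects the destination tile, so a client that is allowed to bank many ticks could still cut a corner through a '#' tile; validating every tick or two keeps that window small, and a full path trace would be the expensive simulation the thread is trying to avoid. Rejected moves are a good signal for the moderator ban list Raloth mentions.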
Don't do a complex encryption system; it's not worth it, and your protocol should be safe even if hackers could read it directly with a packet sniffer.
However, it's a good idea to implement a basic encryption scheme like XORing with different keys for each player (you may improve it a little too). It should stop most of the script kiddies attempting to write another client/bot and trying to abuse possible flaws in your protocol.
Don't rely only on encryption though.
Darkhaven Beta-test stage coming soon.
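The per-player XOR scheme suggested above, as an added example that is not code from the thread, together with the reason the post says not to rely on it: once an attacker knows the plaintext of any one packet at least as long as the key (a fixed-format ping, for instance), a single XOR recovers the key. The key length and the packet formats are assumptions made for this example.

```c
/* Added example (not from the thread): repeating-key XOR keyed per player,
 * and a known-plaintext recovery of that key. Key length and packet formats
 * are assumed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 8

/* Per-player repeating-key XOR. Symmetric: the same call encrypts and decrypts. */
void xor_crypt(uint8_t *buf, size_t n, const uint8_t key[KEY_LEN]) {
    for (size_t i = 0; i < n; i++) buf[i] ^= key[i % KEY_LEN];
}

/* Known-plaintext attack: given one sniffed ciphertext and its known plaintext
 * of at least KEY_LEN bytes, cipher[i] ^ plain[i] is the key byte for position i.
 * Returns 1 and fills key_out on success, 0 if the packet is too short. */
int recover_key(const uint8_t *cipher, const uint8_t *known_plain, size_t n,
                uint8_t key_out[KEY_LEN]) {
    if (n < KEY_LEN) return 0;
    for (size_t i = 0; i < KEY_LEN; i++) key_out[i] = cipher[i] ^ known_plain[i];
    return 1;
}

/* Scenario: the server assigns a player key at login; the attacker sniffs the
 * encrypted ping (whose format is known), recovers the key, and decrypts a
 * later packet. Returns 1 if the attacker reads that packet correctly. */
int demo_known_plaintext_break(void) {
    const uint8_t player_key[KEY_LEN] = {0x3a, 0x91, 0x07, 0xc4, 0x5e, 0x12, 0xf0, 0x88}; /* constructed */
    const uint8_t ping[]   = "PING 0001";   /* 9 bytes, format known to the attacker */
    const uint8_t secret[] = "ATTACK 42";   /* later packet the attacker wants to read */
    uint8_t wire_ping[sizeof ping], wire_secret[sizeof secret], key[KEY_LEN];

    memcpy(wire_ping, ping, sizeof ping);
    memcpy(wire_secret, secret, sizeof secret);
    xor_crypt(wire_ping, sizeof ping - 1, player_key);       /* what the sniffer sees */
    xor_crypt(wire_secret, sizeof secret - 1, player_key);

    if (!recover_key(wire_ping, ping, sizeof ping - 1, key)) return 0;
    xor_crypt(wire_secret, sizeof secret - 1, key);          /* attacker decrypts with recovered key */
    return memcmp(wire_secret, secret, sizeof secret - 1) == 0;
}

int main(void) {
    printf("attacker recovered key and read the packet: %d\n", demo_known_plaintext_break()); /* 1 */
    return 0;
}
```

This is why the scheme is obfuscation rather than encryption: it keeps a casual packet editor from reading the stream at a glance, but every validity check still has to live on the server as if the packets were in the clear.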
Collision detection on a tile based game shouldn't take any real amount of CPU time. I'd work on optimizing it if it's slowing you down.
I had 12,000 NPCs wandering around with collision detection entirely on the server and the slowdown was purely bandwidth.
What you have the server do is entirely dependent on your exact game. If it really matters then the server needs to do it. If it doesn't really matter, then let the client do it.
Ben
[ IcarusIndie.com | recycledrussianbrides.com ]
KalvinB - (to Jessika) do you accept Jesus as your lord and savior
Jessika - Sure I can accept all forms of payment.
quote:
Original post by Raloth
What kinds of things should I leave up to the server to calculate? Obviously I can't just let someone with a packet editor go, "hey, I shot that guy 50 miles over there, he's dead". Doing some kind of confirmation with other clients could lead to "huh? no you didn't, you are the one that died!". And so on until oblivion. The most secure way would obviously be "I shot in that direction from this position with this weapon" and let the server take care of everything. However, all of that collision detection adds up and leads to a huge slowdown on the server...not exactly what I want.
Other things are moving around. Even checking with the terrain can't be completely secure, since if someone cracks the map format it would be easy enough for them to walk wherever they wanted. My game is tile based so that makes it a little easier on the server, but it still hurts.
So I guess my question is how do most games do it? I'm pretty sure the giant $10000000 budget MMOGs do everything on the server but I don't have that kind of money. Is there some middle ground I can take and leave the blatant cheating up to moderators to ban people?
[edit] Another question I had was if I should bother with packet encryption. Any encryption can be broken with enough effort, so would it be better to not do it (or at least not a strong encryption) and focus more on a robust server?
[edited by - Raloth on July 31, 2003 4:03:09 PM]
Reference...
Many logical attacks are the following...
1. memory overrun/overflow
char buffer[400];
memcpy(buffer, pointer, size); // size comes from an abnormal (attacker-controlled) expression, so it can exceed 400
for (int index = 0; index < size; index++) {
    buffer[index]; // and the loop then walks past the end of buffer for the same reason
}
2. unconstrained request sizes
char buffer[400];
.... maybe received over a socket.
int size = *((int*)socketbuffer); // length taken straight from the packet
memcpy(buffer, socketbuffer, size); // copied without checking size against sizeof(buffer)
...or using that size information elsewhere...
3. bad parameters
Many bad parameters contain unusable strings.
To avoid those...
1. add bounds checking code
2. use a fixed-size buffer and use that buffer's size
3. compare the network packet header's size information with the size returned by recv(...) or ioctl(...)
4. add check bytes to the packet tail
Note: see Security Fundamentals.
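The four mitigations above applied to the unchecked memcpy pattern in the same post, as an added example that is not code from the thread: a length-prefixed packet parser that copies into a fixed-size buffer only after the header length fits that buffer, agrees with what recv() actually delivered, and the trailing check byte matches. The packet layout (2-byte little-endian length, payload, one XOR check byte) and the 400-byte buffer are assumptions made for this example.

```c
/* Added example (not from the thread): hardened parsing of a length-prefixed
 * packet. Assumed layout: [u16 len LE][len bytes payload][u8 check], where
 * check is the XOR of all payload bytes. MAX_PAYLOAD mirrors the post's
 * char buffer[400]. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 400
#define HDR_LEN 2
#define TAIL_LEN 1

/* Trailing check byte: XOR of every payload byte. Catches truncation and
 * corruption; it is NOT an authentication tag, a forger can recompute it. */
static uint8_t check_byte(const uint8_t *p, size_t n) {
    uint8_t c = 0;
    for (size_t i = 0; i < n; i++) c ^= p[i];
    return c;
}

/* Hardened parser. recv_len is what recv() returned, never what the header
 * claims. Returns the payload length copied into out, or -1 on rejection. */
int parse_packet(const uint8_t *pkt, size_t recv_len, uint8_t out[MAX_PAYLOAD]) {
    if (pkt == NULL || recv_len < HDR_LEN + TAIL_LEN) return -1;    /* 1. bounds: header + tail must exist */
    uint16_t len = (uint16_t)pkt[0] | ((uint16_t)pkt[1] << 8);
    if (len > MAX_PAYLOAD) return -1;                               /* 2. fixed-size buffer: must fit */
    if ((size_t)len + HDR_LEN + TAIL_LEN != recv_len) return -1;    /* 3. header length vs recv() length */
    if (check_byte(pkt + HDR_LEN, len) != pkt[HDR_LEN + len]) return -1; /* 4. check byte at the tail */
    memcpy(out, pkt + HDR_LEN, len);                                /* safe: len <= MAX_PAYLOAD */
    return (int)len;
}

/* Builds a well-formed packet; returns total bytes or 0 if it cannot fit. */
size_t build_packet(const uint8_t *payload, uint16_t len, uint8_t *pkt, size_t cap) {
    if (len > MAX_PAYLOAD || cap < (size_t)len + HDR_LEN + TAIL_LEN) return 0;
    pkt[0] = (uint8_t)(len & 0xff);
    pkt[1] = (uint8_t)(len >> 8);
    memcpy(pkt + HDR_LEN, payload, len);
    pkt[HDR_LEN + len] = check_byte(payload, len);
    return (size_t)len + HDR_LEN + TAIL_LEN;
}

/* Scenarios over constructed packets; each returns the parser's verdict. */
int scenario_valid(void) {                      /* 1 if "hello" round-trips */
    uint8_t pkt[MAX_PAYLOAD + 3], out[MAX_PAYLOAD];
    size_t n = build_packet((const uint8_t *)"hello", 5, pkt, sizeof pkt);
    int r = parse_packet(pkt, n, out);
    return (r == 5 && memcmp(out, "hello", 5) == 0) ? 1 : 0;
}
int scenario_oversized_header(void) {           /* header claims 65535 bytes: -1 */
    uint8_t pkt[8] = {0xff, 0xff, 'h', 'e', 'l', 'l', 'o', 0}, out[MAX_PAYLOAD];
    return parse_packet(pkt, sizeof pkt, out);
}
int scenario_header_recv_mismatch(void) {       /* header says 5, recv() delivered fewer: -1 */
    uint8_t pkt[MAX_PAYLOAD + 3], out[MAX_PAYLOAD];
    size_t n = build_packet((const uint8_t *)"hello", 5, pkt, sizeof pkt);
    return parse_packet(pkt, n - 2, out);
}
int scenario_bad_check_byte(void) {             /* flipped tail byte: -1 */
    uint8_t pkt[MAX_PAYLOAD + 3], out[MAX_PAYLOAD];
    size_t n = build_packet((const uint8_t *)"hello", 5, pkt, sizeof pkt);
    pkt[n - 1] ^= 0x01;
    return parse_packet(pkt, n, out);
}

int main(void) {
    printf("valid: %d  oversized: %d  mismatch: %d  bad check: %d\n",
           scenario_valid(), scenario_oversized_header(),
           scenario_header_recv_mismatch(), scenario_bad_check_byte()); /* 1 -1 -1 -1 */
    return 0;
}
```

The order of the checks matters: the length is compared against the buffer before it is used for anything, and the check byte is only read after the length has been confirmed to agree with recv(), so the parser never indexes past the bytes it actually holds.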