Screw client side anti-cheat, fix your goddamn server code.
I’m reminded of a case in Apex Legends where cheaters started dual wielding pistols, despite dual wielding not actually being a game mechanic. That should be something you can easily detect on your server and block.
Client side anticheat is just smoke and mirrors and lets developers think they can get away with not doing their job of writing secure code.
I’m honestly surprised that with all this concern about privacy against Google, Microsoft, Epic, and so on, gamers are willing to just let these games have unrestricted and unchecked access to all your internet, microphone and camera data.
Likewise, despite how much gamers call games “broken glitchy messes”, they are perfectly willing to give them enough hardware access to literally destroy your computer.
Hear, hear.
Quick disclaimer, I’ve been involved with FOSS shooters for something like 20 years now. I mention that to establish where I come from: in a FOSS game anybody can modify the game client all they want, so all the bullshit is out of the way from the start. You can’t hide behind make-believe notions such as “they can’t modify the client” – which is one of the major lies and fallacies of commercial closed-source games. If there’s something you don’t want the client to know or do, you make it so on the server.
There are a lot of things that the server can do that can severely limit cheater shenanigans. If you don’t want them to see through walls then don’t tell them what’s behind walls. If you don’t want them to know what’s behind them then don’t tell them what’s outside their cone of view. If you don’t want them to teleport, look where they were a moment ago and where they claim to be now and figure out if it should be possible. You get the idea.
Aimbots can be detected because at the core it’s a simple issue of the client’s aim snapping from one place to the target too fast. What’s “too fast” and the pattern of the movement can be up for debate but it can definitely be detected and analysed and reviewed in many ways – regular code, AI, and human replay.
If this kind of analysis is too much for your server to perform in real time (it was too much, 20 years ago) then you can store it and analyse it offline or replay it for human reviewers. You can fast-parse game data for telltale signs, analyse specific episodes in detail, and decide to ban players. Yes it happens after the game was ruined but at least it happens.
There are a couple of types of cheating that you can’t detect server side:
I’ve mentioned human review above which brings up an interesting feature that I don’t see implemented in enough games: saving and replaying game metadata. It’s stupidly simple to store everything that happened during a match on the server side and it doesn’t take much space. You can offer that recording to seasoned players to replay on their PC which allows them to see the match from any player’s point of view. An experienced veteran can notice all kinds of shenanigans this way – and it’s also an excellent e-sport and machinima feature that enables commentary, editing, tutorials and so on.
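An added example, not part of the comment above and not any game's actual code: an offline pass over recorded per-tick match data that flags the two server-side signals the comment describes, a position change that should not be possible and an aim snap that ends in a shot. The `Tick` fields, the thresholds and the sample recording are assumptions made up for illustration.

```python
import math
from dataclasses import dataclass

# Assumed limits for a hypothetical game; tune them from real match data.
MAX_SPEED = 10.0        # world units per second
MAX_TURN_RATE = 720.0   # degrees of yaw per second
TOLERANCE = 1.25        # slack for latency jitter and tick rounding

@dataclass
class Tick:
    t: float       # server receive time, seconds
    player: str
    x: float
    y: float
    yaw: float     # degrees, 0..360
    fired: bool    # client reported a shot on this tick

def yaw_delta(a, b):
    """Smallest absolute angle between two headings, handling 359 -> 1 wrap."""
    return abs((b - a + 180.0) % 360.0 - 180.0)

def review(ticks):
    """Return (time, player, reason) flags for a human reviewer to replay."""
    flags, last = [], {}
    for cur in sorted(ticks, key=lambda k: k.t):
        prev = last.get(cur.player)
        last[cur.player] = cur
        if prev is None:
            continue
        dt = cur.t - prev.t
        if dt <= 0:  # duplicate or reordered timestamp: no rate can be computed
            flags.append((cur.t, cur.player, "bad-timestamp"))
            continue
        speed = math.hypot(cur.x - prev.x, cur.y - prev.y) / dt
        if speed > MAX_SPEED * TOLERANCE:
            flags.append((cur.t, cur.player, "teleport"))
        # A fast turn alone is normal play; flag only one that ends in a shot.
        if cur.fired and yaw_delta(prev.yaw, cur.yaw) / dt > MAX_TURN_RATE * TOLERANCE:
            flags.append((cur.t, cur.player, "aim-snap"))
    return flags

# Constructed sample recording (not real match data), 20 ticks per second.
SAMPLE = [
    Tick(0.00, "alice", 0.0, 0.0, 350.0, False),
    Tick(0.05, "alice", 0.4, 0.0, 10.0, True),    # 20 degree turn across the wrap
    Tick(0.00, "bob", 5.0, 5.0, 90.0, False),
    Tick(0.05, "bob", 5.3, 5.0, 270.0, True),     # 180 degrees in one tick, then a shot
    Tick(0.10, "bob", 45.0, 5.0, 270.0, False),   # about 40 units in one tick
]
```

The flags are pointers into the recording for a reviewer, not ban decisions; a single threshold crossing can also come from lag or a legitimate flick.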
@lemmyvore @savvywolf Fly Dangerous has Replays (and is open source - alas Unity :)
Even better: It allows racing against replays (so-called ghosts) - your own or others'.
On occasion cheaters show up but are purged fast from the boards again. The boards are highly competitive but for now there is no mechanism in place beside vetting by the human eye when watching replays.
Granted, this only works well enough in a niche.