Kudos to the author for using RFC5737[0] TEST-NET-2 address for:
> An example of an IPv4 IP address is 198.51.100.1.
Server side only anti-cheat is one of the problem domains that I'd really love to work on at some point in my career. This is the type of adversarial arms race that just seems really fun to think long and hard about.
If the website is down or slow and you want to read the article, here is a full page screenshot of the post: https://i.imgur.com/SPp6IHX.jpeg
Sorry :'( I didn't expect the post to get this much traffic.
This isn't about stopping cheaters (cheat detection). This is about stopping repeat cheaters trying to ban evade. Detecting cheats, especially nowadays with hardware cheats (DMA, etc), is an entirely different ballgame.
IMHO, one of the most effective ways to stop ban evaders is to actually charge money for the game.
Players from big countries often miss out on the sense of community that exists in smaller ones. When there are only 3-4 servers' worth of people playing a game every day you quickly come to know them all, which really adds to the banter and sense of enjoyment.
> If a player joins with a different Steam ID but with an IP address that is already banned, the system now re-bans them
This works great until you realize you're punishing innocent players because of CGNAT and IP addresses getting rotated. Cheaters usually know how to get their router to request a new IP address. That IP address then gets assigned to someone else later.
> I only shared the solution and technique with one other server operator I fully trusted based in the UK
I think that was us! We ended up combining it with other fingerprinting indicators, but the whole 'use VGUI' was a surprisingly effective way at handling this. I believe they removed the web browser in ~2018, which was disappointing. Being able to have custom skill trees / fun integrations with servers was really powerful!
> but the traffic itself was encrypted over HTTPS. This meant that even if one were to use a packet sniffing tool like Wireshark, you would not be able to find the raw token.
It's trivial to decrypt HTTPS with tools like Fiddler or Burp Suite, assuming this built-in browser used the system proxy and the system certificate list.
> The best part was that no one knew how we were able to do this and our admin team kept the implementation a top secret. We should have filed a patent!
I know you’re joking, but if you had filed a patent you would have had to reveal the trick, thus rendering it immediately useless.
Doesn’t detract at all from your post. Fun read.
Excellent write up and solution. Cheating in video games makes for a wretched experience for those who don't cheat.
It's crazy how rampant cheating in multiplayer games, especially competitive ones, has gotten. Ten years ago, I thought it was at an extreme, but it's only gone up since then.
Part of the problem is that for some software developers, writing cheats brings in a massive amount of money.
So instead of some teenager messing around making unsophisticated cheats, you have some devs that are far better at writing cheats than game developers are at preventing them.
It doesn't help that game devs have to secure everything, everywhere, but cheat devs only have to find a single flaw.
Banning new Steam IDs on banned IPs seems too strict to me. Some ISPs use CG-NAT or rotate IPs, meaning a single bad actor could harm many innocent players.
Respect the ingenuity of the solution and how well it did.
Although it has to be said that we are better off without having VGUI in the first place.
This kind of sneaky tracking is so widespread today on the Web that it is nearly impossible to be bothered with evading it. Whether it is the "wideport" or what extensions you use, you might as well use Tails to surf the internet at that rate.
But using a logical fallacy, to exploit for the greater good, does seem appealing.
I am surprised VGUI browser shares cookies across Steam accounts. When I log out of my Steam account, switch to another one, launch the same game, I would have expected an entirely different datastore to be used for the VGUI browser.
I want to share a story in a somewhat related topic:
anti web-scraping techniques
The most devious version I've ever seen of this, I was baffled, astonished and completely helpless:
This website I was trying to scrape generated a new font (as in a .woff file) on every request, the font had the position of the letters randomly moved around (for example, the 'J' would be in place of the 'F' character in the .woff and so on) and the text produced by the website would be encoded to match that specific font.
So every time you loaded the website you got a completely different font with a completely different text, but for the user the text would look fine because the font mapped it to the original characters. If you tried to copy-and-paste the text from the website you would get some random garbled text.
The only way I could think of to scrape that would have been to OCR the .woff font files, but OCR could easily prevent mass-scraping due to sheer processing costs.
The idea of client-side "cookies" existed even before CS:GO. I remember in CS:S the server was able to change game variables set on the client. I wrote a script for a CS:S server that would fingerprint a cheater by setting an obscure game variable to a unique value and so being able to identify the player through that even if they had a different Steam ID and IP. It seemed to work well for a long time for getting rid of the most common cheaters, but of course the most committed and capable ones with RE skills will always be ahead of the game.
This link is 404ing for me. Anyone else?
So adtech tracking techniques also work for fingerprinting ban evaders. Go figure.
What about some sort of shadowbanning? Or "shadowsegregating": I mean if you detect and group cheaters so that they play with other cheaters, leaving normal players alone? (I am not a player, I don't know how these multiplayer games work, I'm just wondering.)
Thinking about it, Steam should force this on every game developer that has a cheating problem (I am assuming mainly shooters), maybe implement a better fingerprinting method, giving developers options to hide cookies somewhere in folders of their choosing.
It feels like cheating has become endemic, every game I've played online in the last 2-3 years seems to be rampant with cheating. I don't remember it being this big of an issue 5-10 years ago, or maybe I was just ignorant to it? It's at the point now where I run into cheaters frequently enough that I find it hard to justify investing time into multiplayer games anymore.
I can only assume the recent uptick is due to games adding tradable cosmetic items which has made it financially viable to cheat as most cheaters seem happy to drop a lot of money on cheats as well as $80 to re-buy a game once they eventually get banned.
In general, hardware/GPU/MAC signature hash checks are the only consistent way to bind player account histories, and even then cheats will change their identity with new hardware on fake postal addresses. Best to add a few weeks delay with "reviewing" ban status to prevent them returning hardware to retailers. Each day randomly permute which hardware signature trips the auto-re-ban after a random number of minutes.
Cheaters ruin the fun for everyone including themselves. Admins need to provide a personal cost deterrent for problem users, and randomly hang the game for people using code mods.
Let the ban hammer fall =3
Cheating in online games is a scourge and I really don't understand why people do it. It's one person selfishly getting a "win" at the expense of ~60 other people in that match having their time, pleasure, potentially money absolutely wasted.
I think even more infuriating than blatant hacking is this epidemic of "micro cheating", for lack of a better way to put it, that I've seen prevalent in some games: cheats that just boost some stats or reactions by amounts large enough to help the cheater but low enough that new or inexperienced players have absolutely no way of telling if someone is cheating or genuinely good, especially in games with high skill ceilings. At least when it's blatant you can leave without time wasted, but when they're doing it subtly you end up getting tilted and spending the whole match with a bad taste in your mouth, second-guessing whether someone is actually playing fair or not. Chivalry 2 is a really bad offender for this; once you notice it you can't unnotice it anymore. Almost every match will have at least one guy with his swing/move speed adjusted by ~10%, and in a game where swing manipulation is a legitimate mechanic it can be borderline impossible to catch someone out on it unless you're really paying attention.
Perhaps not applicable to a hidden web browser in counter strike but for public webpages you can apply the same fingerprint technique and only include the payload on _some_ page loads for non-fingerprinted users.
It has the very nice advantage that if they go looking for fingerprinting they may or may not find it by random chance. It is security through obscurity, but by making the bar higher for ban evasion you did actually remove a lot of people.
>We Outsmarted CSGO Cheaters by Exploiting the Client
Fixed
I know there's a steam client setting now to clear the data of the overlay browser (either on exit, or manually? Can't remember) - does that affect the VGUI browser?
I don't know about CS, but TF2 has the ability to disable server MOTDs - how does that affect this?
At the part where he writes about the human analysis of game data, I thought the article would end up with training an AI or just doing statistical analysis on that data to identify players. That would have been a little more interesting (but harder to do) than exploiting the game.
Couldn’t you stop cheaters by just looking at how their telemetry metrics are different from the baseline? If you get to a point where the cheater has to cheat to only be as good as a median player in the lobby in order to evade detection, you’ve effectively neutered it.
I always felt that valve didn't go far enough to prosecute cheaters (back in the day). I wonder if there are metrics out there for how effective methods like Overwatch actually were.
Would it be worth charging for CSGO? Or Counter-Strike 2, whatever the latest is? Because being banned by Steam ID might mean something if you have to pay $10 each time for the privilege.
> I'm not being funny and I mean no disrespect.
> But cheaters are cunts. They're cunts now, they've always been cunts.
> And the only thing that's going to change is they're going to become bigger cunts.
> Maybe have some more cunt kids.
That statement really shows how big of a dick you are, like come on man, it's just a game. Without learning game cheats and writing trojans and botnets since 14, although I'm kind of clean now, I wouldn't have mastered C++, C# and Java together and later gotten deep into computer science (and cybersecurity to some extent).
I suppose different people are entitled to different opinions about fingerprinting, but I reckon it only takes working on a single project where this is a real issue for you to change your mind.
We do behavioural analysis on top of various fingerprinting for bot detection - some people are trying really hard to ruin the internet!
I suspect a sufficiently advanced server side behaviour analysis could do a pretty good job discovering cheaters.
a bit late to the party, but recently watched this video: https://www.youtube.com/watch?v=x-EbjGSRyKA
Interested to hear thoughts on this level of both cheating and detecting cheats
I wonder what kind of theories these cheaters invented to explain how they were getting caught.
Banning by public IP is a rookie mistake. ISPs will change their IP automatically over time; they charge extra for a static IP. So what you're actually doing is banning anyone who ever receives that IP in the future.
Catching/stopping people who want to cheat for profit is something I personally think is never going to happen.
For a time, I would buy keys for CS:GO and different Steam accounts and use a subscription-based cheat provider to provide me with ESP/chams on screen. I knew that Overwatch/admins would be seeing the demos as the accounts were new. Starting from unranked meant you would be under scrutiny already, so I adjusted my playstyle.
I learned not to linger around looking at walls. People's movement patterns and decision making eventually became predictable as I reviewed demos or learned in the middle of a match how players have habits, and I abused that information. I was able to determine when to throw a round away to avoid suspicion and deliberately ensured I had a string of 2/3 bad games every so often so my K/D wasn't insane. I never used any aim assists, spinbots etc., and I always, always communicated with my team through in-game VOIP (not giving cheat calls) and maintained a legit facade.
I went undetected for nearly 2 years and sold hundreds of CS accounts successfully and made a tidy profit doing it. It's another string of the gaming industry that brings in money and it will never go away.
I like to think of it as an online drug war, however insensitive that may seem.
Seems trivially easy to hit their evade scenario though.
If I merely change the MAC address on the device connected to my cable modem, I get a new IP, every time. Combine that with the fact that the game is free, so you can easily make new Steam accounts.
>Now, in order for a player to appear to us as a "fresh player" they would need to change their Steam ID, IP address and Steam installation folder. As you can imagine, no one is going to do the latter.
Really? I would expect that a dedicated cheater would reinstall Windows (or reload from a snapshot) every time they are caught.
I loved the idea!! How clever. Congrats on your accomplishment, I learned a lot from your approach. Thanks for sharing.
> Wonderful, we have found a way to silently persist a cookie for each player as they join the server.
This violates GDPR, no?
Edit: It sounds like this took place before GDPR was being enforced.
> M̶a̶y̶b̶e̶ ̶h̶a̶v̶e̶ ̶s̶o̶m̶e̶ ̶m̶o̶r̶e̶ ̶c̶u̶n̶t̶ ̶k̶i̶d̶s̶.̶
He took that back. A very clever nod to In Bruges. Well played sir.
Feels disgusting with the hidden fingerprinting but very technically impressive!
I got 404
Still doing IP bans in the year 2024? Lmao.
I hope they asked permissions for storing those cookies. Otherwise they're violating various EU laws.
For UT2004, you can ban by player GUID (a hash of the CD key) or IP. With the game abandoned by Epic, a number of key generators have cropped up, which makes GUID bans useless. IP bans only go so far with VPNs costing $2 these days.
The main solutions we have today are IP ban + VPN blocking using a database of known VPN subnets and adding them all to the firewall, and a similar fingerprinting technique which scans their folder structure of certain system folders.