Multiplayer Games - Security Risk??

I’m working on a multiplayer game, and I’ve made lots of headway. The multiplayer is working perfectly using port forwarding. My question is: Is port forwarding a security risk?? :confused: If so, is there any way to stop hacking while leaving the port open?

I’m not sure if this is the right platform for this kind of question. To answer this question you need a very good knowledge of networking. I would be interested in the answer as well, but I suggest asking that at a network developer forum.

It depends on the service that’s using the port. If the service (the part of your game responsible for network communication) is in some way vulnerable, then the fact that some public computer can communicate with it, over a specified port, could be a potential problem.

Although, I don’t think there’s anything about an open port, by itself, that makes a computer vulnerable.

I 2nd the recommendation given by Monster (you should talk to experts), and further recommend that you run your own tests with well known penetration testing tools like Nessus/Metasploit.

If there is anything obviously wrong with your set-up, those tools should provide you with the appropriate warnings.

However, even if everything in your game doesn’t allow someone to do something malicious to the overall host system, a clever hacker can still send bogus data, and therefore cheat in your game.

For example, I can write a program that will intercept packets which describe my position in the gamespace, and modify the payload to indicate some other position. If your server is fairly simple, and has no facilities to confirm data integrity, it will translate my position to whatever position I want within the gamespace.

I would essentially have the ability to teleport wherever, and whenever I want. :cool:

However, even if everything in your game doesn’t allow someone to do something malicious to the overall host system, a clever hacker can still send bogus data, and therefore cheat in your game.

For example, I can write a program that will intercept packets which describe my position in the gamespace, and modify the payload to indicate some other position. If your server is fairly simple, and has no facilities to confirm data integrity, it will translate my position to whatever position I want within the gamespace.
+1

However, perhaps a better way to stop hackers would be to do the physics on the server and then send the results back to the client computers. For example:

Client Computer: Send keyboard data.
Server: Compute physics and gameplay.
Server: Send the player position and orientation to the client.

Therefore, the graphics would be rendered by the local machine, but gameplay is done on the server. The only problem with this setup might be lag (but a good lossless compression algorithm would solve that problem).

Related to network security and Python, possibly relevant. Depends on what kind of data you are using:
http://www.python.org/doc/2.2.3/lib/pickle-sec.html

There are VERY very few games out there that use server-side physics (exclusively). You’re correct that the problem is lag, but even with a 50ms average ping from client to server, you’re going to notice the delay between pressing the forward key and moving forward.

Even if you’re on a LAN connection playing a semi-modern game (say Team Fortress 2) the player’s location on his screen is slightly off from how the server sees him. You can pretty easily see this.

A lot of servers will attempt to “predict” movement so that it’s a bit more accurate on everybody’s computers, but more or less they do client-side everything else.

Also… even with a “only send input data and the server calculates physics” one could still write an Aimbot program to insta-headshot people… it would just have to send the right mouse data.

-Sam

You’re correct that the problem is lag, but even with a 50ms average ping from client to server, you’re going to notice the delay between pressing the forward key and moving forward.
How about a multi-sided physics approach? (Since the physics engine is the same on both ends) the results of the physics engine should be similar. Both the client and server could run the physics separately. However, if the position of the client is significantly different from that of the server position (aka: cheating), then the game would use the position generated by the server rather than the client (In addition, the server could update the client with the “true” position). This would work very well, you would not be able to see a big difference, and it would minimize lag.

There are VERY very few games out there that use server-side physics (exclusively).
I’m not sure if World of Warcraft uses the same approach as stated above, but they run (at least some) of the physics on a server.

Also… even with a “only send input data and the server calculates physics” one could still write an Aimbot program to insta-headshot people… it would just have to send the right mouse data.
Like most (if not all) games, there is no way to stop that. (But then again, an Aimbot isn’t all out hacking. Aimbots simply take the fun out of the game for the person using it).
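The server-side check discussed in this exchange (compare the position a client reports against what the server considers reachable, and fall back to the server's position), as an added example that is not part of any post in the thread. `MAX_SPEED`, `BUDGET_CAP`, `PlayerState` and `reconcile` are assumptions made for illustration; movement is metered with a distance budget so that a burst of delayed packets is tolerated but a flood of small steps cannot add up to a speed hack.

```python
import math
from dataclasses import dataclass

MAX_SPEED = 6.0               # assumed top movement speed, world units per second
BUDGET_CAP = MAX_SPEED * 0.5  # assumed: at most half a second of banked movement


@dataclass
class PlayerState:
    pos: tuple            # last position the server accepted
    last_seen: float      # server clock at the previous update, in seconds
    budget: float = 0.0   # distance the player may still travel


def reconcile(state, claimed, now):
    """Return (authoritative_position, corrected).

    `claimed` is the (x, y, z) of floats parsed from the client's packet and
    `now` is the server's own clock, never a client-supplied timestamp. When
    `corrected` is True the claim was rejected and the caller should send the
    returned position back to the client.
    """
    # Movement allowance accrues with server time, up to a fixed cap.
    elapsed = max(0.0, now - state.last_seen)
    state.budget = min(BUDGET_CAP, state.budget + MAX_SPEED * elapsed)
    state.last_seen = now

    # NaN or infinity would make every distance comparison below false.
    if len(claimed) != 3 or not all(math.isfinite(c) for c in claimed):
        return state.pos, True

    distance = math.dist(state.pos, claimed)
    if distance > state.budget:
        return state.pos, True        # teleport or speed hack: keep server view

    state.budget -= distance          # spend the allowance for this move
    state.pos = tuple(claimed)
    return state.pos, False
```
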

Which “physics?” The only real “physics” it has are collisions with the environment, jumping, and movement… which are not really done on the server. If you’ve played it, you’ll notice that when you’re lagging, you can move your character around very smoothly. If your connection drops, you get to keep running around until it times out.

I’ve even been able to use speed increasing spells for MUCH longer periods of time (and thus cover more distance) when I lagged in WoW (the removal of the spell effect seemed to require a server response, so even though the spell timer had 0 seconds remaining, I still had the speed on my client).

Regardless, a “mixed” approach would definitely be best, but for the most part all of this is off-topic :D. The author of this thread never asked how to stop cheaters, so now I’ll stop rambling!

-Sam

The OP has his answer, so I don’t think there is anything “improper” about further discussion, even if it wasn’t in the scope of the original question.

Anyway, my thoughts on this:

Regardless of the event triggered by the player in local gamespace, the effects of that event need to be propagated to all other clients that are within the same update domain. If my physics engine calculated that the box fell next to a door, and your physics engine calculated that it fell on the stairs, we have a major discrepancy, and that means spending time to correct it, and then sending updates to everyone anyway.

Maybe just sending raw position/orientation data (with the client doing interpolation between old and new position/orientation) would actually be more effective, not just in overall performance, but also in keeping everyone in sync.

If I were making a multiplayer game, I would run the physics server side.

Assuming we’re using floats of 4 bytes each, the 3 elements that describe position, plus the 9 that describe the orientation, give us 48 bytes (raw) per object… that’s nothing. I mean, I see no reason to run physics client-side, and further complicate the architecture for a few hundred bytes (even if I had no compression options).

Not with today’s modems.

Thanks guys for the help. It looks like I’m going to have to buy server hosting. Anyone know where I can get some as cheap as web hosting??

My idea for the multiplayer is–>
Client–> Send Input to Server
Server–> Receive keys pressed from client
Server–> Update character(move forward, turn, etc.)
Server–> Send position and orientation of that object to ALL clients(Including name of object…)
All Clients–> Update their screens with the new position

You HAVE to have some server side physics anyways, because if you didn’t, the clients would go right through each other… know what I mean?
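The input-only flow outlined above, as an added example that is not code from anyone in the thread: the server parses a fixed-size input packet with `struct` (not `pickle`, per the pickle security note linked earlier), moves the player itself, and packs the 48-byte position and orientation state mentioned earlier in the thread. The wire formats, key bits, `SPEED`, `TURN_RATE` and all function names are assumptions chosen for illustration.

```python
import math
import struct

INPUT_FMT = "<IB"                        # assumed: uint32 sequence, uint8 key bits
INPUT_SIZE = struct.calcsize(INPUT_FMT)  # 5 bytes
STATE_FMT = "<12f"                       # 3 position + 9 orientation floats = 48 bytes
FORWARD, BACK, LEFT, RIGHT = 1, 2, 4, 8
KNOWN_KEYS = FORWARD | BACK | LEFT | RIGHT
SPEED, TURN_RATE = 4.0, math.radians(90)  # assumed units/s and radians/s


class Player:
    def __init__(self):
        self.pos = [0.0, 0.0, 0.0]
        self.yaw = 0.0
        self.last_seq = -1


def parse_input(packet, player):
    """Return the key bitmask, or None for a malformed, replayed or odd packet."""
    if len(packet) != INPUT_SIZE:
        return None                       # wrong size: never try to decode it
    seq, keys = struct.unpack(INPUT_FMT, packet)
    if seq <= player.last_seq or keys & ~KNOWN_KEYS:
        return None                       # stale sequence number or unknown bits
    player.last_seq = seq
    return keys


def step(player, keys, dt):
    """Apply the keys for one server tick; dt comes from the server clock."""
    turn = bool(keys & LEFT) - bool(keys & RIGHT)
    move = bool(keys & FORWARD) - bool(keys & BACK)
    player.yaw += turn * TURN_RATE * dt
    player.pos[0] += move * SPEED * dt * math.cos(player.yaw)
    player.pos[1] += move * SPEED * dt * math.sin(player.yaw)


def pack_state(player):
    """Position plus a row-major 3x3 rotation about Z, to broadcast to clients."""
    c, s = math.cos(player.yaw), math.sin(player.yaw)
    rot = (c, -s, 0.0, s, c, 0.0, 0.0, 0.0, 1.0)
    return struct.pack(STATE_FMT, *player.pos, *rot)


def handle_packet(player, packet, dt):
    """Return the state bytes to broadcast, or None if the packet was dropped."""
    keys = parse_input(packet, player)
    if keys is None:
        return None
    step(player, keys, dt)
    return pack_state(player)
```

Because the client only ever sends key bits, it has no field in which to claim a position; the sequence check drops replayed packets but does not handle 32-bit wraparound.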